The CILogon project provides the open source, standards-based CILogon Service at https://cilogon.org/, providing the NSF research community with credentials for secure access to cyberinfrastructure (CI). The service bridges the identity credentials generated by the nation’s universities, through the InCommon Federation, to a certificate for authentication to NSF’s cyberinfrastructure projects.
The Challenge. The goal of our service is to allow users’ credentials as managed by universities (and other research institutions) in InCommon to be used to access NSF’s cyberinfrastructure. The primary technical challenge we face is the technology difference between InCommon, which is based on the Security Assertion Markup Language (SAML) as implemented by the Internet2 Shibboleth software, and NSF’s cyberinfrastructure, which is based on public key infrastructures (PKIs) that emerged from computational grids.
Our Approach. Our project leverages existing software to provide the required functionality. Much of our approach has been previously demonstrated in the TeraGrid federated login system. Since Shibboleth is a web-based technology, designed for users using web browsers, our service is a web application residing in Apache. Building on Shibboleth and Apache, we use the work pioneered in the GridShib project, deployed in TeraGrid, to convert Shibboleth into certificates as needed for much of the NSF CI. As with the TeraGrid work, we use MyProxy with specialized hardware security modules to generate these certificates.
Service Operation. Central to our proposed work is the operation of our service for the NSF community. Our plans for operating our service include:
Non-InCommon home institutions. While InCommon is growing and now represents over 200 organizations and over 4 million users, we recognize that there will be users from organizations that have not yet joined InCommon. In this case we encourage users to use the Google identity provider.
Privacy. The CILogon Service follows best practices for auditing, as befits an authentication service. With regards to these logs, we follow standard NCSA and University of Illinois policies. In summary, user information will only be released in aggregate form (so we can report metrics to NSF) or with the explicit, opt-in permission of the user. Note that the purpose of the service is to issue certificates containing user identifying information, but the CILogon Services issues certificates on explicit request of the user.
Host certificates. Currently the CILogon Service focuses on issuing certificates that identify people, rather than hosts or services, since this allows us to directly leverage the authentication services provided through InCommon.
For more information, please see our Frequently Asked Questions page.