Child pages
  • WBS 2.3.2 OAuth SSH Planning 2019-06-06 Meeting
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »


Agenda, Discussion, and Action Items

This meeting is a follow-up action from a breakout at the March 2019 quarterly meeting (see notes). The purpose is to:

  • Discuss TFA support with XSEDE IdM technical leads (Jim B, Lee, and Globus if necessary)
  • Discuss implementation costs and other considerations
  • Decide if we should proceed or not, or escalate to management for a decision


Known Options

  1. Globus Auth SSH


Next steps / actions

The preliminary recommendations are:

  • Implement in the XUP MFA authentication to protect only these two functions:

    1. User profiles edit
    2. Allocation membership add/drop user
  • Only enforce for users that have already enrolled in MFA
  • Users would not be re-prompted for the XSEDE username and password to access these two functions
  • The XUP should be able to make a single call that simply returns if the user isn't enrolled in MFA (the XUP shouldn't have to lookup whether a user is enrolled in MFA)
  • Implement using the DUO provided tooling API, and not XSEDE's IdM/Globus or CILogon
  • Operations will continue to periodically purge users that have signed up and never used DUO or not used within a year
  • Gary will send some info on the DUO API to the team

Maytal had to drop off early and wasn't present when the recommendation was drafted. If Maytal and UII team agree with this recommendation they can implement as soon as practical, otherwise we'll need to figure how to resolve any disagreements.


  • No labels