Single Sign-On (SSO) Hub

XSEDE's Single Sign On (SSO) login hub is a single point-of-entry to the XSEDE cyberinfrastructure. Upon logging into the hub with your XSEDE User Portal (XUP) username and password, a 12-hour proxy certificate is automatically generated, allowing you to access XSEDE resources for the duration of the proxy. You may then gsissh to any XSEDE compute resource where you have an account without the need for a resource-specific username and password.

The SSO hub now requires you to authenticate using Multi-Factor Authentication (MFA) with the Duo app. Consult Multi-Factor Authentication with Duo for account setup instructions.

You may view a complete listing of your XSEDE resource accounts in the XSEDE User Portal under the MyXSEDE->Accounts menu item. For any and all account-related questions and problems, please submit an XSEDE helpdesk ticket.

The XSEDE SSO hub only accepts standard SSH incoming connections. Use of SSH keys is not allowed as this would interfere with the authentication mechanism.

It is your responsibility to verify each system's host key fingerprint prior to connecting to the system for the first time. See the XSEDE Resource SSH Keys page for a full listing.

You are limited to 100MB of storage on the hub. Your directories and data on the SSO Hub are NOT backed up, so use your XSEDE allocated storage resources for data storage.

Login to the SSO Hub

To log in to the XSEDE SSO Hub, use your SSH client to start an SSH session on the hub with your XSEDE User Portal username and password:

localhost$ ssh -l XUPusername

XSEDE now requires that you use the XSEDE Duo service for additional authentication; you will be prompted to authenticate yourself further using Duo and your Duo client app, token or other contact method.

Once logged into the hub, use the "gsissh" utility to log in to any XSEDE HPC system where you have an account. To simplify access to XSEDE HPC systems, host aliases and settings have been defined in the default gsissh client configuration on the SSO Hub. This means that you can use gsissh to log in to XSEDE HPC systems by referring only to their short Host alias name, e.g.,

[XUPusername@ssohub ~]$ gsissh bridges

A current list of these gsissh host aliases is provided in the "message of the day" (/etc/motd) file displayed upon login, or by executing the "xsede-gsissh-hosts" command on the XSEDE SSO Hub. (See example below.)

Checking the Status of and Renewing your X.509 Credential on the SSO Hub

The X.509 credential obtained on your behalf upon SSH login to the SSO Hub has a 12-hour validity period by default. You can check the remaining validity of this credential with the "grid-proxy-info" command.

To renew your X.509 credential while logged into the SSO Hub, use the "myproxy-logon" command; when prompted, enter your XSEDE User Portal password.
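
An added example, not part of the XSEDE documentation: a POSIX shell helper that reads grid-proxy-info output, converts its timeleft field to seconds, and reports whether the credential will last a planned number of hours, so that it can be renewed with myproxy-logon before long work begins. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the remaining lifetime of the X.509 proxy credential.

# Constructed sample in the field layout that grid-proxy-info prints.
SAMPLE_INFO='subject  : /C=US/O=Example Org/CN=Jane User
type     : end entity credential
strength : 2048 bits
path     : /tmp/x509up_u7121
timeleft : 11:58:38'

# proxy_seconds_left: read grid-proxy-info output on stdin and print the
# remaining lifetime in seconds. Prints 0 when no usable timeleft line is
# present (no credential, unparsable output) so that callers fail closed.
proxy_seconds_left() {
    awk '
        $1 == "timeleft" && $2 == ":" {
            if (split($3, t, ":") == 3) {
                secs = t[1] * 3600 + t[2] * 60 + t[3]
                found = 1
            }
        }
        END {
            if (!found || secs < 0) secs = 0
            print secs
        }
    '
}

# proxy_covers HOURS: exit 0 only if the credential described on stdin
# remains valid for at least HOURS hours.
proxy_covers() {
    need=$(( $1 * 3600 ))
    left=$(proxy_seconds_left)
    [ "$left" -ge "$need" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_INFO" | proxy_seconds_left
if printf '%s\n' "$SAMPLE_INFO" | proxy_covers 8; then
    echo "credential covers an 8-hour session"
fi

# On the hub the same check would read the live credential, for example:
#   grid-proxy-info | proxy_covers 8 || myproxy-logon
```
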

SSO Hub Example Work Session

In the example session below, Dr. Jane User uses the command-line ssh utility to log in to the XSEDE SSO Hub, also authenticating with Duo. From there she uses the gsissh utility to log in to her account on Bridges at PSC. After exiting from Bridges and returning to the SSO Hub, she examines the status of her X.509 credential using grid-proxy-info and then renews it using myproxy-logon. After listing the currently available gsissh host aliases using the xsede-gsissh-hosts command, Dr. Jane uses gsissh to log in to her account on the Maverick subsystem at TACC. Finally, Dr. Jane exits the Maverick system, returning to the SSO Hub, and then exits the SSO Hub to return to her local workstation, ending the session.

Script started on Thu Apr 20 12:00:46 2017
[my-local-workstation:~ DrJanePhD]$ ssh
Please login to this system using your XSEDE username and password:
Duo two-factor login for janexupuser

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-9999
2. Phone call to XXX-XXX-9999

Passcode or option (1-2): 1
Success. Logging you in...
Last login: Thu Apr 20 12:55:35 2017 from

#  Welcome to the XSEDE Single Sign-On (SSO) Hub!

The X.509 credential displays time left in this session: 11 hours and 58 minutes.

[JaneXUPuser@ssohub ~]$ grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/CN=Susan Lindsey
issuer   : /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy CA 2013
identity : /C=US/O=National Center for Supercomputing Applications/CN=Susan Lindsey
type     : end entity credential
strength : 2048 bits
path     : /tmp/x509up_u7121
timeleft : 11:58:38

Jane User connects to PSC's Bridges, does science, then exits:

[JaneXUPuser@ssohub ~]$ gsissh bridges
Last login: Mon Feb 20 14:11:23 2017 from
You have connected to 
... do science ...
[janeuser@br006 ~]$ exit
Connection to closed.

After exiting Bridges, display a list of the available XSEDE resources. Note that you must have an account on that resource in order to log in.

[JaneXUPuser@ssohub ~]$ xsede-gsissh-hosts

Jane User then connects to TACC's Maverick subsystem for more science. After finishing work and exiting Maverick, she exits the SSO hub, ending the session.

[JaneXUPuser@ssohub ~]$ gsissh maverick
Welcome to the Maverick Ivy Bridge/K40 Linux Cluster

login2.maverick(1)$ ... do science ...
login2.maverick(1)$ exit
Connection to closed.
[JaneXUPuser@ssohub ~]$ exit
Connection to closed.
[my-local-workstation:~ DrJanePhD]$