Single Sign-On (SSO) Hub
XSEDE's Single Sign On (SSO) login hub,
login.xsede.org, is a single point-of-entry to the XSEDE cyberinfrastructure. Upon logging into the hub with your XSEDE User Portal (XUP) username and password, a 12 hour proxy certificate is automatically generated, allowing you to access XSEDE resources for the duration of the proxy. You may then
gsissh to any XSEDE compute resource where you have an account without the need for a resource-specific username and password.
The SSO hub now requires you to authenticate using Multi-Factor Authorization (MFA) with the Duo app. Consult Multi-Factor Authentication with Duo for account setup instructions.
You may view a complete listing of your XSEDE resource accounts in the XSEDE User Portal under the MyXSEDE->Accounts menu item. For any and all account related questions and problems, please submit an XSEDE helpdesk ticket.
The XSEDE SSO hub only accepts standard SSH incoming connections. Use of SSH keys is not allowed as this would interfere with the authentication mechanism.
It is your responsibility to verify each system's host key fingerprint prior to connecting to the system for the first time. See the XSEDE Resource SSH Keys page for a full listing.
You are limited to 100MB of storage on the hub. Your directories and data on the SSO Hub are NOT backed up, so use your XSEDE allocated storage resources for data storage.
To login to the XSEDE SSO Hub, use your SSH client to start an SSH session on
login.xsede.org with your XSEDE User Portal username and password:
localhost$ ssh -l XUPusername login.xsede.org
XSEDE now requires that you use the XSEDE Duo service for additional authentication, you will be prompted to authenticate yourself further using Duo and your Duo client app, token or other contact method.
Once logged into the hub, then use the "
gsissh" utility to login to any XSEDE HPC system where you have an account. To simplify access to XSEDE HPC systems, host aliases and settings have been defined in the default gsissh client configuration on the SSO Hub. This means that you can use gsissh to login to XSEDE HPC systems by referring only to their short Host alias name, e.g.,
[XUPusername@ssohub ~]$ gsissh bridges
A current list of these gsissh host aliases is provided in the "message of the day" (
/etc/motd) file displayed upon login, or by executing the "
xsede-gsissh-hosts" command on the XSEDE SSO Hub. (See example below.)
The X.509 credential obtained on your behalf upon SSH login to the SSO Hub has a 12-hour validity period by default. You can check the remaining validity of this credential with the "
To renew your X.509 credential while logged into the SSO Hub, use the "
myproxy-logon" command; when prompted, enter your XSEDE User Portal password.
In the example session below, Dr. Jane User, uses the command-line
ssh utility to log in to the XSEDE SSO Hub, also authenticating with Duo. From there she uses the
gsissh utility to login to her account on Bridges at PSC. After exiting from Bridges and returning to the SSO Hub, she examines the status of her X.509 credential using
grid-proxy-info and then renews it using
myproxy-logon. After listing the currently available
gsissh host aliases using the
xsede-gsissh-hosts command, Dr. Jane uses
gsissh to login to her account on the Maverick subsystem at TACC. Finally Dr. Jane exits the Maverick system, returning to the SSO Hub, and then exits the SSO Hub to return to her local workstation and ending the session.
Script started on Thu Apr 20 12:00:46 2017 [my-local-workstation:~ DrJanePhD]$ ssh JaneXUPUser@login.xsede.org Please login to this system using your XSEDE username and password: password: Duo two-factor login for janexupuser Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-9999 2. Phone call to XXX-XXX-9999 Passcode or option (1-2): 1 Success. Logging you in... Last login: Thu Apr 20 12:55:35 2017 from 22.214.171.124 # Welcome to the XSEDE Single Sign-On (SSO) Hub!
The X.509 credential displays time left in this session: 11 hours and 58 minutes.
[JaneXUPuser@ssohub ~]$ grid-proxy-info subject : /C=US/O=National Center for Supercomputing Applications/CN=Susan Lindsey issuer : /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy CA 2013 identity : /C=US/O=National Center for Supercomputing Applications/CN=Susan Lindsey type : end entity credential strength : 2048 bits path : /tmp/x509up_u7121 timeleft : 11:58:38
Jane User connects to PSC's Bridges, does science, then exits:
[JaneXUPuser@ssohub ~]$ gsissh bridges Last login: Mon Feb 20 14:11:23 2017 from ssohub.iu.xsede.org ... You have connected to br006.pvt.bridges.psc.edu ... ... do science ... ... [janeuser@br006 ~]$ exit logout Connection to bridges.psc.edu closed.
After exiting Bridges, display a list of the available XSEDE resources. Note that you must have an account on that resource in order to log in.
[JaneXUPuser@ssohub ~]$ xsede-gsissh-hosts bridges comet gordon mason maverick osg stampede supermic wrangler-iu wrangler-tacc xstream
Jane User then connects to TACC's Maverick subsystem for more science. After finishing work and exiting Maverick, she exits the SSO hub, ending the session.
[JaneXUPuser@ssohub ~]$ gsissh maverick ... Welcome to the Maverick Ivy Bridge/K40 Linux Cluster ... login2.maverick(1)$ ... do science ... login2.maverick(1)$ exit logout Connection to maverick.tacc.utexas.edu closed. [JaneXUPuser@ssohub ~]$ exit logout Connection to login.xsede.org closed. [my-local-workstation:~ DrJanePhD]$
- Multi-Factor Authentication with Duo
- Globus' "
- SSO Hub with MEG PAM Module and OpenSSH
- Knowledge Base: What is the XSEDE Single Sign-On Login Hub?
Last update: February 24, 2019