E.2.13 mischaracterizes Globus Auth usage data reporting


Section E.2.13 suggests that because XSEDE already obtains usage data from Globus Auth, no additional usage tracking is needed. This is incorrect.

The Globus Auth usage data only includes usage data for a specific set of XSEDE applications that use Globus Auth. (Examples include XSEDE User Portal, Jetstream, Research Software Portal, XSEDE Confluence & Jira.) Use of XSEDE identities in other applications is not included in XSEDE's Globus Auth usage data.

Furthermore, the Globus Auth usage data reports every use of Globus Auth to authenticate an individual in one of the tracked XSEDE applications. This isn't the same as every use of the XSEDE IDP to authenticate XSEDE identities. XSEDE applications are configured to require an XSEDE identity, but this requirement is satisfied by any identity that has been linked to an XSEDE identity. Thus, a usage record from Globus Auth indicates that EITHER an XSEDE identity OR an identity linked to an XSEDE identity was used to log in to an application. It does not mean that the XSEDE identity was authenticated.

Having clarified these points, I wonder if the logging mentioned in E.2.7 can be used to track usage of this XSEDE IDP?

I'm confused. This activity is about replacing weblogin.xsede.org with CILogon and idp.xsede.org for Globus Auth. Globus Auth is the only service that uses weblogin.xsede.org. Does XSEDE do usage tracking for weblogin.xsede.org separate from Globus Auth usage tracking?

I'm happy to add a reference to CILogon usage tracking (https://software.xsede.org/display/xci-182) in Section E.2.13, but I hope you're not suggesting that this activity should be blocked on adding additional usage tracking to idp.xsede.org.

My main point is that it's not accurate to suggest that because we have Globus Auth usage data, there's no point in having IDP usage data: those are totally different things. I think that incorrect statement should be removed from the design doc.

Beyond removing inaccurate information, the section is supposed to be about documenting any usage data that will be collected, so if CILogon is already creating usage data, adding a reference would be helpful. I agree there's no need to block on anything that doesn't exist now.

Section E.2.13 previously contained:

"Globus Auth usage tracking is implemented in XCI-183. No change in usage tracking is required for this activity."

I'm revising it to contain:

"CILogon usage tracking is implemented in XCI-182, and Globus Auth usage tracking is implemented in XCI-183. No change in usage tracking is required for this activity."

Does that revision address your concerns?

Yes, thank you!
