Federating HPC access via SAML: Towards a plug-and-play solution

Many potential users hesitate to use HPC resources due to sometimes complex procedures that are necessary to get access. Furthermore, HPC providers need up-to-date identity information to make correct access control decisions. Federated identity management addresses both issues by enforcing access control based on the users' familiar accounts at their home organizations. SAML-based federations consisting of home organizations and web-services are already established, but the integration of non web-based services such as HPC resources is not trivial due to the absence of a browser as a user client or missing trust between web-portals and HPC resources. In this paper, we propose a concept that enables non web-based services to join SAML-based federations. From the service's point-of-view, our approach is transparent and appears to be a local LDAP directory. From the federations point-of-view, our approach can be integrated like an ordinary SAML service provider. Due to this separation of concerns, integration effort is considerably reduced. Furthermore, we will show how our approach can be extended to enable federated access to semi-trusted web-portals.