InCommon Federation for HPC Clusters



What is the InCommon Federation and how can I use it to simplify authentication and access control for an HPC Cluster?


InCommon is operated by Internet2 and provides a common framework for trusted shared management of access to online systems or services. Their site provides ample background

One important feature is that it gives end-users the ability to have SAML compliant single-sign-on (SSO) capabilities. An end user could use their host institutional identity management provider to authenticate, and that trusted identity is sent the other online systems or services, without the need for locally managed identity. Or, in short, you can login to remote sites with your local credentials.

If you were to setup and allow InCommon connections to your own HPC service, you would no longer have to manage the authentication credentials of external users. You would just manage the access that accounts could have via a linked local account. So if they leave their institution, then they would also loose their access to your local HPC service.


One means for enabling federated login for HPC resources is CI-Logon: which provides the integration with SAML as well as attribute management through Internet2’s COmanage software.