Globus Connect Server OIDC Register

Name

globus-connect-server oidc register - Register an existing OIDC server for use with this endpoint

Synopsis

globus-connect-server oidc register [OPTIONS]…

Description

The globus-connect-server oidc register command provides a command-line interface for registering an existing OIDC server for use with this endpoint. This command should be run as root, on any data transfer node that has been set up with node setup. Once registered, you will be able to authenticate users from the associated domain.

The display name, support contact information, discovery-url, OIDC client credentials, and claim mapping information is required to run the command.

You must configure Globus Auth as a client on your OIDC Server. The client_id and client_secret options are used to pass the confidential client credentials. You should configure https://auth.globus.org/p/authenticate/callback as a redirect URL for this client.

In order to prove domain ownership, you must add a TXT record to the associated domains with the client-id of this endpoint. If this is not done, the registration will fail. You can rerun the command with the same arguments after creating the TXT record.

An OIDC registration can not be created on a GCS endpoint that has a Globus OIDC server.

Options

-h, --help: Show a help message and exit.
--version: Show the version and exit.
--display-name DISPLAY_NAME (required): The display name for the OIDC server. This will be displayed on the login page when the user attempts to sign in. Note that this is limited to 64 characters.
--support-contact SUPPORT_CONTACT (required): The support contact name for the OIDC server. This is required by Globus Auth.
--support-email SUPPORT_EMAIL (required): The support contact email for the OIDC server. This is required by Globus Auth and is shown on the login screen in the event that a user requires support contact information.
--discovery-url URL (required): The OpenID Connect discovery URL for the server. The domain of the url will be the main domain of the IdP and must be asserted by the OIDC server.
--domain DOMAIN: An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.
--client-id CLIENT-ID (required): You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint.
--client-secret SECRET (required): You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client-secret of your endpoint.
--username-claim TEXT (required): Identity provider claim that maps to the user name. In general this should be 'preferred_username'.
--id-claim TEXT (required): Identity provider claim that maps to the immutable ID. In general this should be 'sub'.

Example

This invocation registers an OIDC server, setting the display name to "Example OIDC Server" and the support contact is configured to "Test User" with an email address of "testuser@test.com".

globus-connect-server oidc register \
    --display-name "Example OIDC Server" \
    --domain "exampledomain.com" \
    --discovery-url "https://id.example.com/.well-known/openid-configuration" \
    --client-id "globus-auth-client" \
    --client-secret "HhefXXDCxDMeRXnPHyZn7mGklL" \
    --username-claim "preferred_username" \
    --id-claim "sub" \
    --support-contact "Test User" \
    --support-email "testuser@test.com"