Globus Connect Server OIDC Register

Name

globus-connect-server oidc register - Register an existing OIDC server for use with this endpoint

Synopsis

globus-connect-server oidc register [OPTIONS]…​

Description

The globus-connect-server oidc register command provides a command-line interface for registering an existing OIDC server for use with this endpoint. This command should be run as root, on any data transfer node that has been set up with node setup. Once registered, you will be able to authenticate users from the associated domain.

The display name, support contact information, discovery-url, OIDC client credentials, and claim mapping information are required to run the command.

You must configure Globus Auth as a client on your OIDC Server. The client_id and client_secret options are used to pass the confidential client credentials. You should configure https://auth.globus.org/p/authenticate/callback as a redirect URL for this client.

In order to prove domain ownership, you must add a TXT record to the associated domains with the client-id of this endpoint. If this is not done, the registration will fail. You can rerun the command with the same arguments after creating the TXT record.

An OIDC registration cannot be created on a GCS endpoint that has a Globus OIDC server.

Options

-h, --help

Show a help message and exit.

--version

Show the version and exit.

--display-name DISPLAY_NAME (required)

The display name for the OIDC server. This will be displayed on the login page when the user attempts to sign in. Note that this is limited to 64 characters.

--support-contact SUPPORT_CONTACT (required)

The support contact name for the OIDC server. This is required by Globus Auth.

--support-email SUPPORT_EMAIL (required)

The support contact email for the OIDC server. This is required by Globus Auth and is shown on the login screen in the event that a user requires support contact information.

--discovery-url URL (required)

The OpenID Connect discovery URL for the server. The domain of the URL will be the main domain of the IdP and must be asserted by the OIDC server.

--domain DOMAIN

An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.

--client-id CLIENT-ID (required)

You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint.

--client-secret SECRET (required)

You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client-secret of your endpoint.

--username-claim TEXT (required)

Identity provider claim that maps to the user name. In general this should be 'preferred_username'.

--id-claim TEXT (required)

Identity provider claim that maps to the immutable ID. In general this should be 'sub'.

Example

This invocation registers an OIDC server, setting the display name to "Example OIDC Server" and the support contact to "Test User" with an email address of "testuser@test.com".

globus-connect-server oidc register \
    --display-name "Example OIDC Server" \
    --domain "exampledomain.com" \
    --discovery-url "https://id.example.com/.well-known/openid-configuration" \
    --client-id "globus-auth-client" \
    --client-secret "HhefXXDCxDMeRXnPHyZn7mGklL" \
    --username-claim "preferred_username" \
    --id-claim "sub" \
    --support-contact "Test User" \
    --support-email "testuser@test.com"
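
A pre-flight check for the arguments above, added here as an example; it is not part of the Globus documentation or tooling. It compares the planned options against the IdP's discovery document before registration. The function name, the dictionary layout, the `endpoint_client_id` input and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def preflight(args, discovery_doc, endpoint_client_id):
    """List findings to review before running `oidc register` (hypothetical helper)."""
    findings = []
    if len(args["display-name"]) > 64:
        findings.append("display-name exceeds 64 characters")
    url = urlsplit(args["discovery-url"])
    if url.scheme != "https" or not url.path.endswith(WELL_KNOWN):
        findings.append("discovery-url is not an https OIDC discovery URL")
    # OIDC Discovery: issuer + WELL_KNOWN is the URL the document is served from.
    issuer = discovery_doc.get("issuer", "").rstrip("/")
    if issuer + WELL_KNOWN != args["discovery-url"]:
        findings.append("issuer in discovery document does not match discovery-url")
    supported = discovery_doc.get("claims_supported")  # optional metadata field
    for opt in ("username-claim", "id-claim"):
        if supported is None:
            findings.append(f"claims_supported absent; cannot confirm {opt}")
        elif args[opt] not in supported:
            findings.append(f"{opt} '{args[opt]}' not in claims_supported")
    # --client-id is the IdP-side client for Globus Auth, not the endpoint's own id.
    if args["client-id"] == endpoint_client_id:
        findings.append("client-id is the endpoint's Globus client-id, not the IdP client's")
    # Assumption: the "domain of the url" is its hostname.
    if url.hostname in args.get("domain", []):
        findings.append("domain repeats the discovery-url host; it can be omitted")
    return findings

# Constructed sample input mirroring the example invocation above.
SAMPLE_ARGS = {
    "display-name": "Example OIDC Server",
    "discovery-url": "https://id.example.com/.well-known/openid-configuration",
    "domain": ["exampledomain.com"],
    "client-id": "globus-auth-client",
    "username-claim": "preferred_username",
    "id-claim": "sub",
}
SAMPLE_DOC = {"issuer": "https://id.example.com", "claims_supported": ["sub", "email", "name"]}

if __name__ == "__main__":
    print(preflight(SAMPLE_ARGS, SAMPLE_DOC, "ENDPOINT-CLIENT-ID-PLACEHOLDER"))
```

Because `claims_supported` is optional and need not be exhaustive, a missing claim is a prompt to confirm the mapping with the IdP administrator rather than proof that registration will fail.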
© 2010- The University of Chicago