Globus Docs
GCS Globus OIDC Reference Architecture

This document provides a reference architecture for the Globus OIDC (OpenID Connect) server integrated into a Globus Connect Server (GCS) endpoint.

Reference Architecture

[Figure: authentication flow for a GCS endpoint with the Globus OIDC server]

The Globus OIDC server is an integrated OIDC module that runs on your Globus Connect Server endpoint.

Note: The Globus OIDC server is solely intended for restricting access to Globus Connect Server endpoints and collections.

The Globus OIDC module is used in scenarios where the authentication service needed to access collections on the endpoint is not one of the identity providers that can be used to log into Globus. Using this module, an administrator can allow users to log in with their local Linux identities (or LDAP identities) to access collections hosted on this endpoint. The module authenticates through Linux Pluggable Authentication Modules (PAM); the administrator configures which PAM modules and authentication backend to use.

  • The source and/or destination Globus Connect Server instances are configured by an administrator to require a login from a specific domain within a given timeframe

    • Information on how to set the authentication requirements can be found in Globus Connect Server installation documentation under Authentication Policies

  • The Globus OIDC server running on the endpoint is registered as an identity provider in Globus Auth

    • Note that the OIDC server is registered as an identity provider for use with the collections on this endpoint, but not for logging into Globus

  • PAM is used for local user authentication on the Globus Connect Server instances, which can be redirected to other services such as LDAP, RADIUS, or Kerberos. This is configured by the administrator of the endpoint.
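The policy described above (a login from the OIDC server's identity domain within a given timeframe) reduces to a check over the user's linked identity set and the per-identity authentication times in the current session. The following is an added example in Python, not Globus Connect Server's own enforcement code; it assumes the Globus Auth token-introspection shape (identity_set_detail, and session_info.authentications keyed by identity id with an epoch auth_time), usernames of the form user@<id-domain> for identities issued by the OIDC server, and the constructed sample identities and timestamps shown in the block.

```python
"""
Evaluate an endpoint authentication policy against a Globus Auth token introspection.

Added, illustrative example; not Globus Connect Server's own enforcement code.
Assumptions (not from the page): the introspection payload follows Globus Auth's
introspect response (identity_set_detail, and session_info.authentications keyed
by identity id with an epoch auth_time); identities issued by the endpoint's
Globus OIDC server have usernames of the form user@<id-domain>; and the policy
means "at least one linked identity in DOMAIN that authenticated within
TIMEOUT_MINS minutes in this session".
"""
from __future__ import annotations

import copy
import time
from dataclasses import dataclass, field


@dataclass
class AuthPolicy:
    domain: str             # the storage gateway's --domain value
    timeout_mins: int = 30  # how recent the login in that domain must be (assumed default)


@dataclass
class Decision:
    allowed: bool
    satisfying_identity: str | None
    # GARE-style hints a client can use to re-prompt the user (real GARE key names)
    authorization_parameters: dict = field(default_factory=dict)


def _in_domain(username: str, domain: str) -> bool:
    """Globus usernames are user@domain; match the domain part case-insensitively."""
    _, _, user_domain = username.rpartition("@")
    return user_domain.lower() == domain.lower()


def evaluate_policy(introspection: dict, policy: AuthPolicy, now: float | None = None) -> Decision:
    """Return whether the session behind this token satisfies the policy."""
    now = time.time() if now is None else now
    # Inactive (expired/revoked) tokens never satisfy a policy: fail closed.
    if not introspection.get("active"):
        return Decision(False, None, {})

    identities = introspection.get("identity_set_detail", [])
    auths = introspection.get("session_info", {}).get("authentications", {})
    cutoff = now - policy.timeout_mins * 60

    # Only identities in the required domain can satisfy the policy ...
    candidates = [i for i in identities if _in_domain(i["username"], policy.domain)]
    # ... and only if that identity itself authenticated recently enough in this
    # session; a fresh login with a *different* linked identity does not count.
    for ident in candidates:
        auth = auths.get(ident["id"])
        if auth is not None and auth.get("auth_time", 0) >= cutoff:
            return Decision(True, ident["username"], {})

    params = {
        "session_message": (
            f"A login with an identity from {policy.domain} within the last "
            f"{policy.timeout_mins} minutes is required"
        ),
        "session_required_single_domain": [policy.domain],
    }
    if candidates:
        # The user already has a linked identity in the domain: ask for exactly those.
        params["session_required_identities"] = [i["id"] for i in candidates]
    return Decision(False, None, params)


def with_auth_time(introspection: dict, identity_id: str, auth_time: float) -> dict:
    """Copy of the introspection with one identity's session auth_time changed."""
    out = copy.deepcopy(introspection)
    auths = out.setdefault("session_info", {}).setdefault("authentications", {})
    auths.setdefault(identity_id, {})["auth_time"] = auth_time
    return out


# ---- Constructed sample data (not a real token, user, or endpoint) ----
NOW = 1_700_000_000  # fixed reference time so results are reproducible
GLOBUSID_IDENTITY = "11111111-1111-4111-8111-111111111111"
OIDC_IDENTITY = "22222222-2222-4222-8222-222222222222"

SAMPLE_INTROSPECTION = {
    "active": True,
    "sub": GLOBUSID_IDENTITY,
    "username": "alice@globusid.org",
    "identity_set_detail": [
        {"id": GLOBUSID_IDENTITY, "username": "alice@globusid.org"},
        # identity issued by the endpoint's Globus OIDC server (id-domain oidc.example.edu)
        {"id": OIDC_IDENTITY, "username": "alice@oidc.example.edu"},
    ],
    "session_info": {
        "authentications": {
            GLOBUSID_IDENTITY: {"auth_time": NOW - 2 * 60, "amr": ["pwd"]},   # 2 min ago
            OIDC_IDENTITY: {"auth_time": NOW - 3 * 3600, "amr": ["pwd"]},     # 3 h ago
        }
    },
}

if __name__ == "__main__":
    policy = AuthPolicy(domain="oidc.example.edu", timeout_mins=30)
    print(evaluate_policy(SAMPLE_INTROSPECTION, policy, now=NOW))   # denied: OIDC login is stale
    fresh = with_auth_time(SAMPLE_INTROSPECTION, OIDC_IDENTITY, NOW - 60)
    print(evaluate_policy(fresh, policy, now=NOW))                  # allowed
```

Two points the sample makes explicit: the recent GlobusID login in the same session does not satisfy a policy pinned to the OIDC server's domain, so a user who linked both identities is still sent back to the endpoint's OIDC server; and the hints returned on denial use the GARE key names (session_required_single_domain, session_required_identities) that a client can feed into a new login request.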

Next Steps

  • Read the GCSv5 Getting Started documentation to set up the Globus OIDC server on your Globus Connect Server endpoint.

  • Configure the identity provider requirement with the --domain option of the storage gateway, as described under Authentication Policies

Definitions

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information

  • Endpoint: Storage connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus OIDC Server: Identity component that can be installed as part of a Globus Connect Server endpoint to authenticate users through PAM

  • Globus Connect Server: Administrator installed multi-user server that has a data movement and identity service components

  • GlobusID: A free identity provider operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Modules (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely used standard for access delegation; more information can be found at http://oauth.net/

© 2010- The University of Chicago