GCS Globus OIDC Reference Architecture

This document provides a reference architecture for a GCS Globus OIDC integrated into a Globus Connect Server endpoint.

Reference Architecture

auth flow 2022 OIDC

The Globus OIDC server is an integrated OIDC module that runs on your Globus Connect Server endpoint.

Note: The Globus OIDC server is solely intended for restricting access to Globus Connect Server endpoints and collections.

The Globus OIDC module is used in scenarios where the authentication service needed to access collections on the endpoint is not one of the identity providers that can be used to log into Globus. Using this module an administrator can allow users to log in with their local Linux identities (or LDAP identities) to access collections hosted on this endpoint. The module uses Linux Pluggable Authentication Module (PAM) and the administrator can configure a suitable PAM module and authentication to use.

  • The source and/or destination Globus Connect Server instances are configured by an administrator to require a login from a specific domain within a given timeframe

    • Information on how to set the authentication requirements can be found in Globus Connect Server installation documentation under Authentication Policies

  • The Globus OIDC server running on the endpoint is registered as an identity provider in Globus Auth

    • Note that the OIDC server is registered as an identity provider for use with this collection, but not for logging into Globus

  • PAM is used for local user authentication on the Globus Connect Server instances, which can be redirected to other services such as LDAP, RADIUS, or Kerberos. This is configured by the administrator of the endpoint.

Next Steps

  • Read the GCSv5 Getting Started documentation to set up the Globus OIDC server on your Globus Connect Server endpoint.

  • Configure the Globus Connect Server identity provider requirement using the --domain option on the storage gateway Authentication Policies

Definitions

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information

  • Endpoint: Storage connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus OIDC Server: OIDC server that can be installed as part of an endpoint for PAM-based authentication

  • Globus Connect Server: Administrator installed multi-user server that has a data movement and identity service components

  • GlobusID: A free identity provider operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Globus OIDC Server: Identity component of Globus Connect Server that can be used to authenticate users through PAM

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Module (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely-used standard for access delegation, more information can be found at http://oauth.net/