domains and IDP's and identity mapping


Simon Leary

Aug 9, 2022, 5:21:32 PM
to Discuss
Hi,
1)
I want to set up a storage gateway with multiple allowed domains. It says I can do this in the docs but it doesn't show the syntax, so I went with commas.
I got the following error:
Globus Auth does not have an identity provider registration for the following domains, so they can not be used with Globus Connect Server: umass.edu,uri.edu,umassd.edu

This brings up another question. If my organization has its own identity provider, how do I add it to Globus Auth? Or, if my org uses Google as its backend, should I use that instead? After making my Globus account, my identity is simon...@umass.edu@accounts.google.com. Should I be using accounts.google.com as the domain for my storage gateway?

2)
The source option in the identity mapping allows me to choose from {username}, {email} and {id}, but I'm not sure what username might be. When I go to my account settings in app.globus.org, I see email simon...@umass.edu, identity simon...@umass.edu@accounts.google.com, but no username.

This example confuses me:
"source": "{username}",
"match": "(.*)@example\\.org",
"output": "{0}@example.org"
It seems to indicate that a {username} is in the email format. What's the difference between {username} and {email} then? Do either of these include @accounts.google.com?

Simon

Karl Kornel

Aug 9, 2022, 5:59:33 PM
to Simon Leary, Discuss

Hi Simon,

For multiple domains, try specifying the --domain option multiple times, like so:

globus-connect-server storage-gateway create posix --domain umass.edu --domain uri.edu --domain umassd.edu

For your second question, it looks like both Amherst and Dartmouth are in the list of organizations you can select when logging in. That’s in addition to the “Log in via Google” option.

We suggest everyone log in to Globus by selecting “Stanford University” from the list. That sends users through Stanford Login, our SAML IdP. The user’s Globus identity username is then their SUN...@stanford.edu. If logging in via Google, it becomes SUN...@stanford.edu@accounts.google.com.

Note that in both of the above cases, I am stating my Globus identity username. My email address can be different. For example:

• When logging in via Stanford, my Globus Identity username is akko...@stanford.edu and my email address is akko...@stanford.edu.
• When logging in via Google, my Globus Identity username is akko...@stanford.edu@accounts.google.com, and my email address is akko...@stanford.edu.

I think that this helps answer your second question. Note in particular that the Identity Username format looks like an email address, but isn’t; the Google example shows how the @ sign can appear multiple times.

~ Karl
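
An added example, not part of either post and not Globus code: a small Python simulation of the mapping rule quoted in the question, run against identities in the two shapes described in the reply. It assumes the match must cover the whole source string and that {0} is the first capture group; the example.org identities, their ids, and GOOGLE_RULE are constructed for illustration.

```python
import re

# Constructed identities in the two shapes described in the reply
# (example.org and the ids are placeholders).
SAML_LOGIN = {"id": "constructed-id-1", "username": "alice@example.org",
              "email": "alice@example.org"}
GOOGLE_LOGIN = {"id": "constructed-id-2",
                "username": "alice@example.org@accounts.google.com",
                "email": "alice@example.org"}

# The rule quoted in the question ("\\." in JSON is the regex \.).
USERNAME_RULE = {"source": "{username}", "match": r"(.*)@example\.org",
                 "output": "{0}@example.org"}
# Same rule, but sourced from the email attribute instead.
EMAIL_RULE = dict(USERNAME_RULE, source="{email}")
# Constructed rule that accepts only the Google-linked username form.
GOOGLE_RULE = {"source": "{username}",
               "match": r"(.*)@example\.org@accounts\.google\.com",
               "output": "{0}@example.org"}


def map_identity(rule, identity):
    """Return the mapped name, or None when the rule does not apply.

    Assumptions: the match must cover the whole source string, and {0}
    in the output is the first capture group.
    """
    source = rule["source"].format(**identity)
    m = re.fullmatch(rule["match"], source)
    return rule["output"].format(*m.groups()) if m else None


def compare(rules, identities):
    """Map every identity through every rule: {(rule_name, login): result}."""
    return {(rname, iname): map_identity(rule, ident)
            for rname, rule in rules.items()
            for iname, ident in identities.items()}


if __name__ == "__main__":
    table = compare({"username": USERNAME_RULE, "email": EMAIL_RULE,
                     "google": GOOGLE_RULE},
                    {"saml": SAML_LOGIN, "google": GOOGLE_LOGIN})
    for key, value in sorted(table.items()):
        print(key, "->", value)
```

Under these assumptions, the quoted rule with {username} as its source maps only the SAML-form identity, while the same rule sourced from {email} maps both logins to the same output regardless of which identity provider authenticated the user.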
