using keycloak (OIDC) for collection authentication


Manuel Sopena Ballesteros

Oct 20, 2021, 12:31:58 PM10/20/21
to Discuss

Dear Globus community,

We are trying to integrate our local Keycloak instance with a Globus Connect Server v5.4 test environment. The goal is to use Keycloak as an authentication method for users to access our collection. So far we have only seen this document https://docs.globus.org/security/authorization-authentication-v54/#transfer_tofrom_a_collection but we still have a couple of questions we would like to ask.

Is the use case exposed here valid for Globus? If so, could you please point us to the right documentation?

Thank you very much

Manuel

Sam Claassens

Oct 20, 2021, 3:50:59 PM10/20/21
to Manuel Sopena Ballesteros, Discuss
Hi Manuel,

Thanks for the question - Yes, we do support that use-case.

To use your Keycloak identity provider for authentication to access your collections, you can manually register the identity provider using the Identity Providers API. Note: it won't be listed in the Globus dropdown for logging in. But you can configure your collection to require the identity provider's registered domain, requiring users to authenticate using that identity provider, and restricting access to the collection (see https://docs.globus.org/globus-connect-server/v5.4/identity-mapping-guide/). This has a few requirements for the identity provider registration - ensuring ownership of the domain and an accessible openid-configuration document. You will need to configure this beforehand. 

Alternatively, if you'd like the identity provider to be listed as a dropdown option on the Globus login page in addition to accessing collections, you could use one of the two options discussed on this page.

Let us know if you have any further questions, or contact sup...@globus.org for additional support on setting up the identity provider.

Best,
Sam
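Before registering the identity provider, it is worth checking that the openid-configuration document Sam refers to is well-formed and actually lives under the domain whose ownership you will prove. The following is an added example, not Globus or Keycloak code; the realm URL, hostname, domain and the two misconfigurations in the second sample are constructed, and the host/https checks are this example's own policy rather than Globus requirements.

```python
from urllib.parse import urlparse

# Fields every OIDC provider metadata document must carry
# (OpenID Connect Discovery 1.0, section 3).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def check_discovery(doc: dict, domain: str) -> list:
    """Return a list of problems; an empty list means the document looks registrable."""
    problems = [f"missing required field {k}" for k in REQUIRED if k not in doc]
    iss = urlparse(doc.get("issuer", ""))
    host = iss.hostname or ""
    if iss.scheme != "https":
        problems.append("issuer is not an https URL")
    # The IdP should sit under the domain you register and prove ownership of.
    if not (host == domain or host.endswith("." + domain)):
        problems.append(f"issuer host {host!r} is not under domain {domain!r}")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        p = urlparse(url)
        if p.scheme != "https":
            problems.append(f"{key} is not an https URL")
        if p.hostname != host:
            problems.append(f"{key} is served from a different host than the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signatures not supported")
    return problems

# Constructed sample in Keycloak's URL layout; realm name and hostname are made up.
_BASE = "https://sso.example.org/realms/research"
GOOD_DOC = {
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": _BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with two constructed faults: a plain-http token endpoint and
# a JWKS served from a host other than the issuer.
BAD_DOC = dict(GOOD_DOC,
               token_endpoint="http://sso.example.org/realms/research/protocol/openid-connect/token",
               jwks_uri="https://keys.other-host.net/certs")
```

Fetch the real document from `<issuer>/.well-known/openid-configuration` and pass the parsed JSON to `check_discovery` together with the domain you intend to register.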