I'm planning a new Globus rollout probably using GCSv5 but I've only used v4 up until now.
I need to support systems from disjoint LDAP namespaces and users with multiple login accounts on a single system.
However we do have a single user management system covering the whole infrastructure.
Clearly I'm going to need different endpoints for each of the LDAP namespaces.
The obvious option is to run a Globus OIDC server for each LDAP namespace allowing users to create OIDC identities for each login account, with each LDAP namespace forming an OIDC domain.
On the other hand the user management system can act as an OIDC IdP and I can configure it to allow users to select an identity (corresponding to one of their login accounts) when they authenticate. All the identities would be from the same domain but identity mapping should still be able to extract the required info. From the user perspective I suspect it is pretty similar.
Does anyone see any problem with either approach? Is there any reason to prefer one over the other?
Does the Globus server support 2FA PAM modules or is it single password only?
Thanks in advance
Stephen
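The post's second option relies on per-endpoint identity mapping pulling the local login account out of an identity that shares one OIDC domain with every other account. The following is an added example, not code from the post or from Globus: a small Python evaluator for a mapping document written in the layout of GCSv5's expression identity mapping (a JSON object with a DATA_TYPE of expression_identity_mapping#1.0.0 and a list of mappings with source/match/output/ignore_case/literal keys). The domain usermgmt.example.org, the "<account>.hpc@" naming convention for the HPC namespace, the identities, and the whole-string matching and allowlist behaviour are assumptions made for the illustration; the real GCS evaluator is the authority on exact semantics.

```python
import json
import re

# Constructed mapping document in the GCSv5 expression-mapping layout.
# Assumption: on this endpoint (the "hpc" LDAP namespace) the user-management
# IdP issues usernames like "<account>.hpc@usermgmt.example.org".
EXPRESSION_MAPPING = json.loads(r"""
{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    {
      "source": "{username}",
      "match": "([a-z][a-z0-9_-]*)\\.hpc@usermgmt\\.example\\.org",
      "output": "{0}",
      "ignore_case": true,
      "literal": false
    }
  ]
}
""")

# Constructed identities as the IdP might present them (assumed field names).
SAMPLE_IDENTITIES = [
    {"username": "alice.hpc@usermgmt.example.org"},      # HPC account -> alice
    {"username": "alice.ldap2@usermgmt.example.org"},    # other namespace -> no map
    {"username": "bob.hpc@usermgmt.example.org.evil"},   # trailing junk -> no map
    {"username": "root.hpc@usermgmt.example.org"},       # maps, but denied below
]

# Local accounts this endpoint is willing to expose (assumed allowlist).
LOCAL_ACCOUNT_ALLOWLIST = {"alice", "bob"}


def _source_value(identity: dict, source: str) -> str:
    """Expand "{field}" references in a rule's source against the identity."""
    return re.sub(r"\{(\w+)\}", lambda m: str(identity.get(m.group(1), "")), source)


def map_identity(identity: dict, mapping_doc: dict = EXPRESSION_MAPPING):
    """Apply rules in order; return the first rule's output or None.

    Assumption: the match pattern must cover the entire source string, so a
    username with extra text appended does not match.
    """
    for rule in mapping_doc["mappings"]:
        value = _source_value(identity, rule["source"])
        flags = re.IGNORECASE if rule.get("ignore_case") else 0
        pattern = re.escape(rule["match"]) if rule.get("literal") else rule["match"]
        match = re.fullmatch(pattern, value, flags)
        if match is None:
            continue
        output = rule["output"]
        for index, group in enumerate(match.groups()):
            output = output.replace("{%d}" % index, group)
        return output
    return None


def map_identities(identities, allowlist=LOCAL_ACCOUNT_ALLOWLIST, mapping_doc=EXPRESSION_MAPPING):
    """Map a batch of identities to local accounts.

    A mapping result is only accepted when the local account is on the
    endpoint's allowlist; everything else is reported as None so the
    administrator can see which identities were refused and why.
    """
    results = {}
    for identity in identities:
        local = map_identity(identity, mapping_doc)
        if local is not None and local.lower() not in allowlist:
            local = None  # mapped, but not an account this endpoint serves
        results[identity["username"]] = local
    return results


if __name__ == "__main__":
    for username, local in map_identities(SAMPLE_IDENTITIES).items():
        print("%-45s -> %s" % (username, local))
```

The two checks worth keeping in mind when running something like this against a real endpoint: the rule anchors on the namespace suffix, so an identity for another LDAP namespace simply fails to map on this endpoint rather than landing on the wrong account, and the allowlist stops a syntactically valid mapping from exposing a privileged or unintended local account.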