Best way to support users with multiple accounts.


Stephen Booth

Jun 4, 2021, 6:18:30 AM
to Discuss
I'm planning a new Globus rollout, probably using GCSv5, but I've only used v4 up until now.

I need to support systems from disjoint LDAP namespaces and users with multiple login accounts on a single system.
However, we do have a single user management system covering the whole infrastructure.

Clearly I'm going to need different endpoints for each of the LDAP namespaces.

The obvious option is to run a Globus OIDC server for each LDAP namespace allowing users to create OIDC identities for each login account, with each LDAP namespace forming an OIDC domain.
 
On the other hand, the user management system can act as an OIDC IdP and I can configure it to allow users to select an identity (corresponding to one of their login accounts) when they authenticate. All the identities would be from the same domain, but identity mapping should still be able to extract the required info. From the user perspective I suspect it is pretty similar.


Does anyone see any problem with either approach? Is there any reason to prefer one over the other?
Does the Globus server support 2FA PAM modules, or is it single password only?


Thanks in advance
                                  Stephen
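The "identity mapping should still be able to extract the required info" point above, as an added example that is not part of the original post and not Globus code: a small Python evaluator for a mapping document written in the shape of the GCSv5 expression identity mapping format (DATA_TYPE expression_identity_mapping#1.0.0, rules with source, match and output). Everything else is assumed for illustration: the system name hpc1, the IdP domain users.example.ac.uk, the convention that the management-system IdP issues one identity per login account encoded as local-account.system@idp-domain, and the simplification that the first rule whose pattern matches the whole source wins. The identities fed to it are constructed.

```python
import json
import re
from typing import Optional

# Constructed mapping document for the collection that fronts the system
# called "hpc1".  The shape follows the GCSv5 expression identity mapping
# format; the hostname "hpc1", the IdP domain users.example.ac.uk and the
# <local-account>.<system>@<idp-domain> username convention are hypothetical.
HPC1_MAPPING_DOCUMENT = json.dumps({
    "DATA_TYPE": "expression_identity_mapping#1.0.0",
    "mappings": [
        {
            "source": "{username}",
            "match": r"([a-z][a-z0-9_-]*)\.hpc1@users\.example\.ac\.uk",
            "output": "{0}",
        }
    ],
})


def _expand_source(source: str, identity: dict) -> str:
    """Substitute {field} placeholders in a rule's source with identity fields."""
    return re.sub(r"\{(\w+)\}", lambda m: str(identity.get(m.group(1), "")), source)


def map_identity(mapping_document: str, identity: dict) -> Optional[str]:
    """Return the local account for one Globus identity, or None if no rule maps it.

    Simplified evaluation (an assumption of this example): rules are tried in
    order and the first whose pattern matches the WHOLE expanded source wins.
    Anchoring with re.fullmatch is what stops an identity such as
    sbooth.hpc1@users.example.ac.uk.evil.example from mapping to "sbooth".
    """
    doc = json.loads(mapping_document)
    if doc.get("DATA_TYPE") != "expression_identity_mapping#1.0.0":
        raise ValueError("unsupported mapping document type")
    for rule in doc["mappings"]:
        subject = _expand_source(rule["source"], identity)
        pattern = re.escape(rule["match"]) if rule.get("literal") else rule["match"]
        flags = re.IGNORECASE if rule.get("ignore_case") else 0
        match = re.fullmatch(pattern, subject, flags)
        if match is None:
            continue
        local = rule["output"]
        for index, group in enumerate(match.groups()):
            local = local.replace("{%d}" % index, group or "")
        return local
    return None


# Constructed identities as a single management-system IdP would present
# them: all share one domain, the login account lives in the local part.
SAMPLE_IDENTITIES = [
    {"username": "sbooth.hpc1@users.example.ac.uk", "identity_provider": "mgmt"},
    {"username": "sbooth2.hpc1@users.example.ac.uk", "identity_provider": "mgmt"},   # second account, same system
    {"username": "sbooth.store@users.example.ac.uk", "identity_provider": "mgmt"},   # other LDAP namespace
    {"username": "sbooth.hpc1@users.example.ac.uk.evil.example", "identity_provider": "other"},
]


def map_all(mapping_document: str, identities: list) -> dict:
    """Map every identity; None means the collection will not accept it."""
    return {i["username"]: map_identity(mapping_document, i) for i in identities}


if __name__ == "__main__":
    for username, local in map_all(HPC1_MAPPING_DOCUMENT, SAMPLE_IDENTITIES).items():
        print(f"{username:50} -> {local}")
```

Each endpoint or collection would carry its own document with its own system suffix, so an identity minted for one LDAP namespace simply fails to map on the others; the two accounts on hpc1 map to two different local users because the account name is recovered from the capture group rather than from a fixed per-identity field.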

Dan Powers

Jun 8, 2021, 2:52:42 PM
to Discuss, stephen.pe...@googlemail.com
Hi Stephen,

Given the use case you describe, you'd likely want to consider using your management system's OIDC identity provider functionality, since you already have this system in place and so as to avoid having to manage various additional Globus OIDC service instances. As you also seem interested in deploying an identity provider solution that supports 2FA, you'll want to ensure that your existing system supports such functionality. As it is not possible at this time for a site to simply use their own custom OIDC service as a drop-in replacement for the Globus OIDC service, if you wish to use your management system's OIDC identity provider with Globus/GCS you will have to register it as a custom identity provider with Globus. We discuss the process for doing this in our doc here:

https://docs.globus.org/faq/security/#how_do_i_get_my_organization_added_as_an_option_to_log_into_globus

The Globus OIDC service can support 2FA functionality via PAM provided that the solution being used supports sending the password and 2FA token in the same request. At this time, the Globus OIDC service cannot support 2FA solutions that require a second page or prompt for the user to enter the 2FA token. Additionally, although the Globus OIDC service can be configured to support 2FA within the limits discussed above, it cannot be configured to require 2FA at this time.

-Dan Powers
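The single-request constraint in the reply above, as an added Python sketch that is not Globus code and not the code of any PAM module: it shows what a PAM stack has to do when the password and the one-time code arrive in one PAM_AUTHTOK rather than in two prompts, which is the model used by modules such as pam_google_authenticator with its forward_pass option (the user types the password immediately followed by the code). Assumptions: TOTP per RFC 6238 with HMAC-SHA1, 6 digits and a 30-second step; the expected password "correct horse" is constructed; the secret and timestamps used in the usage lines are the published RFC 6238 test vectors. A real stack would forward the password part to pam_unix rather than compare it here.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6
TOTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (the default algorithm for RFC 6238 TOTP)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = OTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def split_combined_authtok(authtok: str, digits: int = OTP_DIGITS):
    """Split one 'password followed by OTP' input into (password, otp).

    The split is positional: the trailing `digits` characters are the OTP.
    Returns None when the input is too short to hold both factors or the
    tail is not numeric, i.e. when the user only typed a password.
    """
    if len(authtok) <= digits or not authtok[-digits:].isdigit():
        return None
    return authtok[:-digits], authtok[-digits:]


def verify_combined(authtok: str, expected_password: str, secret: bytes,
                    unix_time: int, window: int = 1) -> bool:
    """Check both factors from a single prompt; accept +/- `window` time steps of drift."""
    parts = split_combined_authtok(authtok)
    if parts is None:
        return False
    password, otp = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    otp_ok = False
    base_counter = unix_time // TOTP_STEP
    for counter in range(base_counter - window, base_counter + window + 1):
        if counter < 0:
            continue
        # Evaluate every step without early exit so timing does not reveal which one matched.
        otp_ok |= hmac.compare_digest(hotp(secret, counter), otp)
    return password_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 test vector secret and timestamp; the password is constructed.
    secret = b"12345678901234567890"
    print(verify_combined("correct horse" + totp(secret, 59), "correct horse", secret, 59))
    print(verify_combined("correct horse", "correct horse", secret, 59))  # no OTP in the prompt
```

The point for Stephen's question is the shape of the exchange, not the OTP math: anything that needs a second round trip (a push approval, a challenge page, a separate "enter your code" prompt) cannot be expressed this way, so only modules that accept the concatenated form fit the Globus OIDC server's single-prompt PAM conversation.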