@@ -594,6 +594,105 @@ authentications.
594594Please refer to :ref: `auth-policies ` for more information.
595595
596596
597+ With Globus OIDC
598+ ----------------
599+
600+ Administrators can create a custom OIDC server by following the `Globus OIDC guide `__.
601+ (Note that this requires an existing Globus Connect Server endpoint.) This OIDC server
602+ can then be combined with Globus Auth Policies to authenticate users on a multi-user
603+ endpoint.
604+
605+ __ https://docs.globus.org/globus-connect-server/v5.4/globus-oidc-guide/
606+
607+ With a Globus OIDC server configured, run ``gcs oidc show `` to retrieve the OIDC
608+ server's configured domain:
609+
610+ .. code-block :: console
611+ :emphasize-lines: 6
612+
613+ $ globus-connect-server oidc show
614+ Current OIDC server configuration:
615+ {
616+ "auth_client": {
617+ "client_id": "00000000-1111-2222-3333-444444444444",
618+ "domain": "<some custom OIDC domain>",
619+ "env": "production"
620+ },
621+ "clients": {
622+ "00000000-1111-2222-3333-444444444444": {
623+ "client_salt": "NOT_ACTUALLY_USED",
624+ "redirect_uris": [
625+ [
626+ "https://auth.globus.org/p/authenticate/callback",
627+ null
628+ ]
629+ ]
630+ }
631+ },
632+ "oidc_server": {
633+ "display_name": "My Globus OIDC Server",
634+ "pam_service": "login",
635+ "support_contact": "Alice Administrator",
636+ "support_email": "alice@example.org"
637+ }
638+ }
639+
640+ .. note ::
641+
642+ The value of the domain field will be referenced in the following steps as
643+ ``<OIDC-domain> ``.
644+
645+ When configuring a new multi-user endpoint, use the ``--allowed-domains `` option to
646+ restrict access to users authenticated via the OIDC server:
647+
648+ .. code-block :: console
649+
650+ $ globus-compute-endpoint configure \
651+ --allowed-domains "<OIDC-domain>" \
652+ my_oidc_compute_endpoint
653+
654+ To apply the same restriction to an existing multi-user endpoint, create an
655+ authentication policy using either the `Globus Auth API <https://docs.globus.org/api/auth/reference/#create_policy >`_
656+ or the `Globus SDK <https://globus-sdk-python.readthedocs.io/en/stable/services/auth.html#globus_sdk.AuthClient.create_policy >`_,
657+ with ``domain_constraints_include `` set to something like ``[<OIDC-domain>] ``.
658+ Then, :ref: `add that policy to the endpoint config <apply-existing-auth-policy >`.
659+
660+ After configuring the endpoint to authenticate against the OIDC server, start or
661+ restart the endpoint to ensure the administrator running the endpoint is also properly
662+ authenticated against the same OIDC server.
663+
664+ Finally, create an :ref: `identity mapping configuration <example-idmap-config >` so
665+ OIDC-authenticated users can run tasks on the endpoint. The following config maps
666+ identities of the form ``user@<OIDC-domain> `` to the local username ``user `` (which
667+ must exist on the endpoint host system):
668+
669+ .. code-block :: json
670+ :caption: ``identity_mapping.json``
671+ :emphasize-lines: 8
672+
673+ [
674+ {
675+ "comment" : " Map OIDC identities to local usernames" ,
676+ "DATA_TYPE" : " expression_identity_mapping#1.0.0" ,
677+ "mappings" : [
678+ {
679+ "source" : " {username}" ,
680+ "match" : " (.*)@<OIDC-domain>" ,
681+ "output" : " {0}"
682+ }
683+ ]
684+ }
685+ ]
686+
687+ Save this configuration to a file (e.g., ``identity_mapping.json ``) and reference it in
688+ the endpoint's ``config.yaml `` under the ``identity_mapping `` key:
689+
690+ .. code-block :: yaml
691+ :caption : ` ` config.yaml``
692+
693+ identity_mapping : /path/to/identity_mapping.json
694+
695+
597696 Administrator Quickstart
598697========================
599698
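Review bot: the identity-mapping rule `"match" : "(.*)@<OIDC-domain>"` is neither anchored nor escaped, and its `{0}` output becomes the local account the endpoint runs tasks as: the dots in the OIDC domain are regex metacharacters that match any character, and the greedy `(.*)` captures everything up to the last `@` (an identity containing a second `@` would yield a local-part with `@` in it). Unless the mapping engine implicitly anchors, suggest `^([^@]+)@<OIDC-domain>$` with the domain's dots escaped, plus one sentence saying the mapping is only as trustworthy as the OIDC server's username namespace and relies on the `--allowed-domains` / `domain_constraints_include` policy to keep other domains out of it. Smaller points in the same hunk: the prose tells the reader to run ``gcs oidc show`` but the console block invokes `globus-connect-server oidc show`, so use one spelling or state that `gcs` is an alias; the `:caption` option on the closing yaml block (`:caption : ` ` config.yaml```) does not match the `:caption: ``identity_mapping.json``` form used on the json block and should be checked to confirm it renders; and the "start or restart the endpoint" paragraph should say what the restart triggers (a fresh login by the administrator, whose identity must now satisfy the policy) and what the administrator sees if it does not.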