Globus
Globus is used by colleges and universities, research labs, and major research projects to manage research data. Globus provides an OpenID Connect authentication service that allows faculty, staff, and students to authenticate using campus authentication services at over 1,000 InCommon and eduGAIN institutions worldwide, ORCID, Google (used as GSuite by hundreds of academic institutions), and dozens of national research facilities. Globus allows users to choose the institution to authenticate with and returns the resulting identity data to the web application.
Register your web app with Globus to obtain a Client ID and Client Secret for your application. Assuming your callback address is https://your.hostname.here/protected/redirect_uri, use the following Apache configuration settings to authenticate using Globus.
```apache
# Load the mod_auth_openidc module
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Configure the module to use Globus Auth
OIDCProviderMetadataURL https://auth.globus.org/.well-known/openid-configuration
OIDCClientID GLOBUS_CLIENT_ID
OIDCClientSecret GLOBUS_CLIENT_SECRET
# Must exactly match the callback address registered with Globus
OIDCRedirectURI https://your.hostname.here/protected/redirect_uri
# Used to encrypt the module's session cookie and state; keep it secret
OIDCCryptoPassphrase ANY-LONG-RANDOM-SEQUENCE-OF-CHARACTERS
OIDCScope "openid email profile"
# Map the preferred_username claim to the REMOTE_USER environment variable
OIDCRemoteUserClaim preferred_username
# The following line is needed for mod_auth_openidc version >= 2.4
OIDCProviderTokenEndpointAuth client_secret_post

# Specify the part of your server space that will require the user to log in
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```
Globus provides the following OIDC claims. The name, email, and organization values are provided by the user's preferred identity provider.
Claim | Value |
---|---|
name | The user's full name |
email | The user's email address |
organization | The user's organization |
preferred_username | The userid reported by the identity provider followed by the identity provider's internet domain, formatted like an email address; see note below |
sub | Globus UUID for this user; will never change |
identity_provider_display_name | Human-readable name of the identity provider; e.g., "University of Michigan" |
identity_provider | Globus UUID of the identity provider; will never change |
Note: Although preferred_username is formatted like an email address, it is actually the userid reported by the identity provider (which may or may not be the user's actual username, depending on the IdP's policies) followed by the identity provider's internet domain. The actual email address is in the email field.
To allow a logged-in user to log out, use a link of the form below.

```
https://auth.globus.org/v2/web/logout?client_id=GLOBUS_CLIENT_ID&redirect_uri=https%3A%2F%2Fyour.hostname.here%2Fprotected%2Fredirect_uri%3Flogout%3Dhttps%3A%2F%2Fyour.hostname.here%2F&redirect_name=your.hostname.here
```
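The following WSGI application is an added example, not code from this wiki or from the mod_auth_openidc project. It covers both the claims table above and the logout link: it reads the Globus claims that the module exposes to the application, authorizes on the stable `identity_provider` and `sub` UUIDs rather than on `preferred_username` (which, as the note explains, is not a verified email address), and builds the logout URL with proper encoding. It assumes the module's default claim prefix `OIDC_CLAIM_` and that claims are passed as environment variables (the default); the IdP UUID in `ALLOWED_IDPS`, the `GLOBUS_CLIENT_ID` and `your.hostname.here` placeholders are constructed values to be replaced with your own.

```python
"""Minimal WSGI app served from the protected /protected location above.

Assumptions (constructed for this example, not from the wiki):
- mod_auth_openidc passes claims with its default prefix OIDC_CLAIM_, so
  Globus claims arrive as OIDC_CLAIM_sub, OIDC_CLAIM_identity_provider, etc.
- REMOTE_USER holds preferred_username, per OIDCRemoteUserClaim above.
- ALLOWED_IDPS holds placeholder UUIDs, not real Globus identity providers.
"""
from urllib.parse import urlencode

GLOBUS_CLIENT_ID = "GLOBUS_CLIENT_ID"  # placeholder, as in the Apache config
HOSTNAME = "your.hostname.here"        # placeholder, as in the Apache config
CLAIM_PREFIX = "OIDC_CLAIM_"

# Authorize on the identity_provider UUID, which Globus says never changes,
# not on identity_provider_display_name or the email-shaped preferred_username.
ALLOWED_IDPS = {"00000000-0000-4000-8000-000000000001"}  # constructed placeholder


def globus_claims(environ):
    """Collect the OIDC claims mod_auth_openidc placed in the request environment."""
    return {k[len(CLAIM_PREFIX):]: v
            for k, v in environ.items() if k.startswith(CLAIM_PREFIX)}


def authorize(environ):
    """Return (True, stable_user_key) or (False, reason).

    The stable key is the sub claim: a user who later links a different
    campus identity keeps the same sub but may get a new preferred_username.
    """
    if not environ.get("REMOTE_USER"):
        return False, "no authenticated user; is the location protected?"
    claims = globus_claims(environ)
    idp = claims.get("identity_provider")
    if idp not in ALLOWED_IDPS:
        return False, f"identity provider {idp!r} is not allowed"
    sub = claims.get("sub")
    if not sub:
        return False, "sub claim missing from the token"
    return True, sub


def logout_url(client_id=GLOBUS_CLIENT_ID, hostname=HOSTNAME):
    """Build the Globus logout link shown above.

    redirect_uri is the module's own redirect URI with its ?logout= parameter,
    so Globus sends the browser back to mod_auth_openidc, which clears the local
    session and then redirects to the site root. urlencode() percent-encodes the
    nested URL once, which is what the wiki's link does.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": f"https://{hostname}/protected/redirect_uri?logout=https://{hostname}/",
        "redirect_name": hostname,
    }
    return "https://auth.globus.org/v2/web/logout?" + urlencode(params)


def application(environ, start_response):
    """WSGI entry point: refuse users from unlisted IdPs, greet the rest."""
    ok, detail = authorize(environ)
    if not ok:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [f"Forbidden: {detail}\n".encode()]
    claims = globus_claims(environ)
    body = (f"Hello {claims.get('name', environ['REMOTE_USER'])} "
            f"(stable id {detail}, email {claims.get('email', 'n/a')})\n"
            f"Log out: {logout_url()}\n")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]
```

Because the decision is made on `identity_provider` and `sub`, an attacker who controls a different IdP that happens to emit the same userid, or a user whose campus username is reassigned, cannot inherit another user's access; `preferred_username` and `email` are used only for display.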