XSEDE / oauth-ssh

SSH with Globus Auth
Apache License 2.0

Multiple idp_suffix setting #68

Closed tscollins-nygc closed 2 years ago

tscollins-nygc commented 4 years ago

Is there a way to set multiple idps? We have tried multiple lines under the ACCOUNT MAPPING OPTIONS section like this:

    idp_suffix globusid.org
    idp_suffix xsede.org
    idp_suffix nygenome.org@accounts.google.com

and/or

    idp_suffix xsede.org, globusid.org, nygenome.org@accounts.google.com

but when trying to authorize we get:

    Authorization to this host has failed. Likely causes are no local account or a misconfigured service

Have also tried leaving just one under ACCOUNT MAPPING OPTIONS and enabling permitted_idps under the HIGH ASSURANCE (SESSION) OPTIONS section like this:

    idp_suffix nygenome.org@accounts.google.com
    permitted_idps globusid.org, xsede.org

This setup allows the user to authorize but not log in:

    oauth-ssh-token authorize ga.nygenome.org --identity tscnygc@xsede.org
    Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?code_challenge=RWUfXe1n681h6zHwnVIYiLLms-JaHg0vWwMufm__bKk&session_required_identities=622b8fd0-5883-4f3d-8eca-d2da5a3fa8ca&state=_default&redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&code_challenge_method=S256&client_id=a9be630f-a6ea-4901-97fb-20845ba32c32&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Fga.nygenome.org%2Fssh&session_message=The+SSH+service+requires+that+you+authenticate+using+this+identity%3A&access_type=offline&response_type=code
    Please enter the code you get after login here: XXXXXX

    oauth-ssh -l tscnygc ga.nygenome.org
    Unexpected reply from the SSH service: {"error": {"code": "INVALID_ACCOUNT","description": "You cannot use that local account."}}

Another account:

    oauth-ssh-token authorize ga.nygenome.org --identity tscollins@globusid.org
    Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?code_challenge=TTrHi0GKaGLFUjwn04glTQl9TTJDHVn7D0QxYHTlW9E&session_required_identities=a7f827fa-d274-11e5-a42e-1fc3e09f558b&state=_default&redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&code_challenge_method=S256&client_id=ea80dea3-9068-406e-b00f-9f2488b41463&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2Fga.nygenome.org%2Fssh&session_message=The+SSH+service+requires+that+you+authenticate+using+this+identity%3A&access_type=offline&response_type=code
    Please enter the code you get after login here: pomSHzvC2zEHbaZfbige5bz0JfUNsM

    oauth-ssh -l tscollins ga.nygenome.org
    Unexpected reply from the SSH service: {"error": {"code": "INVALID_ACCOUNT","description": "You cannot use that local account."}}

And the one that actually has the idp_suffix setting results in this when trying to go to the URL provided:

    Sorry, but we encountered a problem while servicing your request.
    Invalid state parameter: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.….fu0rG5VOBlSaH3rl6VUbt4zv0KE2ufQbRk9i0_QPpa4'
    Occurred at time: 2019-10-09T19:35:54.836641+00:00
    Error ID: ee99eb9727e74b4e80a1ba01d07d0f6d
    Error code: INVALID_STATE

JasonAlt commented 4 years ago

You can only configure one idp_suffix at this time.

tscollins-nygc commented 4 years ago

Just to clarify:

  • under the ACCOUNT MAPPING OPTIONS section only one 'idp_suffix' can be specified, correct?
  • under the HIGH ASSURANCE (SESSION) OPTIONS section the 'permitted_idps' does nothing currently, correct?

JasonAlt commented 4 years ago

> under the ACCOUNT MAPPING OPTIONS section only one 'idp_suffix' can be specified, correct?

Yes, with a single value.

> under the HIGH ASSURANCE (SESSION) OPTIONS section the 'permitted_idps' does nothing currently, correct?

permitted_idps works, it is a list of IdPs that the connecting user must have recently authenticated against.

These two work together to determine who can access your system. For example, I have multiple linked Globus accounts (jasonalt@globus.org, alt@gmail.com, jalt@uchicago.edu). Using idp_suffix uchicago.edu would mean that my local username has to be jalt; the fact that I have linked identities with usernames jasonalt and alt makes no difference, those are not used when mapping to the local account.

Using permitted_idps globus.org means that I would have to have authenticated recently to the globus.org IdP. Without this setting, I could have authenticated to any IdP from any of my linked identities. That may not be what you want; for example, you might have a specific IdP you trust more than others, perhaps because you know it to be two-factor.
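As an added illustration of the two settings described above (example code, not oauth-ssh's own), the following Python model encodes the mapping rule (one idp_suffix selects the linked identity whose username becomes the local account) and the session rule (permitted_idps requires a recent authentication against a listed IdP); the identities, IdP names and session data are constructed, and it reproduces the INVALID_ACCOUNT answer from the report when the `-l` username is not the one mapped through idp_suffix.

```python
"""Model of the idp_suffix / permitted_idps rules described in this thread.
Added example, not oauth-ssh's own code; identities, IdP names and session
data are constructed. INVALID_ACCOUNT is the code shown in the thread; the
other reason string is just a label used by this model."""
from dataclasses import dataclass


@dataclass
class Session:
    identities: list        # linked Globus identities, "username@idp"
    recent_auth_idps: set   # IdPs the user authenticated against recently


def map_local_account(identities, idp_suffix):
    """Local username = username of the linked identity whose IdP equals
    idp_suffix; usernames on the other linked identities are ignored.
    Split on the first '@' only, so a Google-backed identity such as
    'user@nygenome.org@accounts.google.com' keeps its full IdP suffix."""
    for identity in identities:
        user, _, idp = identity.partition("@")
        if idp == idp_suffix:
            return user
    return None


def authorize(session, requested_user, idp_suffix, permitted_idps=()):
    """Apply the two checks from the thread in order; return (ok, reason).
    1. The requested local account (-l) must equal the mapped account,
       otherwise the service answers INVALID_ACCOUNT.
    2. If permitted_idps is set, the session must carry a recent
       authentication against at least one of the listed IdPs."""
    mapped = map_local_account(session.identities, idp_suffix)
    if mapped is None or mapped != requested_user:
        return False, "INVALID_ACCOUNT"
    if permitted_idps and not set(permitted_idps) & session.recent_auth_idps:
        return False, "no recent authentication to a permitted IdP"
    return True, "ok"


if __name__ == "__main__":
    # Constructed session resembling the reporter's: three linked identities,
    # most recent login against xsede.org, server configured as in the issue.
    s = Session(["tscnygc@xsede.org", "tscollins@globusid.org",
                 "tsc@nygenome.org@accounts.google.com"], {"xsede.org"})
    cfg = "nygenome.org@accounts.google.com"
    print(authorize(s, "tscnygc", cfg))                              # INVALID_ACCOUNT
    print(authorize(s, "tsc", cfg, ["globusid.org", "xsede.org"]))  # ok
```

Only the identity whose IdP matches idp_suffix contributes a username, so a user whose `-l` name comes from a different linked identity is refused before permitted_idps is even consulted.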