
Register the admin VO

The admin VO is the one that rules them all. It is not meant to be connected to the grid services and therefore can be offline and DiracX-specific. We currently support Indigo IAM and dex, but you can also use your institute SSO platform (e.g. CERN SSO).

Prerequisites

  • You have access to your DiracX instance URL.

Generate an OIDC client

  1. Go to the CERN Application Portal
  2. Click "Register a new application"
  3. Fill in the application details:
     • Application Name: DiracX [Your VO/Installation]
     • Description: DiracX authentication for [Your VO]
     • SSO Protocol: OpenID Connect
     • Redirect URLs:
       https://<youdiracx.invalid>/api/auth/device/complete
       https://<youdiracx.invalid>/api/auth/authorize/complete
     • Base URL: https://<youdiracx.invalid>/
  4. Client Secret Configuration: tick "My application cannot store a client secret safely"
  5. If you want to restrict access to a certain egroup, edit the default role in the role part to add your egroup

TODO: blabla

The general guidelines for the configuration are as follows:

  • Client secret: none

  • Redirect URIs:

    https://<your-diracx-url>/api/auth/authorize/complete
    https://<your-diracx-url>/api/auth/device/complete

  • Grant type: authorization_code

  • Scope: at minimum openid, profile and email

Use Authorization Code without secrets

If your IdP gives you a choice, use the PKCE variant: it is the only one supported by DiracX.
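As an added example (not part of the DiracX documentation or code base), the following script checks an IdP's OIDC discovery document against the guidelines above: PKCE with S256, the authorization_code grant, the openid/profile/email scopes and a token endpoint that accepts clients without a secret. It also builds the two redirect URIs DiracX expects from your instance URL. The sample discovery document and the example.invalid hostnames are constructed; fetch_discovery() is a hypothetical helper for running it against a real IdP.

```python
import json
import urllib.request

REQUIRED_SCOPES = {"openid", "profile", "email"}


def expected_redirect_uris(diracx_url):
    """Redirect URIs to register at the IdP for the authorize and device flows."""
    base = diracx_url.rstrip("/")
    return [base + "/api/auth/authorize/complete",
            base + "/api/auth/device/complete"]


def check_discovery(doc):
    """Return the list of problems found in a discovery document (empty = OK)."""
    problems = []
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 is not advertised (DiracX only supports PKCE)")
    # RFC 8414: when omitted, grant_types_supported defaults to these two values
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant is not supported")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    # "none" means the token endpoint accepts public clients that hold no secret;
    # an IdP that omits it may still accept them, so verify by hand in that case
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "none" not in methods:
        problems.append('token endpoint does not list "none": verify secret-less clients are accepted')
    return problems


def fetch_discovery(idp_url):
    """Download <idp_url>/.well-known/openid-configuration (needs network access)."""
    url = idp_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample discovery document so the check can be run offline
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.invalid/",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
}

if __name__ == "__main__":
    print(expected_redirect_uris("https://diracx.example.invalid/"))
    print(check_discovery(SAMPLE_DISCOVERY) or "IdP looks compatible with DiracX")
```

Replace SAMPLE_DISCOVERY with fetch_discovery("https://<your-idp-instance>/") to check a real provider.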

Configure DIRAC

  1. In your DIRAC CS, add under DiracX > CsSync > VOs > <VO> > IdP:

        DiracX
        {
          CsSync
          {
            VOs
            {
              diracx_admin
              {
                IdP
                {
                  ClientID = "<OIDC-client-ID>"
                  URL = "https://<your-idp-instance>/"
                }
              }
            }
          }
        }

  2. Add a diracx_admin group to the Registry:

        Registry
        {
          Groups
          {
            diracx_admin
            {
              Users = <username from dirac>
              VO = diracx_admin
              Properties = Operator
              Properties += FullDelegation
              Properties += ProxyManagement
              Properties += ServiceAdministrator
              Properties += JobAdministrator
              Properties += CSAdministrator
              Properties += AlarmsManagement
              Properties += FileCatalogManagement
              Properties += SiteManager
            }
          }
        }

  3. List their subject IDs under UserSubjects:

        DiracX
        {
          CsSync
          {
            VOs
            {
              diracx_admin
              {
                UserSubjects
                {
                  <username from dirac> = <user id from the IdP instance>
                  ...
                }
                DefaultGroup = diracx_admin
              }
            }
          }
        }

    Automate the listing of subjects if you can

    The SubId corresponds to the username. Members of an egroup can be listed with the following (replace <the-egroup-you-want>):

        curl --no-progress-meter --insecure "ldaps://xldap.cern.ch/OU=Users,OU=Organic Units,DC=cern,DC=ch?name?sub?(&(objectClass=user)(memberOf=CN=<the-egroup-you-want>,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))"  | grep name | awk -F ":" '{print $2}' | tr -d '[:blank:]'

    You need an LDAP-compatible curl build: check that ldap appears in the output of curl --version. Note that --insecure skips TLS certificate verification of the LDAP server; drop it once the CERN CA is in your trust store.

    Dex

    TODO: You should do that


Make sure that the CS sync is active.