So I am setting up Dex for the first time; I really love how it comes out of the box connected to OOD.
The question is, I am planning on doing auth via another OpenID Connect endpoint, in this case Globus, which will then connect back to Dex with the email of the authenticated user, which will be mapped to a local user. Eventually I will have it map that authenticated user's email from Globus to LDAP and then over to OOD, but for this demo I will just write a shim to map to a local user.
It looks like I might need to put Dex in front of httpd so it can get the redirect from Globus?
For reference the flow is basically:
Unauthenticated user hits the Dex landing page, chooses to log in via Globus → logs in via institution in Globus → Globus sends Dex the mapped claims → Globus sends mapped claims to OOD.
Then, eventually, have Dex map the Globus claims to LDAP and send the LDAP bits to OOD.
OK - I need some clarity on what you're trying to do here, but first: we, at OSC, run Keycloak with support for CILogon through the scheme you're describing. We don't use Dex for production.
That said, I don't know how much mapping you need to do. Remote ID (email or preferred name) → system ID is a must, which we provide regular expressions for out of the box (you can additionally write a script to do this too).
If this is all you need - i.e., Globus has the claims that you can directly map to system users - then you can use it directly instead of Dex.
Ah, I think that was the second pair of eyes I needed. Indeed, I can just regex-parse the claim from Globus with the map_user shim in OOD. I was confusing myself trying to stick a map to LDAP in between this, but I can actually just query LDAP right in my shim after doing the regex on the Globus claim…
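For anyone landing here later, the shape of the mapping shim the thread settles on, as an added example that is not code from the original posts, from OSC, or from the Open OnDemand project. It assumes the usual contract for a user-map command (the remote ID arrives as the single argument, the local username goes to stdout, and empty output with a non-zero exit means "no mapping"); check the OOD documentation for the exact contract of the user_map_cmd setting before wiring it in. The LDAP query is replaced by a constructed in-memory directory so the script runs offline; swap `directory_lookup` for a real `ldapsearch`/`ldap3` query keyed on the mail attribute. The domain allow-list, the denied-accounts set and all names in it are assumptions for the example.

```python
#!/usr/bin/env python3
"""Remote identity (e.g. the Globus email claim) -> local system user.

Assumed contract (verify against the OOD docs): called as
`shim <remote_id>`, prints the local username on stdout and exits 0;
prints nothing and exits non-zero when the identity must not be mapped.
"""
import re
import sys

# Assumption: only identities issued for these institutional domains are
# accepted. Without this, anyone whose IdP lets them pick a local-part
# could claim an account (e.g. alice@attacker.example -> alice).
ALLOWED_DOMAINS = ("example.edu", "partner.example.org")

# Assumption: privileged accounts are never reachable through web login.
DENIED_USERS = {"root"}

# Constructed stand-in for the LDAP directory (mail -> uid). A real shim
# would query LDAP here; the data below is invented for the example.
FAKE_DIRECTORY = {
    "alice@example.edu": "alice",
    "bob.jones@partner.example.org": "bjones",
}

EMAIL_RE = re.compile(r"^(?P<local>[a-z0-9._-]+)@(?P<domain>[a-z0-9.-]+)$",
                      re.IGNORECASE)
# Whatever the directory returns is about to become a username handed to
# httpd/OOD, so it is validated against a strict charset, not trusted.
LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_remote_id(remote_id):
    """Return (local_part, domain), lowercased, or None if not an email."""
    m = EMAIL_RE.match(remote_id.strip())
    if not m:
        return None
    return m.group("local").lower(), m.group("domain").lower()


def directory_lookup(email):
    """Stand-in for the LDAP query: mail attribute -> uid, or None."""
    return FAKE_DIRECTORY.get(email)


def map_user(remote_id, lookup=directory_lookup):
    """Map a remote ID to a local username; None means refuse the login."""
    parsed = parse_remote_id(remote_id)
    if parsed is None:
        return None
    local, domain = parsed
    if domain not in ALLOWED_DOMAINS:
        return None
    user = lookup(f"{local}@{domain}")
    if user is None or user in DENIED_USERS or not LOCAL_USER_RE.match(user):
        return None
    return user


def main(argv):
    """CLI entry point; returns the process exit status."""
    if len(argv) != 2:
        return 2
    user = map_user(argv[1])
    if user is None:
        return 1          # no output, non-zero: OOD maps nobody
    print(user)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The two checks that matter beyond the regex itself are the domain allow-list (a bare `^([^@]+)@` capture would map any IdP-issued email whose local-part happens to match a local account) and the validation of what the directory returns before it is printed, so a stray or malformed attribute value cannot become a username.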