We are setting up a new OOD instance using the latest available version, and we want CILogon authentication to work. We found a documentation page recommending we contact OSC if we plan to attempt this. Can someone guide us on the easiest/quickest way to get CILogon working?
We have set up CILogon for Grafana, and that was pretty easy. We basically registered an endpoint and provided the URL to our Grafana’s authentication endpoint, and everything just worked after that. What do we need to do to get CILogon working for OOD? I know we’ll need to register a new endpoint, so what callback URL do we use, etc.?
Not sure why our docs say that, but as it’s OIDC it should be fairly straightforward. Lots of folks use the /oidc endpoint, but you could choose another if you like.
That said, I think the trick may be user mapping. You need to map the CILogon user to a Linux system user. We use Keycloak to do this mapping, so that you could log in, say, with 2 different institutions and Keycloak would map those 2 users back to the same Linux user that OOD then uses.
This mapping may be why our docs say this. Using Keycloak makes this fairly easy (though you’d have to install and manage this new instance), though there’s another way of doing it through the user_map_cmd in ood_portal.yml, where you could script out this mapping and maintain some sort of lookup table.
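As an added example (not code from the thread or from the OOD project), this is the shape of the `user_map_cmd` route described above: OOD runs the script with the authenticated remote user (the CILogon identity) as its only argument and expects the Linux username on stdout, with a non-zero exit meaning "no mapping". The lookup-file path, its format and the identities in it are assumptions constructed for illustration.

```shell
#!/bin/sh
# user_map_cmd example for ood_portal.yml (added example, not OOD's own code).
# Invocation by OOD: <script> "<remote user from the OIDC claim>"
# Output contract: print exactly one Linux username, or exit non-zero.
#
# Constructed lookup table, one "<CILogon identity> <linux user>" per line.
# Keep the real file root-owned and unwritable by the web server user.
MAP_FILE="${MAP_FILE:-/etc/ood/config/cilogon_user_map.txt}"   # assumed path

# lookup_user ID: pure table lookup, safe to unit test.
lookup_user() {
    remote="$1"
    # Accept only a plain identity (eppn or a CILogon subject URL); anything
    # with whitespace or shell metacharacters is rejected before it is used.
    case "$remote" in
        ''|*[!A-Za-z0-9@._+:/-]*) return 1 ;;
    esac
    # Whole-field comparison, so user@osu.edu can never match
    # user@osu.edu.example by prefix; print only the mapped Linux user.
    mapped=$(awk -v id="$remote" '$1 == id { print $2; exit }' "$MAP_FILE")
    [ -n "$mapped" ] || return 1
    printf '%s\n' "$mapped"
}

# map_user ID: what OOD actually calls; additionally insists that the
# mapped name is a real local account, so a stale table entry fails closed.
map_user() {
    mapped=$(lookup_user "$1") || return 1
    getent passwd "$mapped" >/dev/null 2>&1 || return 1
    printf '%s\n' "$mapped"
}

if [ $# -gt 0 ]; then
    map_user "$1"
fi
```

A missing or malformed entry makes the script exit non-zero, which ends the login rather than silently granting a shell as whatever name came back from the IdP.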
@jeff.ohrstrom That seems accurate. I’ll provide more details regarding how Keycloak works and how we use it. The way OSC handles CILogon is using Keycloak. So we set up CILogon as an Identity Provider inside Keycloak and use a custom theme so that when a user goes to OnDemand they can choose to log in with local LDAP via Keycloak or can choose to log in with CILogon via the Keycloak Identity Provider.
The CILogon in Keycloak is how we handle mapping to local users. When a user clicks “Login with CILogon” they get redirected to CILogon, where they choose an institution like OSU and then log in through that institution. Once they log in through the CILogon institution they get redirected back to Keycloak. If this is not the first time logging in through CILogon, then Keycloak matches the CILogon-returned ID to the local record matching LDAP and redirects to OnDemand, telling OnDemand who that user is locally. If this is the CILogon user’s first local login, then the user is redirected to a login form for local LDAP so Keycloak can save the CILogon → LDAP mapping for future logins.
The main limitation with Keycloak and CILogon is you can only map one LDAP user to one CILogon endpoint. So I can’t log into Keycloak via CILogon with OSU and then choose to log in with, like, Google. To change the CILogon provider the user must first delete their original mapping and then log in with the new provider to generate a new mapping. This is all handled via the Keycloak web UI for account management, which the user can do themselves.