Posted to dev@airavata.apache.org by Josh Seamans <jo...@huskers.unl.edu> on 2021/02/13 22:22:35 UTC

Django - CI Logon setup

Hello, I am with the UNL Capstone project and I have been looking into how CI Logon is set up on the Django Airavata gateway found here: Home (airavata.org)<https://testdrive.airavata.org/>

I was wondering if there were any instructions that were found to set that up?


Re: Django - CI Logon setup

Posted by "Christie, Marcus Aaron" <ma...@iu.edu>.
Hi Josh,

Here are the notes I have on adding CILogon as an Identity Provider in Keycloak:

	• Log into the Keycloak and select the realm
	• Create OIDC Identity Provider in Keycloak
	• set the alias to something meaningful, like cilogon
		• This alias will be used as the value of the kc_idp_hint query parameter to link directly to CILogon
	• go to https://cilogon.org/oauth2/register
		• the callback url to use is listed in Keycloak as the Redirect URI (for example: https://iam.scigap.org/auth/realms/seagrid/broker/cilogon/endpoint)
		• home URL is the URL of the website (for example: https://seagrid.org)
		• check all of the Scopes
	• After submitting the registration you will get a page with a client id and secret. Enter these into the Keycloak page
		• Also copy them to a secure location since you can't retrieve them later
	• First login flow: first broker login
	• Enable Trust Email
	• Authorization URL: https://cilogon.org/authorize 
	• Token URL: https://cilogon.org/oauth2/token
	• Userinfo URL: https://cilogon.org/oauth2/userinfo 
	• no logout URL
	• Default scopes: openid email profile org.cilogon.userinfo
	• Add the following attribute mappers
		• family_name
			• name: family_name
			• Mapper Type: Attribute Importer
			• claim: family_name
			• User Attribute Name: lastName
		• given_name
			• name: given_name
			• Mapper Type: Attribute Importer
			• claim: given_name
			• User Attribute Name: firstName
		• Claim mapping documentation: http://www.keycloak.org/docs/2.5/server_admin/topics/identity-broker/mappers.html

I'll point out though that long term we're moving away from manually creating the CILogon client to automation provided by Airavata Custos [1] which automatically registers a CILogon client for tenants.

[1] https://airavata.apache.org/custos/


> On Feb 13, 2021, at 5:22 PM, Josh Seamans <jo...@huskers.unl.edu> wrote:
> 
> Hello, I am with the UNL Capstone project and I have been looking into how CI Logon is set up on the Django Airavata gateway found here: Home (airavata.org) <https://testdrive.airavata.org/>
>  
> I was wondering if there were any instructions that were found to set that up?
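
The settings in the notes above, written as the JSON bodies Keycloak's Admin REST API takes for an identity provider and its mappers, with a check that can be run before applying them. This is an added example, not part of the original thread or Airavata's code. The environment variable names and the gateway client id passed to `login_url` are hypothetical; the client secret is read from the environment so it never sits in the file.

```python
import json, os
from urllib.parse import urlencode, urlparse

ALIAS = "cilogon"  # alias from the notes; also the kc_idp_hint value

def idp_representation(client_id, client_secret):
    # Identity provider body with the endpoints, scopes and flow from the notes.
    return {"alias": ALIAS, "providerId": "oidc", "enabled": True,
            "trustEmail": True, "firstBrokerLoginFlowAlias": "first broker login",
            "config": {
                "authorizationUrl": "https://cilogon.org/authorize",
                "tokenUrl": "https://cilogon.org/oauth2/token",
                "userInfoUrl": "https://cilogon.org/oauth2/userinfo",
                "defaultScope": "openid email profile org.cilogon.userinfo",
                "clientId": client_id, "clientSecret": client_secret}}

def attribute_mappers():
    # "Attribute Importer" mappers: CILogon claim -> Keycloak user attribute.
    pairs = [("family_name", "lastName"), ("given_name", "firstName")]
    return [{"name": claim, "identityProviderAlias": ALIAS,
             "identityProviderMapper": "oidc-user-attribute-idp-mapper",
             "config": {"claim": claim, "user.attribute": attr}}
            for claim, attr in pairs]

def broker_redirect_uri(base, realm):
    # The callback URL to register at CILogon (Keycloak's "Redirect URI").
    return f"{base}/realms/{realm}/broker/{ALIAS}/endpoint"

def login_url(base, realm, client_id, redirect_uri):
    # Keycloak login link that goes straight to CILogon via kc_idp_hint.
    q = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                   "response_type": "code", "scope": "openid",
                   "kc_idp_hint": ALIAS})
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{q}"

def check(rep):
    # Return a list of problems; an empty list means the body matches the notes.
    problems, cfg = [], rep["config"]
    for key in ("authorizationUrl", "tokenUrl", "userInfoUrl"):
        u = urlparse(cfg.get(key, ""))
        if u.scheme != "https" or u.hostname != "cilogon.org":
            problems.append(f"{key} is not an https://cilogon.org endpoint")
    if "openid" not in cfg.get("defaultScope", "").split():
        problems.append("defaultScope lacks openid")
    if not cfg.get("clientId") or not cfg.get("clientSecret"):
        problems.append("client id or secret missing")
    return problems

if __name__ == "__main__":
    rep = idp_representation(os.environ.get("CILOGON_CLIENT_ID", ""),
                             os.environ.get("CILOGON_CLIENT_SECRET", ""))
    print(json.dumps({"problems": check(rep), "mappers": attribute_mappers()}, indent=2))
```
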