Setup authentication and authorization for IDAC Brazil

Hello everyone,

After reviewing the provided documentation and understanding the involved technologies and standards, I’d like to request the setup of our IDAC in the Rubin authentication system.

Currently, we have several services in our environment integrated via Satosa proxy, which interacts with the authentication services of the Brazilian Federated Academic Community (CAFe) and CILogon. In this context, I’d like to register our Satosa instances (homolog and production) as an OpenID Connect Client in the Rubin authentication system.

One point that I’d like to clarify is the OIDC discovery configuration. The Satosa OpenID Connect Client implementation supports configuration discovery via the /.well-known/openid-configuration endpoint. Do you have a corresponding URL?

Satosa homolog

Satosa production

Thank you for the support.


Hi Carlos, thanks for posting the question. This is just to acknowledge the question, and that the SQuaRE team are looking at it.

Hi Carlos, I see you have an account on the lsstc slack workspace, @rra will send you the credentials you need there.

I have staged this client configuration for data.lsst.cloud and will deploy it this Thursday during our normal patch window from 15:00 to 17:00 Pacific Daylight Time. I sent Carlos the client_id and client_password information for both clients via Slack and a one-time link.

This is the first client for the data.lsst.cloud Science Platform, so currently none of the OpenID Connect server URLs will work. They will be enabled on Thursday.

Once that is done, use https://data.lsst.cloud/.well-known/openid-configuration for configuration discovery. Hopefully that will work. Let us know if you run into problems; at present, this is a very limited OpenID Connect implementation and only supports a narrow subset of the full standard.


Thank you @rra @knutago @frossie for the support.

We’re going to configure and start testing on our side. I’ll keep you posted on the progress.


Hello everyone,

We successfully configured our Satosa proxy (homolog environment) with the information provided. After completing the configuration, we were able to authenticate a user registered in the Rubin authentication system and retrieve the corresponding data rights information. This confirms that the integration is working as expected.

However, during the process, we identified an issue with the Satosa OIDC backend plugin. Specifically, the plugin does not correctly handle the token endpoint authentication method supported by the OpenID Connect Provider’s configuration, which is downloaded from https://data.lsst.cloud/.well-known/openid-configuration.

We have created an issue for this in the Satosa repository, which you can find here: https://github.com/IdentityPython/SATOSA/issues/476

I’ll keep you posted on the progress.

Thank you for the support.

We have added support for client_secret_basic in Gafaelfawr 12.1.0, so hopefully Satosa should now work without further changes, at least for the token retrieval protocol.

Hello Russ,

Thank you for that.

We also identified a new double slash in some attributes at https://data.lsst.cloud/.well-known/openid-configuration that is impacting the request routing and causing authentication errors, e.g.: “authorization_endpoint”: “https://data.lsst.cloud//auth/openid/login”.

When accessed directly in a browser, it results in a failure to reach the endpoint.

Thanks for the bug report! I tracked down the problem and am testing the fix now. The fixed version should go into production on Thursday (November 21st) during our maintenance window.


The doubled slash should now be fixed. Thanks again for the report.
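The two integration problems raised in this thread (a token endpoint authentication method the client cannot use, and doubled slashes in the discovery document's endpoint URLs) are both visible in the provider's /.well-known/openid-configuration response before any login is attempted. The following is an added example, not code from this thread, from Satosa or from Gafaelfawr: a small pre-flight check that parses a discovery document, flags endpoint URLs with "//" in their path, confirms that the auth method the client is configured for is advertised, and builds the RFC 6749 client_secret_basic Authorization header so the token request can be compared against what the provider expects. The issuer idp.example.org, the sample document and the client credentials are constructed for the example.

```python
import json
from base64 import b64encode
from urllib.parse import quote, urlsplit

# Constructed sample discovery document (NOT the real data.lsst.cloud response).
# It reproduces the two defects discussed in the thread: a doubled slash in the
# endpoint paths, and a token endpoint that does not advertise client_secret_basic.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org//auth/openid/login",
    "token_endpoint": "https://idp.example.org//auth/openid/token",
    "userinfo_endpoint": "https://idp.example.org//auth/openid/userinfo",
    "jwks_uri": "https://idp.example.org/.well-known/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
})


def parse_discovery(text: str) -> dict:
    """Parse a discovery document and require the fields every OIDC client needs."""
    doc = json.loads(text)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document is missing required field {key!r}")
    return doc


def doubled_slash_endpoints(doc: dict) -> list:
    """Return the names of endpoint fields whose URL *path* contains '//'.

    urlsplit() separates the scheme's '//' from the path, so only a doubled
    slash after the host (the defect reported in the thread) is reported.
    """
    bad = []
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        if "//" in urlsplit(value).path:
            bad.append(key)
    return bad


def supported_token_auth(doc: dict, wanted: str) -> bool:
    """True if the provider advertises the token endpoint auth method the client uses.

    OIDC Discovery says that when the field is absent, client_secret_basic is
    the default, so an absent field counts as supporting that one method.
    """
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return wanted in methods


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header for client_secret_basic (RFC 6749 section 2.3.1):
    form-urlencode id and secret, join with ':', base64-encode, prefix 'Basic '."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + b64encode(creds.encode("ascii")).decode("ascii")


def audit(text: str, wanted_auth: str = "client_secret_basic") -> dict:
    """Run both checks against a discovery document and report the findings."""
    doc = parse_discovery(text)
    return {
        "doubled_slash": doubled_slash_endpoints(doc),
        "auth_method_ok": supported_token_auth(doc, wanted_auth),
    }


if __name__ == "__main__":
    # Constructed credentials; a real client_id/secret comes from the provider.
    print(audit(SAMPLE_DISCOVERY))
    print(client_secret_basic_header("my-client", "s3cr3t"))
```

Running audit() on the real discovery document (fetched with any HTTP client) before deploying a Satosa backend gives a quick yes/no on whether the provider's advertised token endpoint auth methods match the client configuration and whether the endpoint URLs will route correctly; an empty doubled_slash list and auth_method_ok set to True is the state the thread reached after Gafaelfawr 12.1.0 and the slash fix.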