vokac

Results 47 comments of vokac

Is there a use case where dynamic anonymous registration is useful on the production IAM instances? Applications that register new clients should first log in. It seems to me a bit weird...

> > Is there a use case where dynamic anonymous registration is useful on the production IAM instances?

All oidc-agent clients are dynamically and anonymously registered (for ATLAS it's...

At least in IAM 1.9.0 the owner is still able to add the `client_credential` grant type even for clients with restricted scopes. With the client credential flow IAM doesn't check scope policies and...

This endpoint `/iam/account/find/bycertsubject` is not available with `scim:read` privileges and currently requires admin privileges. This may be solved by the new `admin:read` scope that comes with 1.8.2, but currently there is...

I can confirm that a secondary CERN account works with WLCG IAM. Maybe the `cern_person_id` claim from the SSO token is used during ATLAS registration to fill the account label with prefix `hr.cern`...

We decided to use CERN secondary accounts for privileged users => SSO should also work for these accounts that don't provide `cern_person_id` in the token. We should discuss how to...

Considering the small number of these cases (< 3%) we decided that these can be [created manually](https://atlassoftwaredocs.web.cern.ch/ASWTutorial/basicSetup/images/IAMLogin.png) by experts. VO administrators can create a new user account using the IAM web interface, the...

As discussed during today's WLCG AuthZ meeting, `cern_person_id` from the CERN SSO token should be used only during registration and ignored while logging in to the IAM account linked to the secondary...

The described configuration would be fine for us: we can just add in our VO documentation that people who want to use a secondary account must contact the VO Admins (we are talking...

Yes, secondary accounts work with our IAM deployment and the suggested configuration.