How to create your Indigo-IAM account

LSST France uses a dedicated instance of Indigo IAM for managing membership of individuals with Rubin data rights who need access to Rubin data stored at CC-IN2P3. That service delivers cryptographically signed credentials with limited lifetime that the storage system will require you to present to grant you access to data.

In this tutorial you will learn how to create your individual Indigo IAM account and the tools to get credentials useful for your day to day work.

Important

⚠️ The information below assumes that you have configured your environment as described in Configuring your working environment.

Step 1: create your Indigo-IAM account

LSST France’s Indigo IAM instance is hosted at CC-IN2P3 and is accessible at

https://lsst.iam.in2p3.fr

You must create your individual account in this service; this is a one-time process.

The landing page of the Indigo-IAM instance is shown in the image below, where the button to start the process is highlighted with a red box.

We recommend initiating the account creation process by clicking on the CC-IN2P3 SSO button, as this will automatically establish a connection between your Indigo IAM account and your CC-IN2P3 account. This is convenient because you will be able to log in to the Indigo IAM dashboard using your main CC-IN2P3 credentials.

Please fill in the form shown in the image below and press the Register button at the bottom:

You will receive an email message: please follow the instructions provided in that message to validate your email address, the first step in creating your account.

Once your email address is validated, a second step requiring human validation is necessary: this will be performed by the Indigo IAM administrators, who will verify whether you have rights on Rubin data. On approval, you will receive a separate message asking you to set up a password using a specific link. This step is necessary even if you have already linked your account to your CC-IN2P3 account. If your membership request is rejected, you will be notified by email.

At any time you can log in to Indigo IAM to update your personal information and check the status of your credentials via a dashboard. To log in you can use either CC-IN2P3’s single sign-on system (SSO), which is recommended, or the username and password you just set up.

Step 2: register your Indigo IAM client

In order to get ephemeral credentials, you must create an Indigo IAM client associated with your account. This is typically a one-time process but can be repeated if needed.

To create your client, connect to the Login Farm and run:

lsstfr register

The first time you do this, this command will trigger the process of creating your client as shown below:

$ lsstfr register
lsstfr: you must provide a password for encrypting your credentials
lsstfr: you will be asked to provide that password each time a fresh token is required
lsstfr: please enter your password:  ●●●●●●●●●●●●●●●●●●●●●
lsstfr: please enter your password again:  ●●●●●●●●●●●●●●●●●●●●●


Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://lsst.iam.in2p3.fr/device

And enter the code: ABCDEF
Alternatively you can use the following QR code to visit the above listed URL.

To validate your request, please use your preferred browser to visit https://lsst.iam.in2p3.fr/device. You will be instructed to log into Indigo IAM and type the code shown above to validate your registration, as shown in the image below:

../_images/iam-code.png

You will then get directed to the approval page where you authorize Indigo IAM to provide your individual client with the information it requires from your account.

../_images/iam-authorize.png

If your client is correctly set up, details about it are stored encrypted under $HOME/.config/oidc-agent/ and you will get a message like the one shown below:

$ lsstfr register
...

Everything setup correctly!

lsstfr: your registration ended successfully and an access token was retrieved and cached
lsstfr: to inspect the contents of the access token use 'lsstfr token'

Important

⚠️ You will be asked to type in the encryption password you provided above every time you need to authenticate (see Step 3: get an access token below).

Please choose a memorable, strong password and keep it safe.

You only need to create your client once. If you attempt a new registration, you will get instructions on how to proceed, as shown below:

$ lsstfr register
lsstfr: your account "lagrange.lsstfr" already exists, you do not need to register again
lsstfr: use "lsstfr login --help" for help on obtaining an access token
lsstfr: alternatively, use "lsstfr register --help" for help on how to forcefully register again

However, it is possible to register again if needed. Use lsstfr register --help for details.

Hint

The command lsstfr shown above is a convenience wrapper around oidc-agent, a set of tools to manage credentials compliant with the OpenID Connect protocol used by Indigo IAM and understood by dCache, the storage system used at CC-IN2P3 to manage Rubin data. Those tools are already installed on all hosts in the Login Farm and in the Batch Farm.

Type lsstfr --help for help on how to use this command.

Step 3: get an access token

dCache requires you to present credentials in order to grant you access to data. You can retrieve those credentials via the command lsstfr login, as shown below:

$ lsstfr login
lsstfr: your access token stored cached in "${HOME}/.lsst/lsstfr.token" is still valid for 71h25m46s

Those credentials are called access tokens and have a limited lifetime, typically 72 hours. As shown above, if you have credentials which have not yet expired they can be used and you don’t have to do anything else.

If your cached access token is expired, you will be asked to type in the encryption password you provided in Step 2: register your Indigo IAM client:

$ lsstfr login
lsstfr: please enter your credentials encryption password:  ●●●●●●●●●●●●●●●●●●●●●
lsstfr: a fresh access token was obtained and saved in "${HOME}/.lsst/lsstfr.token", it is still valid for 71h59m59s

The access token you just obtained is stored in ${HOME}/.lsst/lsstfr.token and will be used by the Rubin Data Butler to access data.

You can also get a fresh access token valid for the default token lifetime even if your current token is still valid; use lsstfr login --help for details on how to proceed.

Step 4: inspect your access token

At any time, you can inspect the cached access token previously obtained with the command lsstfr login. Use the command lsstfr token, as shown below:

$ lsstfr token
Issuer       : https://lsst.iam.in2p3.fr
WLCG Version : 1.0
Subject      : abcdefgh-1234-5678-a1b2-cd3fg4hi5jK6
Client       : 1234z987-6789-987Y-ac65-78hv5c6w23bp
Audience:    : https://wlcg.cern.ch/jwt/v1/any
Scope        : "entitlements storage.modify:/users address phone openid profile storage.read:/ eduperson_scoped_affiliation eduperson_assurance eduperson_entitlement email storage.modify:/groups"
Issued at    : 2026-04-23 11:00:19 +0200 CEST
Expires      : 2026-04-26 11:00:19 +0200 CEST
Time to live : 71h51m43s 

This command offers other possibilities. Please use lsstfr token --help for details.

If you don’t have a cached token, or the one you have has already expired, use the command lsstfr login to obtain a new one.
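As an added example, not part of lsstfr or oidc-agent, the following Python helper performs locally the check that Step 3 and Step 4 rely on: it reads the claims of a WLCG-profile access token like the one cached in ${HOME}/.lsst/lsstfr.token, verifies that the issuer is the LSST France IAM instance, that the storage.read:/ scope is present, and how much lifetime remains, without verifying the signature (dCache does that). The names decode_claims, token_status and make_sample_token are assumed, and the sample token is constructed so the code runs offline.

```python
import base64
import json
import time

# Added helper, not part of lsstfr or oidc-agent: read the claims of a WLCG-profile
# access token such as the one cached in ${HOME}/.lsst/lsstfr.token. The signature is
# NOT verified here (dCache does that); this is local inspection only, like 'lsstfr token'.
EXPECTED_ISSUER = "https://lsst.iam.in2p3.fr"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token, now=None, issuer=EXPECTED_ISSUER):
    """Summarise issuer check, scopes and remaining lifetime, as 'lsstfr token' does."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    scopes = claims.get("scope", "").split()
    ttl = max(0, int(claims["exp"] - now))       # seconds left before 'exp'
    return {
        "issuer_ok": claims.get("iss") == issuer,   # token really comes from LSST France IAM
        "can_read": "storage.read:/" in scopes,      # needed to read Rubin data in dCache
        "expired": ttl <= 0,                         # if true, run 'lsstfr login' again
        "ttl": "%dh%02dm%02ds" % (ttl // 3600, ttl % 3600 // 60, ttl % 60),
    }


def make_sample_token(iat=1_777_000_000, lifetime=72 * 3600):
    """Constructed sample token for offline use; the signature segment is a dummy."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "at+jwt", "kid": "constructed"}
    payload = {
        "iss": EXPECTED_ISSUER, "sub": "00000000-0000-0000-0000-000000000000",
        "aud": "https://wlcg.cern.ch/jwt/v1/any", "wlcg.ver": "1.0",
        "scope": "openid profile storage.read:/ storage.modify:/users",
        "iat": iat, "exp": iat + lifetime,
    }
    return f"{enc(header)}.{enc(payload)}.{enc({'sig': 'dummy'})}"
```

To inspect your real cached token, pass the contents of ${HOME}/.lsst/lsstfr.token to token_status(); with the 72-hour lifetime of the sample, a token inspected 8m17s after issuance reports the same 71h51m43s time to live shown above.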