How to create your Indigo-IAM account

Access to LSSTCam and calibration data stored on dCache at CC-IN2P3 is reserved only for users who are registered and approved on LSST France Indigo-IAM. To be approved, you must be listed on the official Rubin authorized user list.

This tutorial shows you how to create an account on the LSST France Indigo-IAM instance and how to use this account to obtain a valid token to access data on dCache.

How to set up an Indigo-IAM account

The LSST France Indigo-IAM is hosted at CC-IN2P3 and is accessible at the URL lsst.iam.in2p3.fr.

In this section, we will explain how to create an Indigo-IAM account. This step is mandatory to be allowed to obtain a token for accessing dCache data and only needs to be done once.

The landing page of the Indigo-IAM instance is shown in the next figure, where the button to start the account creation is highlighted with a red box.

We recommend initiating the account creation process by clicking the CC-IN2P3 SSO button, as this will automatically establish a connection between your Indigo-IAM account and your CC-IN2P3 account, enabling you to log in to the Indigo-IAM dashboard using your CC-IN2P3 credentials.

Creating an Indigo-IAM account requires filling out a form with some requested information, as shown in the following image.

When you submit the form, you will receive an email: please follow the instructions provided in the message to validate your email as the first step to activate your account.

Once your email has been validated, a second step requiring human validation is necessary: this will be performed by the Indigo-IAM admins, who will verify whether you are on the list of individuals authorized to access Rubin’s private data.

If your account request has been approved, you will receive a new email asking you to set up a new password using a specific link. This step is necessary even if you have already linked your account to the CC-IN2P3 account.

Even if your account request has been rejected, you will be notified by email.

To access the Indigo-IAM dashboard, where you can update your personal information and check the status of your active tokens and clients, you can use either the CC-IN2P3 SSO login or the username and password you have just created.

How to register an Indigo-IAM client

Getting a token to access Rubin’s data requires two steps: registering a client in the Indigo-IAM instance and then using that client to request the token.

To create a valid client, you need to use the oidc-agent tools.

In this section, we explain how to activate the agent (see the Activate the oidc-agent on CC-IN2P3 Login Farm section) and how to register a client on Indigo-IAM (see the How to register an Indigo-IAM client section).

Activate the oidc-agent on CC-IN2P3 Login Farm

The execution of oidc-agent is mandatory to set up the correct environment for all the oidc commands.

The oidc-agent is installed on all the hosts in the CC-IN2P3 Login Farm under /usr/bin. Log in to one of these machines via ssh:

$ ssh <your-ccin2p3-account>@cca.in2p3.fr

Once connected to a host, you can activate the oidc-agent as follows:

$ eval $(oidc-agent)

If the agent starts correctly, you will receive an Agent pid <number> message.

Warning

In some cases an error can occur with the following message: Error: socket path location is not trustworthy. In this case, you can relaunch oidc-agent and specify a path where to store the socket via the -a option, e.g. eval $(oidc-agent -a $HOME/.oidc-agent/oidc-agent.sock).

How to register an Indigo-IAM client

An Indigo-IAM client is a client that communicates with an Indigo-IAM instance to deliver tokens to users. In this section, we describe how to register a client in Indigo-IAM. This procedure needs to be performed only once.

To create a client linked to the Indigo-IAM instance, you need to use oidc-gen as shown in the example below.

$ oidc-gen --flow device --scope-max --issuer https://lsst.iam.in2p3.fr/ lsstfr
Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://lsst.iam.in2p3.fr/device

And enter the code: ABCDE

To validate your request, visit the URL https://lsst.iam.in2p3.fr/device with your preferred browser, log in to your Indigo-IAM account, and enter the code shown in the terminal prompt.


This step will redirect you to the authorization page, where you need to grant the client access to the information it requests.


Once authorized, return to the terminal where you started the client registration and create an encryption password for the generated client:

Enter encryption password for account configuration 'lsstfr':
Confirm encryption password:
Everything setup correctly!

It is important to keep this password carefully, as it will be required every time the client needs to request a new token.

How to obtain and use a token

Once your lsstfr client is registered on the Indigo-IAM instance (see the How to register an Indigo-IAM client section), you can obtain a token by running oidc-token lsstfr.

If the oidc-agent is not running, you need to activate it as explained in the Activate the oidc-agent on CC-IN2P3 Login Farm section.

To use the Indigo-IAM generated token, you need to start by loading it. The easiest solution is to load it as an environment variable, as shown in the following example:

$ oidc-add lsstfr
$ export BEARER_TOKEN=$(oidc-token lsstfr)

BEARER_TOKEN is the variable name that dCache clients such as gfal read automatically, so the token does not have to be passed explicitly to the dCache-related commands.

$ gfal-ls https://ccdavrubinint.in2p3.fr:2880/pnfs/in2p3.fr/lsst/users/
  ageorget
  fabio
  leboulch

The token lifetime is set by default to 72 hours. To refresh a token, you can run:

# Use the '--force-new' option to force oidc-agent to obtain a new access token.
# This returns an access token that is valid for as long as possible
# and replaces the cached access token.
$ oidc-token lsstfr [--force-new]
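The steps above (oidc-add, oidc-token, export BEARER_TOKEN, refresh with --force-new) combined into a small POSIX shell helper, as an added example that is not part of the tutorial or of oidc-agent itself. It assumes the access token issued by Indigo-IAM is a JWT, that oidc-agent is already running, and it constructs its own unsigned sample token so the decoding can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check the access token that oidc-token
# returns before exporting it as BEARER_TOKEN, and request a new one (--force-new)
# when little lifetime is left. Assumes Indigo-IAM's access tokens are JWTs and
# that oidc-agent is already running (eval $(oidc-agent)).

# Decode the base64url payload (second dot-separated field) of a JWT.
jwt_payload() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in   # base64url drops '=' padding: restore it
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d 2>/dev/null
}

# Print a numeric claim ("exp", "iat", ...) of the token, or nothing if absent.
jwt_claim_num() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":[ ]*\([0-9][0-9]*\).*/\1/p"
}

# Seconds until expiry, measured from $2 (default: now); fails without "exp".
jwt_seconds_left() {
    now=${2:-$(date +%s)}
    exp=$(jwt_claim_num "$1" exp)
    [ -n "$exp" ] || return 1
    echo $(( exp - now ))
}

# Load the account and export BEARER_TOKEN, the variable gfal picks up.
# A fresh token is requested when fewer than $2 seconds remain (default 1 h).
load_bearer_token() {
    account=${1:-lsstfr}
    min_left=${2:-3600}
    oidc-add "$account"
    token=$(oidc-token "$account")
    left=$(jwt_seconds_left "$token") || left=0   # unreadable token: refresh
    if [ "$left" -lt "$min_left" ]; then
        token=$(oidc-token "$account" --force-new)
    fi
    export BEARER_TOKEN="$token"
}

# Constructed, unsigned sample token expiring at $1, for offline testing only.
sample_token() {
    header='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9'   # {"alg":"RS256","typ":"JWT"}
    body=$(printf '{"iss":"https://lsst.iam.in2p3.fr/","exp":%s}' "$1" \
        | base64 | tr -d '=\n' | tr '+/' '-_')
    printf '%s.%s.constructed-signature' "$header" "$body"
}
```

Source the file and call load_bearer_token lsstfr in an interactive session; jwt_seconds_left "$BEARER_TOKEN" then shows how much of the 72-hour lifetime remains.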

You can display the user information associated with the token via curl:

$ curl -s -H "$(oidc-token --auth lsstfr)" https://lsst.iam.in2p3.fr//userinfo | jq
{
"sub": "3b63d75d-b6c2-4609-982b-ea5b1ce8cffe",
"email_verified": true,
"updated_at": 1749567064,
"scope": [
  "entitlements",
  "address",
  "openid",
  "profile",
  "storage.read:/",
  "eduperson_entitlement",
  "storage.modify:/groups",
  "storage.modify:/users",
  "phone",
  "offline_access",
  "eduperson_scoped_affiliation",
  "eduperson_assurance",
  "email"
],
"name": "Firstname Lastname",
"preferred_username": "userid",
"given_name": "Firstname",
"family_name": "Lastname",
"email": "yourmail@yourprovider"
}

A list of useful commands for managing your tokens is available in the oidc-agent documentation.

Troubleshooting

In some rare cases, when you add the token via oidc-add lsstfr and enter the password, the authentication process hangs. In this case, you can revalidate your token using:

oidc-gen lsstfr --reauthenticate -w device