
Register the admin VO

The admin VO is the one that rules them all. It is not meant to be connected to the grid services, so it can be offline and DiracX-specific. We currently support Indigo IAM and dex, but you can also use your institute's SSO platform (e.g. CERN SSO).

Prerequisites

  • You have access to your DiracX instance URL.

1. Generate an OIDC client

  1. Log in to your VO’s IdP instance (e.g. Indigo IAM).
  2. Create a new OIDC client with:
       • Client secret: none
       • Redirect URIs:
           https://<your-diracx-url>/api/auth/authorize/complete
       • Grant type: authorization_code
       • Scope: at minimum openid, profile and email

2. Configure DiracX

  1. In your DIRAC CS, add under DiracX > CsSync > VOs > <VO> > IdP:
DiracX
{
  CsSync
  {
    VOs
    {
      diracx_admin
      {
        IdP
        {
          ClientID = "<OIDC-client-ID>"
          URL = "https://<your-idp-instance>/"
        }
      }
    }
  }
}
  2. Add an admin group to the Registry:
Registry
{
  Groups
  {
    diracx_admin
    {
      Users = <username from dirac>
      VO = diracx_admin
      Properties = Operator
      Properties += FullDelegation
      Properties += ProxyManagement
      Properties += ServiceAdministrator
      Properties += JobAdministrator
      Properties += CSAdministrator
      Properties += AlarmsManagement
      Properties += FileCatalogManagement
      Properties += SiteManager
    }
  }
}
  3. To add specific users, list their subject-IDs under UserSubjects:
DiracX
{
  CsSync
  {
    VOs
    {
      diracx_admin
      {
        UserSubjects
        {
          <username from dirac> = <user id from the IdP instance>
          ...
        }
        DefaultGroup = diracx_admin
      }
    }
  }
}

After saving, you should sync the configuration with DiracX. See Convert CS for next steps.
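
Before syncing, the three fragments above can be cross-checked against each other with a short script. This is an added example, not part of DiracX or DIRAC: `parse_cfg` and `check_admin_vo` are hypothetical helpers and the sample values are constructed. It assumes that every user listed in a Registry group of the admin VO needs a `UserSubjects` entry and that `DefaultGroup` must name a Registry group of the same VO.

```python
import re

def parse_cfg(text):
    """Hypothetical minimal reader for the CS layout: nested sections, '=' and '+='."""
    stack, name = [{}], None
    for line in map(str.strip, re.sub(r"([{}])", r"\n\1\n", text).splitlines()):
        if line == "{":
            stack.append(stack[-1].setdefault(name, {}))  # repeated sections merge
        elif line == "}":
            stack.pop()
        elif m := re.match(r"([^\s=+]+)\s*(\+?=)\s*(.*)", line):
            key, op, val = m[1], m[2], m[3].strip('" ')
            old = stack[-1].get(key)
            stack[-1][key] = f"{old}, {val}" if op == "+=" and old else val
        elif line:
            name = line  # a bare word is the name of the section that follows
    return stack[0]

def check_admin_vo(cfg, vo="diracx_admin"):
    """Assumes each user of a group in this VO needs a UserSubjects mapping."""
    vo_cfg = cfg.get("DiracX", {}).get("CsSync", {}).get("VOs", {}).get(vo, {})
    groups = cfg.get("Registry", {}).get("Groups", {})
    idp, subjects = vo_cfg.get("IdP", {}), vo_cfg.get("UserSubjects", {})
    problems = [f"IdP/{k} is not set" for k in ("ClientID", "URL") if not idp.get(k)]
    if groups.get(default := vo_cfg.get("DefaultGroup"), {}).get("VO") != vo:
        problems.append(f"DefaultGroup {default!r} is not a Registry group of {vo}")
    for gname, grp in groups.items():
        users = [u.strip() for u in grp.get("Users", "").split(",") if u.strip()]
        for user in users if grp.get("VO") == vo else []:
            if user not in subjects:
                problems.append(f"{gname}: {user} has no UserSubjects entry")
    return problems

# Constructed sample; braces share lines only to keep it short.
SAMPLE = """
DiracX { CsSync { VOs { diracx_admin {
  IdP { ClientID = "constructed-client-id"
        URL = "https://idp.example.org/" }
  UserSubjects { alice = constructed-subject-id }
  DefaultGroup = diracx_admin
} } } }
Registry { Groups { diracx_admin {
  Users = alice, bob
  VO = diracx_admin
} } }
"""

if __name__ == "__main__":
    print(check_admin_vo(parse_cfg(SAMPLE)))
```

The reader also accepts the one-brace-per-line layout used on this page, but it does not handle values that contain `{` or `}`.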