Application Credentials with federated users
Hi All,

Is it possible for a user logging in via an OIDC provider to generate application credentials?

When I try it I get an error about there being no role for the user in the project.

We map the users to groups based on assertions in their tokens.

It looks like it would work if we mapped users individually to local users in keystone and then gave those roles. I would prefer to avoid using per-user mappings for this if possible as it would be a lot of extra work for my team.

Regards

Alexander Dibbo - Cloud Architect / Cloud Operations Group Leader

For STFC Cloud Documentation visit https://stfc-cloud-docs.readthedocs.io
To raise a support ticket with the cloud team please email cloud-support@gridpp.rl.ac.uk
To receive notifications about the service please subscribe to our mailing list at: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=STFC-CLOUD
To receive fast notifications or to discuss usage of the cloud please join our Slack: https://stfc-cloud.slack.com/

This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses. Opinions, conclusions or other information in this message and attachments that are not related directly to UKRI business are solely those of the author and do not represent the views of UKRI.
Hi Alex,

In my experience it worked fine, with a major limitation about groups. This, merged in Ussuri, should have fixed the group issues: https://bugs.launchpad.net/keystone/+bug/1809116

I had planned on testing that by now, but that work hasn't been started/agreed yet.

My current workaround for not having groups is for the federation mapping to add users directly into projects: https://github.com/RSE-Cambridge/cumulus-config

I planned to map from an OIDC group attribute into a specific concrete project, but the above puts everyone in a holding project and does static role assignments, due to issues with group management in the OIDC provider.

As an aside, this is the way we were configuring keystone, in case that is important to making things work:
https://github.com/RSE-Cambridge/cumulus-kayobe-config/tree/train-preprod/et...
https://github.com/RSE-Cambridge/cumulus-kayobe-config/blob/0dc43a0f5c7b76f6...

Horizon and the CLI tools in Train didn't really agree, I think the auth URL is now missing "/v3", but I believe that is fixed in the latest keystoneauth client: https://bugs.launchpad.net/keystoneauth/+bug/1876317

Hopefully that helps?

Thanks,
John

On Tue, 8 Sep 2020 at 16:33, Alexander Dibbo - UKRI STFC <alexander.dibbo@stfc.ac.uk> wrote:
Hi All,
Is it possible for a user logging in via an oidc provider to generate application credentials?
When I try it I get an error about there being no role for the user in the project.
We map the users to groups based on assertions in their tokens.
It looks like it would work if we mapped users individually to local users in keystone and then gave those roles. I would prefer to avoid using per user mappings for this if possible as it would be a lot of extra work for my team.
Regards
Alexander Dibbo – Cloud Architect / Cloud Operations Group Leader
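As an added example (not John's repository's or keystone's own code): a mapping rule of the shape John describes, giving federated users a direct project role instead of relying on group membership, plus a small evaluator that mimics how keystone resolves such a rule so you can check which project roles a given set of OIDC claims would yield before deploying it. The project name "holding", the role "member", the group value "cloud-users" and the claim names are constructed, and the local "projects" entry assumes a keystone release whose mapping schema accepts it.

```python
# Constructed Keystone mapping: OIDC users in the "cloud-users" group become
# ephemeral users with a direct "member" role on the "holding" project,
# instead of depending on group membership for their roles.
MAPPING_RULES = [{
    "local": [{
        "user": {"name": "{0}", "email": "{1}", "type": "ephemeral"},
        "projects": [{"name": "holding", "roles": [{"name": "member"}]}],
    }],
    "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-email"},
        {"type": "OIDC-groups", "any_one_of": ["cloud-users"]},
    ],
}]

def _substitute(value, direct):
    """Fill {0}, {1}, ... placeholders with the positional remote values."""
    if isinstance(value, str):
        return value.format(*direct)
    if isinstance(value, dict):
        return {k: _substitute(v, direct) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, direct) for v in value]
    return value

def evaluate(rules, assertion):
    """Return the local entries of the first rule the assertion satisfies.
    Plain remote entries supply positional values; any_one_of entries only
    filter (multi-valued claims are ';'-separated, as keystone splits them).
    None means no rule matched and the login would be rejected."""
    for rule in rules:
        direct = []
        for remote in rule["remote"]:
            value = assertion.get(remote["type"])
            if value is None:
                break
            if "any_one_of" in remote:
                if not set(value.split(";")) & set(remote["any_one_of"]):
                    break
            else:
                direct.append(value)
        else:  # every remote entry matched
            return _substitute(rule["local"], direct)
    return None

def project_roles(local_entries):
    """(project, role) pairs assigned directly, which is what an
    application credential needs to be created in that project."""
    return sorted((p["name"], r["name"]) for e in local_entries
                  for p in e.get("projects", []) for r in p["roles"])
```

A user whose claims pass the filter ends up with a direct "member" role on "holding", so an application credential scoped to that project has a role to inherit; a user without the group claim gets no local entry at all.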
participants (2)
- Alexander Dibbo - UKRI STFC
- John Garbutt