Local authentication

IAM has the ability to limit or disable authentication with local IAM credentials, so that external, brokered authentication is required.

It’s possible to hide the local login form from the IAM login page and also to control for which users local authentication is enabled (all users, VO administrators, no users).

iam:
  local-authn:
    # possible values for enabled-for: all, vo-admins, none
    enabled-for: vo-admins 
    # possible values: hidden, hidden-with-link, visible
    login-page-visibility: hidden

In alternative, one can configure the local authentication settings using environment variables as described in the Configuration section.

When the local authentication (username/password) fields are hidden on the login page, it is possible to display them by adding the query string ?sll=y to the login page URL. It may be useful, for example, to access the admin account if only username/password authentication has been configured for it and if enable-for has been set to vo-admins.

Note that hiding local authentication on the login page without restricting the category of users able to use it doesn’t really provide additional security.

Last modified July 22, 2022: Add option for local authentication (f11a0e6)