To accommodate Globus transfers, users can authorize Pegasus via "pegasus-globus-online-init" to execute transfers between Globus endpoints/collections.

However, new requirements have been introduced to some sites for authentication while using the Globus transfer service, and the tokens acquired by "pegasus-globus-online-init" do not meet all the requirements.

An example is OLCF where they require users to "sign" the token against their domain identity. If the token hasn't been linked with the required domain identity then transfers fail with the following error. 

"None of your identities are from domains allowed by resource policies"

Some more background on this can be find on Globus Docs:

• https://docs.globus.org/globus-connect-server/v5.4/domain-guide/#custom_domains_new_in_v_5_4_13
• https://docs.globus.org/globus-connect-server/v5.4/troubleshooting-guide/#collection_access_issues