WLCG AuthZ Call

Europe/Zurich
Description

Proposed agenda: 

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>

Attendees: Hannah, Andrea, Andrei, Andrei, DaveD, DaveK, Enrico, Federica, Irwin, Jeny, Jim, Dave, Brian, DaveC, Mine, Maarten, Linda, Marcelo, Paul, Mischa, Tom

Notes:

  • VOMS Migration
    • No concept of username in VOMS but there is in IAM. We need a different approach
      • Could concat several attributes
      • Could have local accounts too
      • Is username same as sub in the token? No, they are decoupled
      • User accounts are tied to an HR record
      • IAM relies on SSO identifier (cern_upn e.g. hshort), the PersonId is used to check against the HR DB
      • The username is largely hidden from the user, since they log in through CERN SSO. Usernames are private to an individual
      • Using surnames may prove complicated: name changes must be handled, and surnames can be very long
      • Preference to use short, unique username (e.g. hshort or 127869234 personID)
      • Nicknames were the way that community could set up a username syntax, would be good for VOs to be allowed to choose
    • IAM requires unique email addresses, accounts are merged pending a manual review
      • Several people have several accounts with the same email
      • Better to NOT automatically merge in case of email recycling
    • For VOs that already have Nickname = UPN in VOMS, this can be an easy migration process
    • We already have a small number of users who are signed up - will that be an issue?
  • Capability Sets
    • Should state explicitly that the server can reject the request
    • Return the union of all scopes
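An added example (not the meeting's or IAM's own code) of the semantics noted above: scopes from several capability sets are accumulated as a union rather than the last set overwriting the earlier ones, and the server rejects the request when a required role is not assigned. The capability-set data model, role strings and scope names are constructed for illustration.

```python
# Added example, not from the meeting notes or any WLCG/IAM code: a toy model of
# capability-set resolution. Data model, role strings and scope names are assumed.
from typing import Dict, FrozenSet, List, Set, Tuple


class CapabilityError(Exception):
    """Raised when the server must reject the token request."""


# Constructed sample: capability set name -> (role that grants it, scopes it carries).
CAPABILITY_SETS: Dict[str, Tuple[str, Set[str]]] = {
    "storage-read":  ("/wlcg/Role=reader", {"storage.read:/"}),
    "storage-write": ("/wlcg/Role=writer", {"storage.read:/", "storage.modify:/"}),
    "compute":       ("/wlcg/Role=pilot",  {"compute.read", "compute.modify"}),
}


def resolve_scopes(user_roles: Set[str], requested_sets: List[str]) -> FrozenSet[str]:
    """Return the union of the scopes of all requested capability sets.

    Union rather than overwrite: requesting ["storage-read", "compute"] yields
    the scopes of both sets, not only those of the last one. The whole request
    is rejected if any requested set is unknown or requires a role the user
    does not hold; no partial result is returned in that case.
    """
    granted: Set[str] = set()
    for name in requested_sets:
        if name not in CAPABILITY_SETS:
            raise CapabilityError(f"unknown capability set: {name}")
        required_role, scopes = CAPABILITY_SETS[name]
        if required_role not in user_roles:
            raise CapabilityError(f"role {required_role} not assigned, needed for {name}")
        granted |= scopes  # accumulate; never replace what earlier sets granted
    return frozenset(granted)
```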

Actions

  • Andrea and Hannah to finalise which attributes should be used for migration between VOMS and IAM based on CERN SSO attribute (couple of weeks)
  • DaveD modify capability set to require Union rather than overwrite of scopes
  • DaveD to add that the server should return an error if someone doesn't have the role assigned, and include the capability set in the result/group (not sure I captured this correctly)
  • Andrea complete text for vCHEP Submission
    • 15:00 - 15:20 VOMS Import Script (20m)
      Speaker: Andrea Ceccanti (Universita e INFN, Bologna (IT))