Attendees: Hannah, Andrea, Andrei, Andrei, DaveD, DaveK, Enrico, Federica, Irwin, Jeny, Jim, Dave, Brian, DaveC, Mine, Maarten, Linda, Marcelo, ,Paul, Mischa, Tom

Notes:

• VOMS Migration
  • No concept of username in VOMS but there is in IAM. We need a different approach
    • Could concat several attributes
    • Could have local accounts too
    • Is username same as sub in the token? No, they are decoupled
    • User accounts are tied to an HR record
    • IAM relies on SSO identifier (cern_upn e.g. hshort), the PersonId is used to check against the HR DB
    • Username is largely hidden to user since they log in through CERN SSO. They are private to an individual
    • Using surnames may prove complicated, need to handle name change plus they can be very long
    • Preference to use short, unique username (e.g. hshort or 127869234 personID)
    • Nicknames were the way that community could set up a username syntax, would be good for VOs to be allowed to choose
  • IAM requires unique email addresses, accounts are merged pending a manual review
    • Several people have several accounts with the same email
    • Better to NOT automatically merge in case of email recycling
  • For VOs that already have Nickname = UPN instead VOMS this can be an easy migration process
  • We do already have a few number of users that are already signed up - will that be an issue?
• Capability Sets
  • Should add explicitly that server can reject the request
  • Return the union of all scopes

Actions

• Andrea and Hannah to finalise which attributes should be used for migration between VOMS and IAM based on CERN SSO attribute (couple of weeks)
• DaveD modify capability set to require Union rather than overwrite of scopes
• DaveD to add that should return an error if someone doesn’t have the role assigned & Including the capability set in the result/group (not sure I captured this correctly)
• Andrea complete text for vCHEP Submission