WLCG AuthZ Call


PLEASE NOTE: New Meeting Time & Schedule.

Apologies for last week - Tom

Previous Actions:


Proposed agenda: 

  • JDL/Scopes/Groups discussion
  • GDB Update July 13

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • 22nd July
WLCG AuthZ Call
Zoom Meeting ID
Zoom room for WLCG AuthZ Call
Tom Dack
Useful links
Join via phone
Zoom URL

Apologies: Dave K, Maarten

Attending: Petr V, Tom D, Liz SK, Linda C, John SDSJr, Jeny T, Stefano DP, Max F, Jim B, Xin Zhao, Roberta M, Douglas B, Julie M, Hannah S, Dave D, Federica A, Andrei T

GDB Update:

  • Petr: hoping for more concrete details, notably the "wanting to grow" comment
    Hannah: Maarten had said expected but Hannah didn't want to portray as definite due to hiring issues. Support from community should help. Hopeful
  • Petr: Some sort of timeline towards IAM transition from VOMs Admin. Currently makes planning hard.
    Hannah: Maarten wants to restart Token transition timeline, but there are conversations needed to happen. Conversation with Laurence, who is keen to migrate asap - should be driven by experiments rather than us, as they will need to support and move users. Expect CMS and Atlas to push, but will need discussion.
    Petr: Can push, but a fixed timeline would help. Would like to see all experiments move at the same time according to a timeline.
    Hannah: A stage migration would be preferable. CMS likely to go first as they were driving it.
  • Previous timeline document: https://docs.google.com/document/d/11fcZU8fEsfjDiSkjh95nVr4tNXLPCA_xwr2SwriBpiw/edit#
  • Not just the CERN team maintaing - support from CNAF is there
  • Addition of OSG CE token support comment
    Liz: chicken & egg, as CMS didn't go full into transition as they were afraid the service wasn't ready and the service wasn't ready as it needed an experiment user
    Hannah: to clarify, don't need an experiment for justification for more effort. Agree it's unreasonable to expect experiments to use something underfunded
    Liz: has there been a declaration of production?
    Hannah: not really - more organic. There is a support service (best effort) and it is working
    Liz: When could lots of users use in anger reliable? So we can all aim for the same place
    Hannah: Not sure can have that information ready for wednesday
  • Unsure who is delivering - Tom will check after to confirm that Maarten will be delivering.

WLCG IAM on new Version

  • WLCG IAM now on new version
  • IAM dashboard can now be controlled from the main dashboard rather than MitreID - less complicated. People can try the instance and report and issues found.
  • Update to Spring version
  • Petr: a few open tickets from VO Admin training from Andrea in Dec. Petr will try to ping these, as some are important and would like to see fixed in a release soon. Issues shown on IAM GitHub


  • Stefano: confusion around the subject for token issuer.
    Site Admin should be able to verify that https://atlas-auth.web.cern.ch/ is really the token issuer for ATLAS (Trust anchor).
    Not currently an official location with a list of token issuers. Is it possible to have a webpage to lookup which are the issuers defined by any given VO? Something similar is done by OSG - page on GitHub and another page (potential missmatch). Well known source for verifying issuer and issuer subjects.
    For VOMS details we can look in the EGI VO card - https://operations-portal.egi.eu/vo/view/voname/atlas (or rely on packages containing lsc/vomses config files)
  • Potential for Maarten to talk to EGI to understand this - will bring up at next meeting
There are minutes attached to this event. Show them.
The agenda of this meeting is empty