FIM4R 17th Workshop & EUGridPMA/EnCo

13 Feb 2023, 09:30 → 16 Feb 2023, 21:00 Europe/Zurich

40/S2-B01 - Salle Bohr (CERN)

CERN is very pleased to host the 17th FIM4R Workshop (15th - 16th of February), combined with an EUGridPMA/GN5-ENCo Meeting (13th - 14th of February).  

Please register below to participate and to gain access to the site if you plan to join in person. We look forward to seeing you!

Accommodation

• An economic option is the CERN Hostel, which can be booked via this form
• There are many hotels in Geneva and near Geneva Airport, all of which are easily accessible via the Tram 

Directions to CERN

On the CERN website you can find directions to CERN.

Public Transport

Transports Publics Genevois (TPG) provide good coverage of the area. If you are staying in a Hotel (not the CERN Hostel) you will be given a complementary travel card. Tram 18 takes you between CERN and the City Centre with a 'Billet Tout Genève validité 60''. Tickets can be purchased from machines at each stop. 

Room locations 

When you arrive at CERN you can request a paper map, or use the application https://maps.web.cern.ch 

• Monday: 513/1-024
• Tuesday: 28/S-029
• Wednesday: 31/3-004 - IT Amphitheatre
• Thursday: 40/S2-B01 - Salle Bohr
   

Monday 13 February

09:30 → 09:45 EUGridPMA+: Welcome, agenda, minutes last meeting, note taker, introductions

Speaker: David Groep (Nikhef National institute for subatomic physics (NL))

57-EUGridPMA-Geneva-intro.pdf

57-EUGridPMA-Geneva-intro.pptx

09:45 → 10:00 Self-audit review & status of suspended authorities

Speaker: Cosmin Nistor

10:00 → 10:15 Developments in the Asia Pacific and the APGridPMA

Speakers: Eisaku Sakane, Eric Yen (Academia Sinica)

APGridPMA4EUGridPMA57.pdf

10:15 → 10:45 CA Update I: RCauth HA and its evolution

Speakers: Jens Jensen, Dr Mischa Sallé (NWO-I Nikhef), Mr Nicolas Liampotis

RCauth Online CA service - 57th EUGridPMA (1).pdf

10:45 → 11:15 Coffee

11:15 → 11:45 CA Update II: UKeScience updates: catch-all services for WLCG hosts?

Speaker: John Kewley

UKCA-update2023.pdf

UKCA-update2023.pptx

11:45 → 12:30 PKIX technology topics

S/MIME BR evolution, splitting user S/MIME email and authentication credentials
SHA-1 issues

Speaker: David Groep (Nikhef National institute for subatomic physics (NL))

SMIME-BR-and-authN.pdf

SMIME-BR-and-authN.pptx

12:30 → 14:00 Lunch

14:15 → 14:30 Evolving the AARC BPA, security, trust, and identity questions for RIs

Speakers: David Groep (Nikhef National institute for subatomic physics (NL)), David Kelsey (Science and Technology Facilities Council STFC (GB)), Licia Florio (GEANT)

14:20 → 14:30 EOSC Security and Trust Coordination in the future

updates on the EOSC security coordination, ISM policy development, and expectations

Speaker: David Groep (Nikhef National institute for subatomic physics (NL))

14:30 → 15:30 Assurance and FIM4R (open space)

preparation slot
open for other topics as they may arise!

15:30 → 16:00 Tea

16:00 → 16:30 Updates from the Americas, from ACCESS-CI, and the token transition

Speaker: Derek Simmel

TAGPMA-Update-20230213-EUGridPMA57.pdf

16:30 → 17:00 WLCG Trust Evolution discussion

19:00 → 21:00 Dinner

At La Meyrinoise pizzeria in Meyrin
Table of 15 booked for « Anna »

Tuesday 14 February

09:00 → 10:30 Enabling Communities: first steps in GN5

Speakers: David Groep (Nikhef National institute for subatomic physics (NL)), Mr Maarten Kremers (SURF)

2023-02-14 GN5-1 WP5 EnCo KickOff.pptx.pdf

GN4-3 EnCo Policy Minutes and Workplan

GN5-1 EnCo Policy Notes and Workplan

10:30 → 11:00 Coffee

11:00 → 12:00 WLCG AAOPS assessment

Speaker: Hannah Short (CERN)

WLCG AAOPS assessment sheet

12:00 → 13:15 Lunch

13:15 → 14:45 eduTEAMS/EOSC Core AAI AAOPS assessment

Speaker: Christos Kanellopoulos

AAOPS Assessment supporting materials

14:45 → 15:00 Tea

15:00 → 16:00 UK-IRIS AAOPS assessment

Speakers: David Kelsey (Science and Technology Facilities Council STFC (GB)), Thomas Dack

UK-IRIS AAOPS assessment sheet

16:00 → 16:45 Trust lists and OIDC Federation

in light of the AAOPS assessment and peer review - planning for the EOSC ...

16:45 → 17:05 Planning for the next meeting

and for the FIM4R sessions on Wednesday and Thursday

Speaker: David Groep (Nikhef National institute for subatomic physics (NL))

19:00 → 21:00 Dinner

Demi-Lune Restaurant, Geneva old town.
Catch the tram 18 to Bel Air and walk up the hill through the old town.
Table booked for "Hannah Short"

Wednesday 15 February

09:00 → 09:25 FIM4R: Welcome

09:25 → 10:45 Community Updates

10:45 → 11:05 Coffee

11:05 → 11:50 Passports and GA4GH

Speaker: Tommi Nyrönen (C)

20230215-1MG-GDI-Passport-for-FIM4R.pdf

Many questions about how the technology works (overlap with OAuth/Macaroons).

Question about whether this could be reused by other communities.

Question about why the entitlement guidance from AARC wasn't used. Unclear but took into account other input from sources such as Google/Amazon. Started with 30 different proposals and finding a consensus was very difficult.

Question about levels of assurance. It's a combined assurance model, depends on how many identities you link. If you link an e-ID you are at the max.

Would be interesting to be able to influence e-ID Wallet.

11:50 → 13:30 Lunch

13:30 → 14:00 Development in HPCI and GakuNin

Speaker: Eisaku Sakane

EisakuSakane_Devs-HPCI-GakuNin.pdf

14:00 → 14:40 FIM4R: Requirements for future EU projects

• In the past the AARC and AARC2 projects were funded by the European Commission (EC) partially based on input from FIM4R
• There is a new EC call where we may be granted an "AARC3" project
• What should be in it? Feedback requested from FIM4R
• Expected output so far
  • New versin of the AARC BPA (Blueprint Architecture) focusing on Authorisation 
  • Continuation of policy activities
  • Support the adoption of AARC Guidelines by Research Communities
  • Compendium of Research and Education AAI practices -> input from FIM4R very much appreciated here
• We need to be more inclusive than FIM4R, we need to get more input from other communities
• How do we get in contact with these other communities? 
  • EOSC?
  • We have tried many times in the past without success
• Tommi says that the complex part now is the Authorisation, this is a use case that would appreciate our help
• Petr says that a funded project may help engage new communities. AARC did well in this the first time round but EOSC Future is not so successful.
• DavidG says it's a very imbalanced playing field. Of all the clusters in EOSC only 2 could actually integrate in the EOSC AAI. 
• DavidG says that maybe assurance from IdPs doesn't make sense. Perhaps it should be added from other sources.
• Licia says IdPs are not suitable to provide many things (e.g. authorisation and assurance). We must decrease our reliance on them. Strugging to get much information delivered by IdPs in other projects. Brings new challenges e.g. who will fund authorisation providers?
• Jos says that libraries can play a role 
• What does Licia need now for the proposal?
  • Input to the Excellence section, i.e. how we can help overall objective of RI interoperability
  • Finalise list of partners (e.g. SURF)
    • Elixir (or EOSC Life) may make sense to join but there's few people

 

Actions

• Reach out to previous FIM4R Communities and see whether they have solved everything or not

14:40 → 15:10 Challenges of commercial SP Integration (Discussion)

There is a growing trend for IT departments to outsource services to third parties. This often has consequences for authentication and authorisation
- How are these services integrated? Typically services can be registered behind an enterprise Single Sign-On but not always. This creates multiple authentication workflows for users at a cost to security.
- Will account blocking be propagated?
- Some large service suites offer SSO as a service and nudge organisations to migrate fully from their own independent SSO. Is this a good idea for research organisations?

• We need some viable alternatives to microsoft/google - a "killer app"
• In some countries they already try to move away from some providers, e.g. RENATER moving to opensource email, Denmark schools cannot use Google Docs
• Petr: putting a proxy in between seems to help in many cases
• Jos: we cannot get rid of commercial partners. We have to be sure that we manage our own data.
• GAIAX is an attempt to be a GDPR compliant cloud provider
• Was important in Helix Nebula /Archiver that cloud providers had to show that they support our standards and protocols (eduGAIN login)
• This has been asked in many other places - we should contribute to those discussions
• Would be interesting to see how large, microsoft based research communities perform technical tasks
• Derek: The large providers probably won't have a collaborative mindset for some time
  • Have run into an issue with Duo security, once in the cost has dramatically increased. Dumping it and using something from the higher ed community that is cheaper. 

15:10 → 15:30 Coffee

15:30 → 16:30 Browser Compatibility

Browsers are changing their rules about third party cookies (among other things). This directly impacts us in federated identity. What do we need to be aware of? What should we be doing? Heather will give us a presentation and there will be an open discussion.

Speaker: Heather Flanagan

2023-02-15-FIM4R-browsers.pdf

This is an area where we do need to engage as those making technical decisions are not thinking about our use cases. There is a conference at the end of Feb, with other opportunities to engage later online. For FIM4R Communities this is likely to affect our use of proxies and WAYF persistence. 

19:00 → 21:00 Dinner

Bains des Paquis
Please bring cash in Swiss francs. There are cash points in the restaurants at CERN.
The menu is available at http://buvettedesbains.com/
The standard dinner is Fondue (27chf) & half a sharing plate of ham (7.5chf) & wine (10chf) so please budget for about 45chf.
To reach the location, catch the 18 tram down to Bel Air and walk along the lake to the Bains de Paquis (a pier that goes out into the lake).
Reservation under the name "Anna"

Thursday 16 February

09:30 → 10:15 Introduction to FIM4L

Speaker: Jos Westerbeke

FIM4R CERN presentation 2023.pdf

FIM4R CERN presentation 2023.pptx

• Libraries now grant access to many online resources (e.g. publishers)
• Previously libraries used IP based authentication (often through "easyProxy"), this is still the case for most places but Federated SSO use is increasing
• Believes libraries can play an important role in managing identities 
  • Something libraries already do
  • A library should be a trusted place to study, including sensitive topics (this is equally valid online)
• Established the FIM4L initiative around privacy for online library use
  • Libraries want to uphold principal of freedom of research 
  • Don't want to give all the data to the publishers 
• fim4l.org, FIM4L is a working group in LIBER. Very few people but much interest.
  • Priority to come to a consensus on library policy for federated authentication that protects users identities
• More and more libraries are joining the mailing list and working groups
• Some publishers are shutting down IP based authorisation (some tried and rolled back)
• First FIM4L document published and endorsed
  • Want users to have a choice in how much data is shared with publishers, many users prefer persistent identifiers (but only persistent for a single SP)
  • Publishers do not have to know who the library patrons are
•  Relationship with publishers via contracts, identity model must be included
• Comment from Nicole: eduGAIN will be rolling out the pseudonymous identifiers
• Comment from Adam: There are different libraries all around the world with different budgets and service providers have vastly different pricing models.  So there are some libraries that don't have site-wide licenses (all users) and purchase stuff for specific campuses or partner colleges, or departments etc.  Service providers are the party that needs to authorize access to their services and using federated access, those authorization rules can usually be setup using pseudonymous data. e.g. scoped affiliation or entitlement

 

10:15 → 10:35 Coffee

10:35 → 11:15 Federated shell access (job submission)

Speakers: Marcus Hardt (Kalrsruhe Institute of Technology), Marcus Hardt (KIT)

Link to slides

• Disconnect of knowledge between people who understand Web SSO and SSH. Several workshops held
• Plan to write a whitepaper. Collecting user stories will be useful here to map to the possible solutions.

11:15 → 12:00 Proxies in federations

How do proxies need to be managed to participate fully in identity federations?

Speaker: David Kelsey (STFC - Science & Technology Facilities Council (GB))

Kelsey16feb23-snctfi.pdf

Kelsey16feb23-snctfi.pptx

12:00 → 13:30 Lunch

13:30 → 14:05 Sharing an attribute credential from Self-Sovereign Identity model to the FIM model.

Speaker: Mauladi Mauladi

FIM4R 16 Feb.pdf

14:05 → 14:50 Unconference topics

Slot for any common concerns that are raised over the 2 days, e.g. Keycloak users,

• how can/should be influence the eID wallet? 
• next meeting and location? 
• should we set up a steering committee? 
• Continue the FIM4L discussion

14:50 → 15:00 Wrapup

Speaker: Mr Maarten Kremers (SURF)