FIM4R 17th Workshop & EUGridPMA/EnCo

Timezone: Europe/Zurich
Venue: 40/S2-B01 - Salle Bohr (CERN), capacity 100

Description

CERN is very pleased to host the 17th FIM4R Workshop (15th - 16th of February), combined with an EUGridPMA/GN5-ENCo Meeting (13th - 14th of February).

Please register below to participate and to gain access to the site if you plan to join in person. We look forward to seeing you!

Accommodation

  • An economical option is the CERN Hostel, which can be booked via this form
  • There are many hotels in Geneva and near Geneva Airport, all of which are easily accessible via the tram

Directions to CERN

On the CERN website you can find directions to CERN.

Public Transport

Transports Publics Genevois (TPG) provide good coverage of the area. If you are staying in a hotel (not the CERN Hostel) you will be given a complimentary travel card. Tram 18 takes you between CERN and the city centre with a 'Billet Tout Genève validité 60' ticket. Tickets can be purchased from machines at each stop.

Room locations 

When you arrive at CERN you can request a paper map, or use the application https://maps.web.cern.ch

  • Monday: 513/1-024
  • Tuesday: 28/S-029
  • Wednesday: 31/3-004 - IT Amphitheatre
  • Thursday: 40/S2-B01 - Salle Bohr

Participants
  • Adam Snook
  • Andreas Klotz
  • Casper Dreef
  • Cosmin Nistor
  • David Crooks
  • David Groep
  • David Kelsey
  • Derek Simmel
  • Eisaku Sakane
  • Eric Yen
  • Gerben Venekamp
  • Hannah Short
  • Ian Collier
  • Ian Neilson
  • Jeny Teheran
  • Jos Westerbeke
  • Kirenzi Juma
  • Lidija Milosavljevic
  • Maarten Kremers
  • Mads Freek Petersen
  • Marcus Albrecht
  • Marcus Hardt
  • Martin Kuba
  • Mauladi Mauladi
  • Miroslav Dobrucky
  • Mischa Sallé
  • Nicolas Liampotis
  • Niels van Dijk
  • Peter Gietz
  • Tangui Coulouarn
  • Tom Dack
  • Tommi Nyrönen
  • Valeria Ardizzone
  • Warren Anderson
  • Wolfgang Pempe
  • and 16 more participants
    • 09:30 09:45
      EUGridPMA+: Welcome, agenda, minutes last meeting, note taker, introductions 15m 513/1-024
      Speaker: David Groep (Nikhef National institute for subatomic physics (NL))
      • Welcome 20m
    • 09:45 10:00
      Self-audit review & status of suspended authorities 15m 513/1-024
      Speaker: Cosmin Nistor
    • 10:00 10:15
      Developments in the Asia Pacific and the APGridPMA 15m 513/1-024
      Speakers: Eisaku Sakane, Eric Yen (Academia Sinica)
    • 10:15 10:45
      CA Update I: RCauth HA and its evolution 30m 513/1-024
      Speakers: Jens Jensen, Dr Mischa Sallé (NWO-I Nikhef), Mr Nicolas Liampotis
    • 10:45 11:15
      Coffee 30m 504/R
    • 11:15 11:45
      CA Update II: UKeScience updates: catch-all services for WLCG hosts? 30m 513/1-024
      Speaker: John Kewley
    • 11:45 12:30
      PKIX technology topics 45m 513/1-024

      S/MIME BR evolution, splitting user S/MIME email and authentication credentials
      SHA-1 issues

      Speaker: David Groep (Nikhef National institute for subatomic physics (NL))
    • 12:30 14:00
      Lunch 1h 30m 504/R
    • 14:15 14:30
      Evolving the AARC BPA, security, trust, and identity questions for RIs 15m 513/1-024
      Speakers: David Groep (Nikhef National institute for subatomic physics (NL)), David Kelsey (Science and Technology Facilities Council STFC (GB)), Licia Florio (GEANT)
    • 14:20 14:30
      EOSC Security and Trust Coordination in the future 10m 513/1-024

      Updates on the EOSC security coordination, ISM policy development, and expectations.

      Speaker: David Groep (Nikhef National institute for subatomic physics (NL))
    • 14:30 15:30
      Assurance and FIM4R (open space) 1h 513/1-024

      preparation slot
      open for other topics as they may arise!

    • 15:30 16:00
      Tea 30m 504/R
    • 16:00 16:30
      Updates from the Americas, from ACCESS-CI, and the token transition 30m 513/1-024
      Speaker: Derek Simmel
    • 16:30 17:00
      WLCG Trust Evolution discussion 30m 513/1-024
    • 19:00 21:00
      Dinner 2h 40/S2-B01 - Salle Bohr

      At La Meyrinoise pizzeria in Meyrin
      Table of 15 booked for « Anna »

    • 09:00 09:25
      FIM4R: Welcome 25m 31/3-004 - IT Amphitheatre
      • Welcome to CERN 5m
        Speaker: Hannah Short (CERN)
      • Welcome to FIM4R 10m
        Speaker: Mr Maarten Kremers (SURF)
    • 09:25 10:45
      Community Updates 1h 20m 40/S2-B01 - Salle Bohr
      • IRIS 20m
        Speakers: Thomas Dack, Mr Tom Dack (Science and Technology Facilities Council STFC (GB))

        Q: how many users and what type of services?

        A: mostly access to OpenStack and web tools. For OpenStack we also need SSH. Production use cases. Not really job submission.

      • NFDI 20m
        Speakers: Marcus Hardt (Karlsruhe Institute of Technology), Peter Gietz (DAASI International)

        Q: what is eduID?

        A: German (DFN) user-managed system which gives researchers a persistent ID. They link their identifiers.

        Comments: this all sounds wonderful, next stage is probably international eduID. Many countries offer this on a national level.

      • WLCG 20m
        Speakers: Berk Balci (Istanbul Technical University (TR)), Hannah Short (CERN)
      • Token based AuthN and AuthZ 20m
        Speaker: Derek Simmel
    • 10:45 11:05
      Coffee 20m 40/S2-B01 - Salle Bohr
    • 11:05 11:50
      Passports and GA4GH 45m 40/S2-B01 - Salle Bohr
      Speaker: Tommi Nyrönen (C)

      Many questions about how the technology works (overlap with OAuth/Macaroons).

      Question about whether this could be reused by other communities.

      Question about why the entitlement guidance from AARC wasn't used. Unclear but took into account other input from sources such as Google/Amazon. Started with 30 different proposals and finding a consensus was very difficult.

      Question about levels of assurance. It's a combined assurance model, depends on how many identities you link. If you link an e-ID you are at the max.

      Would be interesting to be able to influence e-ID Wallet.

    • 11:50 13:30
      Lunch 1h 40m 40/S2-B01 - Salle Bohr
    • 13:30 14:00
      Development in HPCI and GakuNin 30m 40/S2-B01 - Salle Bohr
      Speaker: Eisaku Sakane
    • 14:00 14:40
      FIM4R: Requirements for future EU projects 40m 40/S2-B01 - Salle Bohr
      • In the past the AARC and AARC2 projects were funded by the European Commission (EC) partially based on input from FIM4R
      • There is a new EC call where we may be granted an "AARC3" project
      • What should be in it? Feedback requested from FIM4R
      • Expected output so far
        • New version of the AARC BPA (Blueprint Architecture) focusing on Authorisation
        • Continuation of policy activities
        • Support the adoption of AARC Guidelines by Research Communities
        • Compendium of Research and Education AAI practices -> input from FIM4R very much appreciated here
      • We need to be more inclusive than FIM4R, we need to get more input from other communities
      • How do we get in contact with these other communities? 
        • EOSC?
        • We have tried many times in the past without success
      • Tommi says that the complex part now is the Authorisation, this is a use case that would appreciate our help
      • Petr says that a funded project may help engage new communities. AARC did well in this the first time round but EOSC Future is not so successful.
      • DavidG says it's a very imbalanced playing field. Of all the clusters in EOSC only 2 could actually integrate in the EOSC AAI. 
      • DavidG says that maybe assurance from IdPs doesn't make sense. Perhaps it should be added from other sources.
      • Licia says IdPs are not suitable to provide many things (e.g. authorisation and assurance). We must decrease our reliance on them. Struggling to get much information delivered by IdPs in other projects. Brings new challenges, e.g. who will fund authorisation providers?
      • Jos says that libraries can play a role 
      • What does Licia need now for the proposal?
        • Input to the Excellence section, i.e. how we can help overall objective of RI interoperability
        • Finalise list of partners (e.g. SURF)
          • Elixir (or EOSC Life) may make sense to join but there's few people

      Actions

      • Reach out to previous FIM4R Communities and see whether they have solved everything or not
    • 14:40 15:10
      Challenges of commercial SP Integration (Discussion) 30m 40/S2-B01 - Salle Bohr

      There is a growing trend for IT departments to outsource services to third parties. This often has consequences for authentication and authorisation:
      - How are these services integrated? Typically services can be registered behind an enterprise Single Sign-On, but not always. This creates multiple authentication workflows for users, at a cost to security.
      - Will account blocking be propagated?
      - Some large service suites offer SSO as a service and nudge organisations to migrate fully from their own independent SSO. Is this a good idea for research organisations?

      • We need some viable alternatives to Microsoft/Google - a "killer app"
      • In some countries they already try to move away from some providers, e.g. RENATER moving to opensource email, Denmark schools cannot use Google Docs
      • Petr: putting a proxy in between seems to help in many cases
      • Jos: we cannot get rid of commercial partners. We have to be sure that we manage our own data.
      • GAIAX is an attempt to be a GDPR compliant cloud provider
      • Was important in Helix Nebula /Archiver that cloud providers had to show that they support our standards and protocols (eduGAIN login)
      • This has been asked in many other places - we should contribute to those discussions
      • Would be interesting to see how large, microsoft based research communities perform technical tasks
      • Derek: The large providers probably won't have a collaborative mindset for some time
        • Have run into an issue with Duo Security: once in, the cost has dramatically increased. Dumping it and using something from the higher-ed community that is cheaper.
    • 15:10 15:30
      Coffee 20m 40/S2-B01 - Salle Bohr
    • 15:30 16:30
      Browser Compatibility 1h 40/S2-B01 - Salle Bohr

      Browsers are changing their rules about third party cookies (among other things). This directly impacts us in federated identity. What do we need to be aware of? What should we be doing? Heather will give us a presentation and there will be an open discussion.

      Speaker: Heather Flanagan

      This is an area where we do need to engage, as those making technical decisions are not thinking about our use cases. There is a conference at the end of February, with other opportunities to engage later online. For FIM4R communities this is likely to affect our use of proxies and WAYF persistence.

    • 19:00 21:00
      Dinner 2h 40/S2-B01 - Salle Bohr

      Bains des Paquis
      Please bring cash in Swiss francs. There are cash points in the restaurants at CERN.
      The menu is available at http://buvettedesbains.com/
      The standard dinner is Fondue (27chf) & half a sharing plate of ham (7.5chf) & wine (10chf) so please budget for about 45chf.
      To reach the location, catch the 18 tram down to Bel Air and walk along the lake to the Bains de Paquis (a pier that goes out into the lake).
      Reservation under the name "Anna"

    • 09:30 10:15
      Introduction to FIM4L 45m 40/S2-B01 - Salle Bohr
      Speaker: Jos Westerbeke
      • Libraries now grant access to many online resources (e.g. publishers)
      • Previously libraries used IP-based authentication (often through "EZproxy"); this is still the case for most places but federated SSO use is increasing
      • Believes libraries can play an important role in managing identities 
        • Something libraries already do
        • A library should be a trusted place to study, including sensitive topics (this is equally valid online)
      • Established the FIM4L initiative around privacy for online library use
        • Libraries want to uphold the principle of freedom of research
        • Don't want to give all the data to the publishers
      • fim4l.org, FIM4L is a working group in LIBER. Very few people but much interest.
        • Priority to come to a consensus on library policy for federated authentication that protects users identities
      • More and more libraries are joining the mailing list and working groups
      • Some publishers are shutting down IP based authorisation (some tried and rolled back)
      • First FIM4L document published and endorsed
        • Want users to have a choice in how much data is shared with publishers, many users prefer persistent identifiers (but only persistent for a single SP)
        • Publishers do not have to know who the library patrons are
      • Relationship with publishers via contracts; identity model must be included
      • Comment from Nicole: eduGAIN will be rolling out the pseudonymous identifiers
      • Comment from Adam: There are different libraries all around the world with different budgets, and service providers have vastly different pricing models. So there are some libraries that don't have site-wide licenses (all users) and purchase things for specific campuses or partner colleges, or departments, etc. Service providers are the party that needs to authorize access to their services, and using federated access, those authorization rules can usually be set up using pseudonymous data, e.g. scoped affiliation or entitlement.


    • 10:15 10:35
      Coffee 20m 40/S2-B01 - Salle Bohr
    • 10:35 11:15
      Federated shell access (job submission) 40m 40/S2-B01 - Salle Bohr
      Speaker: Marcus Hardt (Karlsruhe Institute of Technology)
      • Disconnect of knowledge between people who understand Web SSO and those who understand SSH. Several workshops held
      • Plan to write a whitepaper. Collecting user stories will be useful here to map them to the possible solutions.
    • 11:15 12:00
      Proxies in federations 45m 40/S2-B01 - Salle Bohr

      How do proxies need to be managed to participate fully in identity federations?

      Speaker: David Kelsey (STFC - Science & Technology Facilities Council (GB))
    • 12:00 13:30
      Lunch 1h 30m 40/S2-B01 - Salle Bohr
    • 13:30 14:05
      Sharing an attribute credential from Self-Sovereign Identity model to the FIM model. 35m 40/S2-B01 - Salle Bohr
      Speaker: Mauladi Mauladi
    • 14:05 14:50
      Unconference topics 45m 40/S2-B01 - Salle Bohr

      Slot for any common concerns that are raised over the 2 days (e.g. Keycloak users), including:

      • how can/should we influence the eID wallet?
      • next meeting and location?
      • should we set up a steering committee?
      • continue the FIM4L discussion
    • 14:50 15:00
      Wrap-up 10m 40/S2-B01 - Salle Bohr
      Speaker: Mr Maarten Kremers (SURF)