Attendees: Andrea, Brian, Dave, David, Hannah, Maarten, Michel, Mine, Mischa, Nicolas
INDIGO IAM Demo
- Ability to authenticate with OIDC, SAML, X.509 and local username/password credentials
- Provisioning service for users and groups; a trusted third party can add and change users on demand
- VO registration
- Inspired by VOMS-Admin
- Can be configured to automatically enroll users from a trusted IdP, e.g. CERN SSO
- One master identity, uniquely identified by an email, that can then have linked identities
- Users, to link certificates to their identity, need to prove ownership of the certificate's private key (i.e. have the certificate installed in the browser)
- Administrators, or third-party apps authorized to use the provisioning APIs, can link certificates to users without owning the certificate key
- The persistent ID attribute released by the IdP is used to link users
- Can whitelist IdPs based on e.g. Sirtfi compliance
- Group management
- Hierarchical or flat groups, flexible
- All groups provided in tokens at all times
- No roles, use scopes to control specific privilege requests
- Question of mapping to VOMS pending
- Users may want to change their “role” between user and admin, should be done by scopes
- Implements user and group provisioning APIs compliant with the SCIM 2 standard
- CLI support
- Can do the username/password OAuth flow, but the credentials are exposed to the client (not just to the IdP), so it is not recommended
- Get OIDC response including access token
- Put access token in local env variable
- Interact with services
- Recommended flow (no password exposed to the client)
- curl to obtain a verification endpoint and a user code
- navigate to the endpoint in a browser and enter the code
- token then available on the command line
- Requires a browser - almost like a 2nd factor
- Plans to have VOMS provisioning soon
- IAM has SSH linking support in API
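The device-code login described above, as an added illustration (not INDIGO IAM's own code): a toy authorization server and the CLI client run in one process so both sides of the exchange are visible. The verification URI, code formats, 5-second poll interval and the error strings follow RFC 8628 conventions, but the concrete values are assumptions for this example. The point it shows is that the CLI never sees a password: it only learns a device code, and the user authenticates in the browser.

```python
"""Added example of an OAuth 2.0 device-code flow (RFC 8628 style).
Not INDIGO IAM code; endpoint URI and parameter values are assumptions."""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class ToyAuthServer:
    """Minimal stand-in for an OIDC provider's device and token endpoints."""

    def __init__(self, interval=5, lifetime=600, clock=time.time):
        self.interval = interval   # seconds the client must wait between polls
        self.lifetime = lifetime   # seconds before an unapproved device code expires
        self.clock = clock         # injectable so the demo can run without waiting
        self.pending = {}          # device_code -> request record
        self.user_codes = {}       # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Device endpoint: hand the CLI a device code plus a short user code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": self.clock() + self.lifetime, "approved_by": None,
            "last_poll": None,
        }
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://iam.example.org/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, username):
        """Browser side: a user already authenticated at the IdP types the code in."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return False
        self.pending[device_code]["approved_by"] = username
        return True

    def token(self, grant_type, device_code, client_id):
        """Token endpoint: the CLI polls here until the user has approved."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires"]:
            del self.pending[device_code]
            del self.user_codes[rec["user_code"]]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}     # client polled too fast
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        # The device code is consumed once tokens are issued (one-shot).
        del self.pending[device_code]
        del self.user_codes[rec["user_code"]]
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600,
                "scope": rec["scope"], "sub": rec["approved_by"]}


def cli_login(server, client_id, scope, show_prompt, sleep=time.sleep):
    """What the CLI does: request codes, tell the user where to go, poll for the token.
    Returns the token response and the number of polls it took."""
    auth = server.device_authorization(client_id, scope)
    show_prompt(auth["verification_uri"], auth["user_code"])
    interval = auth["interval"]
    polls = 0
    while True:
        polls += 1
        tok = server.token(DEVICE_GRANT, auth["device_code"], client_id)
        if "error" not in tok:
            return tok, polls          # a shell wrapper would now export the access token
        if tok["error"] == "slow_down":
            interval += 5              # RFC 8628 section 3.5: back off
        elif tok["error"] != "authorization_pending":
            raise RuntimeError("device flow failed: " + tok["error"])
        sleep(interval)


class FakeClock:
    """Deterministic clock for the demo; fake sleeps advance it."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Constructed run: the user finishes in the browser during the second wait."""
    clock = FakeClock()
    srv = ToyAuthServer(clock=clock)
    prompt, waits = {}, []

    def show(uri, code):
        prompt.update(uri=uri, code=code)   # what the CLI prints for the user

    def fake_sleep(seconds):
        clock.t += seconds
        waits.append(seconds)
        if len(waits) == 2:                 # simulated browser approval by "alice"
            srv.approve(prompt["code"], "alice")

    tok, polls = cli_login(srv, "cli-client", "openid profile", show, sleep=fake_sleep)
    return tok, polls, waits


if __name__ == "__main__":
    token, n, w = demo()
    print(f"token for {token['sub']} after {n} polls, waited {w}")
```

Note that the CLI holds the device code, not the user's password, and that the toy server rejects reuse of a consumed device code and polling faster than the advertised interval, which are the two checks a real token endpoint enforces in this flow.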
EGI Check-in
- Based on SimpleSAMLphp, translates between multiple protocols
- Uses COmanage
- Concept of collaborations (COs) rather than VOs
- Hierarchical groups
- Plan to use groups inside COUs to represent roles
- Users identified as CO person
- Registration form very customisable
- Uses the EGI proxy for authentication (the demo instance is not in eduGAIN, so use a social ID if testing)
- Affiliation and organisation picked from SAML token if provided
- AUP
- SSH key portal, enables LDAP provisioning
- Enables certificate download on command line
- Extension for provisioning users in VOMS, near future, plan to use API
- Browser flow to generate OIDC refresh token that could be put into a script for command line access
- Roles? A user is a member of a COU, so they get the COU role. There is no other “role” concept; would expect to use groups to do the same thing
- Not using scopes, using group information directly (ability to change “hats”/roles?)
Comments
- Need to be able to change role/group and not necessarily have super-user by default
- VOMS provisioning is still being worked out by both services
Actions