WLCG AuthZ Meeting


Proposed Agenda


Attendees: Andrea, Brian, Dave, David, Hannah, Maarten, Michel, Mine, Mischa, Nicolas


INDIGO IAM

  • Ability to authenticate with OIDC, SAML, X.509 and local username/password credentials
  • Provisioning service for users and groups, adding and changing users on demand by trusted 3rd party
  • VO registration
    • Inspired by VOMS-Admin
    • Can be configured to automatically enroll users from a trusted IdP, e.g. CERN SSO
    • One master identity, uniquely identified by an email, that can then have linked identities
    • Users, to link certificates to their identity, need to prove ownership of the certificate private key (i.e. have the certificate installed in the browser)
    • Administrators, or third-party authorized apps via provisioning APIs, can link certificates to users without owning the cert key
    • Persistent ID attribute from IdP users for linking
    • Can whitelist IdPs based on e.g. Sirtfi compliance
  • Group management
    • Hierarchical or flat groups, flexible
      • All groups provided in tokens at all times
    • No roles, use scopes to control specific privilege requests
      • Question of mapping to VOMS pending
      • Users may want to change their “role” between user and admin, should be done by scopes
  • Implements user and group provisioning APIs compliant with the SCIM 2 standard
  • CLI support
    • A username/password OAuth flow is possible, but the credentials are exposed to the client application (not only to the IdP), so it is not recommended
      • Get OIDC response including access token
      • Put access token in local env variable
      • Interact with services
    • Recommended flow (no password exposed)
      • curl to get an endpoint and a user code
      • Navigate to the endpoint and enter the code
      • Token available on command line
      • Requires a browser - almost like a 2nd factor
  • Plans to have VOMS provisioning soon
  • IAM has SSH linking support in API
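The recommended CLI flow in the notes (curl for a user code, enter it in a browser, token appears on the command line) matches the OAuth 2.0 device authorization grant (RFC 8628). What follows is an added example, not code from INDIGO IAM, EGI Check-in or any real IdP: both sides of the exchange, a minimal in-memory authorization server and a polling CLI client, run in one process so the flow can be executed offline, including the authorization_pending, slow_down, expiry and single-use replies. The verification URI, the subject alice@example.org, the FakeClock and the polling timings are all constructed for the demonstration.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) simulated end to end (the "recommended flow"
in the IAM CLI notes). Added example, not INDIGO IAM or EGI Check-in code; URI and subject are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


class FakeClock:  # injectable clock so polling and expiry can be exercised instantly
    def __init__(self, start: float = 1000.0): self.now = start
    def time(self) -> float: return self.now
    def sleep(self, seconds: float) -> None: self.now += seconds


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    issued_at: float
    expires_in: int
    subject: Optional[str] = None      # set when the user approves in the browser
    last_poll: Optional[float] = None  # used to enforce the polling interval


class AuthorizationServer:
    """In-memory stand-in for the IdP's device-authorization and token endpoints."""
    VERIFICATION_URI = "https://iam.example.org/device"  # hypothetical endpoint

    def __init__(self, clock: Callable[[], float] = time.time,
                 expires_in: int = 600, interval: int = 5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self._by_device, self._by_user = {}, {}

    def _forget(self, g: DeviceGrant) -> None:  # every grant is single use
        self._by_device.pop(g.device_code, None)
        self._by_user.pop(g.user_code, None)

    def device_authorization(self) -> dict:
        """Step 1: the CLI (curl in the notes) obtains a device code and a user code."""
        g = DeviceGrant(secrets.token_urlsafe(32),     # device code: held by the CLI only
                        secrets.token_hex(4).upper(),  # user code: short, typed by a human
                        self.clock(), self.expires_in)
        self._by_device[g.device_code], self._by_user[g.user_code] = g, g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": g.expires_in, "interval": self.interval}

    def approve(self, user_code: str, subject: str) -> bool:
        """Step 2 (browser): user logs in at the IdP and types the code; the CLI never sees the password."""
        g = self._by_user.get(user_code)
        if g is None or self.clock() > g.issued_at + g.expires_in or g.subject is not None:
            return False
        g.subject = subject
        return True

    def token(self, device_code: str) -> dict:
        """Step 3: the CLI polls the token endpoint with its device code."""
        g = self._by_device.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > g.issued_at + g.expires_in:
            self._forget(g)
            return {"error": "expired_token"}
        if g.last_poll is not None and now - g.last_poll < self.interval:
            g.last_poll = now
            return {"error": "slow_down"}   # polled faster than the advertised interval
        g.last_poll = now
        if g.subject is None:
            return {"error": "authorization_pending"}
        self._forget(g)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": g.subject}


def cli_login(server: AuthorizationServer, sleep: Callable[[float], None],
              on_prompt: Callable[[str], None]) -> dict:
    """CLI side: prompt, then poll until a token or a terminal error; +5 s on slow_down."""
    resp = server.device_authorization()
    on_prompt(f"Open {resp['verification_uri']} and enter code {resp['user_code']}")
    interval = resp["interval"]
    while True:
        tok = server.token(resp["device_code"])
        if "access_token" in tok:
            return tok                 # this, not a password, is what the CLI keeps
        if tok["error"] == "slow_down":
            interval += 5
        elif tok["error"] != "authorization_pending":
            raise RuntimeError(tok["error"])
        sleep(interval)


def demo_success() -> dict:  # the user finishes the browser step after the CLI's second poll
    clock, state = FakeClock(), {"user_code": "", "polls": 0}
    server = AuthorizationServer(clock=clock.time)

    def sleep(seconds: float) -> None:  # stands in for time.sleep inside the CLI
        clock.sleep(seconds)
        state["polls"] += 1
        if state["polls"] == 2:         # the human finishes at the IdP after the 2nd poll
            server.approve(state["user_code"], "alice@example.org")

    tok = cli_login(server, sleep, lambda msg: state.update(user_code=msg.rsplit(" ", 1)[1]))
    return {**tok, "polls_before_approval": state["polls"]}
```

The point the notes make about the password flow is visible in the structure: the CLI's only inputs are the device code, the user code and the polled token replies, while the user's password is handled solely in the `approve` step between browser and IdP. The "almost like a 2nd factor" remark corresponds to the fact that the user code is useless without an authenticated browser session at the IdP, and a device code that is never approved simply expires.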


EGI Check-in

  • Based on SimpleSAMLphp, translating between multiple protocols
  • Uses COmanage
    • Concept of collaborations (COs) rather than VOs
  • Hierarchical groups
  • Plan to use groups inside COUs to represent roles
  • Users identified as CO person
  • Registration form very customisable
  • Uses the EGI proxy for authentication (demo is not in eduGAIN, so use a social ID if testing)
    • Affiliation and organisation picked from SAML token if provided
    • AUP
  • SSH key portal, enables LDAP provisioning
    • Enables certificate download on command line
  • Extension for provisioning users in VOMS, near future, plan to use API
  • Browser flow to generate OIDC refresh token that could be put into a script for command line access
  • Roles? A user is a member of a COU, so they get the COU role. There are no other “role” concepts; groups would be expected to do the same thing
  • Not using scopes, using group information directly (ability to change “hats”/roles?)


Discussion

  • Need to be able to change role/group and not necessarily have super-user by default
  • VOMS provisioning is still being worked out by both services


Timetable

    • 4:00 PM - 4:20 PM: INDIGO IAM Demo (20m)
      Speaker: Andrea Ceccanti
    • 4:20 PM - 4:40 PM: EGI Check-in (20m)
      Speaker: Mr Nicolas Liampotis (Greek Research and Technology Network - GRNET)
    • 4:40 PM - 5:00 PM: Demo Discussion (20m)
    • 5:00 PM - 5:20 PM: Review Comments on requirements (20m)