WLCG AuthZ Meeting


Proposed Agenda: 

  • Understand how well the INDIGO IAM Solution fits our requirements 
  • Understand how well the EGI Check-in Solution fits our requirements
  • AOB



WLCG AuthZ WG, 26th Jan, 16:00 CET


  • Andrea, David, Linda, Kyle, Liviu, Mine, Romain, Hannah, Mario, Miguel, Vincent, Nicolas, Paul


Notes WLCG AuthZ Call

  • Some gaps identified last time, notably
    • Role choice
    • VOMS Provisioning
  • IAM
    • Authentication types OK
    • Assurance can be restricted to Sirtfi & R&S
    • VO membership management looks good
    • Integration with HR DB ok, fairly flexible provisioning APIs
    • Can control attribute release via scopes (like role selection)
    • JWT tokens are used and fulfil the requirements for service authorisation
    • A semi-opaque ID can be resolved to identity information for security purposes
    • AuthZ attributes can be included in tokens where possible
    • Suspension plugin for Argus
    • Suspension should not be an issue with short-lived tokens; on the other hand, a central refresh service is a single point of failure
    • VOMS Provisioning (not in the requirements list, probably an oversight)
      • Investigating ways to provision VOMS with attributes already held in IAM
      • Creating new VOMS users is a well understood problem
      • Looking at binding between DN and IAM UserID
        • Could use an incoming attribute from SAML or OIDC as certificate subject
        • Or link DNs to an account
      • Still looking into role provisioning
    • Requirements **NOT** met
      • Periodic credential verification, i.e. attribute freshness
    • Work led by INFN. Key customers: EGI & WLCG
  • EGI Check-in
    • Group management with CoManage
    • Combines attributes from different identities
    • All AuthN providers supported
    • Minimum LoA configurable
    • Suspension and refresh look and feel are modelled on Facebook/Twitter
    • Tokens are JWT
    • SSH key authentication for proxy retrieval supported (done through CoManage)
    • Hierarchical users, can suspend users below them
    • Long lived token lifetime well defined, revocation mechanism in place
    • Requirements **NOT** met
      • CERN HR DB integration
      • Role selection (but could be done; there is a service where users can select a hat)
      • Token exchange (for multi-hop delegation), investigating
      • Command-line token retrieval, investigating
    • Can be the hosted option or a SaaS solution
  • EOSC Hub
    • Both solutions included (& B2Access)
    • There will be an integration between all 3 AAIs, some communities will want to use one entry point over the other
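The trade-off noted under IAM (suspension is harmless with short-lived tokens, but a central refresh service becomes the single point of failure) and the unmet "attribute freshness" requirement both come down to what a relying service checks before honouring a JWT. The following is an added illustration, not code from INDIGO IAM, EGI Check-in or the WG; the HS256 shared secret, issuer URL, scopes, token lifetime and the `SUSPENDED` set are all constructed for the example (a real issuer would sign with RS256/ES256 and publish a JWKS). It shows a service pinning the algorithm, verifying the signature, rejecting expired tokens, bounding how old the embedded attributes may be, and an issuer that simply stops refreshing a suspended subject, so the exposure window after suspension is exactly one token lifetime.

```python
"""Relying-party checks on a short-lived JWT access token (constructed example)."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo values; a real deployment verifies an RS256/ES256 signature
# against the issuer's published JWKS rather than sharing an HMAC secret.
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://iam.example.org"       # placeholder issuer
TOKEN_LIFETIME = 600                     # seconds; what "short-lived" means here
MAX_ATTRIBUTE_AGE = 3600                 # how stale embedded attributes may be
SUSPENDED = set()                        # issuer-side state, constructed


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list, issued_at: int,
               lifetime: int = TOKEN_LIFETIME, key: bytes = SECRET) -> str:
    """Issuer side: produce an HS256 JWT carrying subject, scopes and timestamps."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": issued_at,
              "exp": issued_at + lifetime, "scope": " ".join(scopes)}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def refresh(subject: str, scopes: list, now: int) -> str:
    """Issuer side: a suspended subject gets no new token; existing ones run out."""
    if subject in SUSPENDED:
        return None
    return mint_token(subject, scopes, now)


def verify_token(token: str, required_scope: str, now: int, key: bytes = SECRET):
    """Service side. Returns (accepted, reason, claims); each failure names its cause."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False, "malformed", None
    # Pin the algorithm: the token never gets to choose (rejects alg=none, downgrades).
    if header.get("alg") != "HS256":
        return False, "bad-alg", None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad-signature", None
    if claims.get("iss") != ISSUER:
        return False, "bad-issuer", claims
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", claims
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        return False, "issued-in-future", claims
    # Attribute freshness: scopes/groups were asserted at iat. Without a periodic
    # re-verification channel, the service bounds staleness itself.
    if now - claims["iat"] > MAX_ATTRIBUTE_AGE:
        return False, "stale-attributes", claims
    if required_scope not in claims.get("scope", "").split():
        return False, "missing-scope", claims
    return True, "ok", claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("alice", ["storage.read"], t0)
    print(verify_token(tok, "storage.read", t0 + 100)[1])   # ok
    SUSPENDED.add("alice")
    print(refresh("alice", ["storage.read"], t0 + 200))      # None: no new token
    print(verify_token(tok, "storage.read", t0 + 200)[1])   # ok: still within lifetime
    print(verify_token(tok, "storage.read", t0 + 600)[1])   # expired
```

With a 600 s lifetime the worst case after suspension is 600 s of continued access, and the issuer needs no revocation list; the price is that every client must reach the refresh service before each token expires, which is the single-point-of-failure concern raised above. The `stale-attributes` branch is the service-side substitute for periodic credential verification when tokens are long-lived.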

Next Steps

  • Evaluate the different options more formally
    • Impact of refresh server dependence, worth a longer discussion


  • Hannah - schedule a next call for the JWT Profile discussion
  • Hannah - set up an Evaluation Table
  • Andrea & Nicolas - provide some test instances
  • Romain, Hannah, Andrea & others - draft a strategy for the WG & share
  • AARC Pilot team to continue planning and report back


