WLCG AuthZ WG 26th Jan, 16:00 CET
Attendees
- Andrea, David, Linda, Kyle, Liviu, Mine, Romain, Hannah, Mario, Miguel, Vincent, Nicolas, Paul
Notes WLCG AuthZ Call
- Some gaps identified last time, notably
  - Role choice
  - VOMS Provisioning
- IAM
  - Authentication types OK
  - Assurance, can be restricted to Sirtfi & R&S
  - VO membership management looks good
  - Integration with HR DB ok, fairly flexible provisioning APIs
  - Can control attribute release via scopes (like role selection)
  - JWT tokens are used and fulfil the requirements for service authorisation
  - Semi-opaque ID can be resolved to identity information for security
  - AuthZ attributes can be included in tokens where possible
  - Suspension plugin for Argus
    - Suspension should not be an issue with short-lived tokens; on the other hand, a central refresh service is a single point of failure
  - VOMS Provisioning (not in requirements list! Probably an oversight)
    - Investigating a way to provision VOMS with attributes already in IAM
    - Creating new VOMS users is a well understood problem
    - Looking at binding between DN and IAM UserID
      - Could use an incoming attribute from SAML or OIDC as certificate subject
      - Or link DNs to an account
    - Still looking into role provisioning
  - Requirements **NOT** met
    - Periodic credential verification, i.e. attribute freshness
  - Work led by INFN. Key customers: EGI & WLCG
- EGI Checkin
  - Group management with CoManage
  - Combines attributes from different identities
  - All AuthN providers supported
  - Minimum LoA configurable
  - Suspension and refresh look and feel is based on the look of Facebook/Twitter
  - Tokens are JWT
  - SSH key authentication for proxy retrieval supported (done through CoManage)
  - Hierarchical users, can suspend users below them
  - Long-lived token lifetime well defined, revocation mechanism in place
  - Requirements **NOT** met
    - CERN HR DB integration
    - Role selection (but could do; have a service where users can select a hat)
    - Token exchange (for multi-hop delegation), investigating
    - Command line token retrieval, investigating
  - Can be the hosted option, or a SaaS solution
- EOSC Hub
  - Both solutions included (& B2Access)
  - There will be an integration between all 3 AAIs; some communities will want to use one entry point over the other
Next Steps
- Evaluate the different options more formally
- Impact of refresh server dependence, worth a longer discussion
Actions
- Hannah - schedule a next call for JWT Profile discussion
- Hannah - set up an Evaluation Table
- Andrea & Nicolas - provide some test instances
- Romain, Hannah, Andrea & others - draft a strategy for the WG & share
- AARC Pilot team to continue planning and report back