WLCG AuthZ Call

Attendees: Andrea, Hannah, Linda, Mario, Michel, Mine, Mischa, Nicolas, Paolo, Vincent, Maarten
Apologies: Brian, Romain

  • General aims of Group (for Paolo)
    • Transition to a token based authorisation infrastructure
    • Replace VOMS-Admin with a tool able to accept registration without certificate
    • Provide token translation capabilities & a user-friendly non-web process
  • Authorisation project underway: CERN services allow per-service authorisation & account linking
    • http://cern.ch/authorization-service
    • Authentication *must* be done through CERN SSO (LDAP, SAML, OIDC)
    • Identity is an abstraction of an account, multiple accounts can be linked
    • Can define requirements for MFA, LoA
    • Authorisation managed by the AuthSvc, but can sync with an API
    • Keycloak has an interesting overlap, with client roles
    • Non-web: planning to synchronise roles to an LDAP server for Kerberos-based access (CERN accounts only)
    • Just starting
    • Timeline: would like to have a pilot by the end of the year
    • Long term goal to get rid of lightweight accounts
  • We need to bear in mind that not all WLCG VOs are CERN affiliated
    • This is **important**
    • Non-LCG VOs manage their identity vetting elsewhere, e.g. Belle II is managed by KEK
    • Will need to do periodic checks against the HR DB, so must manage DB access as well as AuthN attributes
  • Future CERN AAI will be able to offer
    • SAML, OIDC & CERN Accounts
    • Account linking
    • Suspension
  • Features required by our WLCG AAI Component and not provided by CERN IT future AuthZ service
    • Token translation (-> X.509, -> JWT)
    • Tokens issued by VO
    • AUP signing
    • Non-web?
    • Membership Registration (is this needed if we can rely on an attribute from CERN HR DB?)
  • FERRY may want to evolve to whatever we come up with in this WG. Currently can only handle Fermilab accounts.
  • Requirements comparison
    • Do we need 2FA for tokens when they are created, or on use?
    • Integration: can web services switch easily? What do grid services need to do? They are moving to JWT anyway, but will they need the fixed schema? OAuth2 is typically a lot easier than SAML, as long as it is standard
    • We do need to support both AuthZ scopes and groups/roles
    • Additional discussion needed on site level blocking
  • Next Steps
    • Wrap up Evaluation
    • Discuss site level suspension
    • Focus on functionality of VOMS-Admin and compare
      • Registration Procedure and impact on VO managers
      • Integration with HR DB
    • WLCG Workshop; Maarten, Andrea, Mine (Remote)
    • Post meeting discussion with Maarten, discuss whether a consistent ID that links to an individual should be available at the sites (AuthZ token)


  • Actions
    • @Andrea and @Paolo to discuss Keycloak roles
    • @Hannah send link of JWT to group
  • Agenda
    • 16:00 - 16:20 CDA Authorisation Project (20m)
      Speaker: Paolo Tedesco (CERN)
    • 16:30 - 16:50 Discussion, CERN SSO integration (20m)
      How much of the existing SSO infrastructure could/should we be using? How can the WLCG AAI be linked to CERN for some VOs (LHC) and not for others? Can we be relying on e-groups (or the future authorisation project) for information on e.g. identity vetting?
    • 17:00 - 17:20 Review Requirements Matching (20m)