WLCG AuthZ WG Call
Description
- Paolo to present the Future Authorisation Project
- Discussion, interaction with CERN SSO
- Review requirements matching for IAM/Checkin-COmanage https://docs.google.com/spreadsheets/d/1mC2U2H12RDHsOtk1OHQM3_HVbbflHfj-Y1Fv0yW_0KA/edit#gid=0
- AOB
WLCG AuthZ Call
Attendees: Andrea, Hannah, Linda, Mario, Michel, Mine, Mischa, Nicolas, Paolo, Vincent, Maarten
Apologies: Brian, Romain
- General aims of the Group (for Paolo)
  - Transition to a token-based authorisation infrastructure
  - Replace VOMS-Admin with a tool able to accept registration without a certificate
  - Provide token translation capabilities & a user-friendly non-web process
- Authorisation project underway; CERN services allow per-service authorisation & account linking
  - http://cern.ch/authorization-service
  - Authentication *must* be done through CERN SSO (LDAP, SAML, OIDC)
  - Identity is an abstraction of an account; multiple accounts can be linked
  - Can define requirements for MFA, LoA
  - Authorisation managed by the AuthSvc but can sync with an API
  - Keycloak has an interesting overlap, with client roles
  - Non-web: planning to synchronise roles to an LDAP server for Kerberos-based access (CERN Account only)
  - Just starting
  - Timeline: would like to have a pilot by the end of the year
  - Long-term goal to get rid of lightweight accounts
- We need to bear in mind that not all WLCG VOs are CERN affiliated
  - This is **important**
  - Non-LCG VOs manage their identity vetting elsewhere, e.g. Belle II managed by KEK
  - Will need to do periodic checks with the HR DB, so must manage DB access as well as AuthN attributes
- Future CERN AAI will be able to offer
  - SAML, OIDC & CERN Accounts
  - Account linking
  - Suspension
- Features required by our WLCG AAI component and not provided by the CERN IT future AuthZ service
  - Token translation -> X.509, -> JWT
  - Tokens issued by the VO
  - AUP signing
  - Non-web?
  - Membership registration (is this needed if we can rely on an attribute from the CERN HR DB?)
- FERRY may want to evolve to whatever we come up with in this WG. Currently it can only handle Fermilab accounts.
- Requirements comparison
  - Do we need 2FA for tokens when they are created, or on use?
  - Integration: can web services switch easily? What do grid services need to do? They are moving to JWT anyway but will need the fixed schema. OAuth2 is typically a lot easier than SAML, as long as it is standard.
  - We do need to support both AuthZ scopes and groups/roles
  - Additional discussion needed on site-level blocking
- Next Steps
  - Wrap up evaluation
  - Discuss site-level suspension
  - Focus on the functionality of VOMS-Admin and compare
  - Registration procedure and impact on VO managers
  - Integration with HR DB
  - WLCG Workshop: Maarten, Andrea, Mine (remote)
  - Post-meeting discussion with Maarten: discuss whether a consistent ID that links to an individual should be available at the sites (AuthZ token)
ACTIONS
- @Andrea and @Paolo to discuss Keycloak roles
- @Hannah send link of JWT to group