Attendees: Miguel, Andrea, Linda, Hannah, Nicolas, Brian, Maarten, Michel, David
Apologies: Romain

Notes:

• HR DB Integration & Privacy notice
  • DB connection rather than SSO - pilots agree this is not problematic
  • Must be hosted at CERN
  • HR must approve Privacy Statement
    • CERN template to be used - collect information from pilots
    • Provisioning needs to be included
      • IAM this functionality is more restricted than VOMS Admin
      • Checkin provisions VOMS and then VOMS privacy statement should be valid
• JWT Catalogue updates
  • Miguel/ALICE contributed
• LoA (Level of Assurance) in schema
  • OIDC and OAuth have specific claims for this
  • There are several profiles in the sector - RAF uses the eduPersonAssurance claim rather than the standard
  • If we only need assurance of authentication then maybe OIDC is OK
  • Q: where is our assurance coming from? This should help us answer what is needed
    • Identity Vetting is covered by HR DB
    • Affiliation is covered by HR DB
    • Authentication method varies - would need to propagate LoA from authentication point (even behind CERN SSO)
  • Suggestion to use labels and vocabulary from RAF and claims from OIDC
  • Decision to put a placeholder in the schema already, with the expectation that things will change
• Versioning
  • Should reflect that it's a WLCG version
  • Not necessarily numerically consecutive but might be helpful for namespace and comparison
  • Could add profile name (e.g. "WLCG") for namespacing, could also contain URI
  • Brian believes there will not be so many versions and that string comparison might not be too difficult, however still interest in numeric versioning plus profile string
  • Could also embed the version in the profile
  • Need to be sensitive to length of token
• Suggestion to have another pre-GDB in December
  • Complete schema
  • Assess pilots (should be running at CERN)
• AIM BEFORE CHRISTMAS
  • Pilots deployed within CERN and HR DB Connection
  • Proof of concept workflows for command line
  • NB: IAM lost a person, may be delays
• HR DB library not existing and structure changing. Andrea has legacy code in VOMS Admin that he will extract. Can potentially do in a way that is usable by e.g. Check-in
• WLCG AAI Privacy Notice: https://docs.google.com/document/d/1E35DEuptjz0CSWvmegECRjCvCMtCb2UFhtUXPeGA2To/edit?usp=sharing 
• Request from Dave K to present at HEPiX (to Andrea) - could potentially go (clashes with DI4R)
  • Andrea willing to attend
  • 20 minutes
  • Should make sure to coordinate with Paolo's talk
  • CHEP talk could be largely reused

Actions:

• @Nicolas/@Andrea both pilots to let Hannah know what kind of VM/Container required for deployment
• @Hannah to collect privacy statement data from pilots and combine with existing VOMS admin data
• @Maarten to put Hannah in loop for VOMS admin privacy notice work
• @Maarten to get CERN accounts for Nicolas & colleagues
• @Hannah to remind people to update JWT Token Catalogue
• @Nicolas to add schema placeholder for LoA
• @Brian to propose versioning methodology on the mailing list
• @Hannah to ask Ian C if we can take December pre-GDB 11th
• @Maarten to check clashing meetings in December
• @Andrea to send email to list to say that willing to present at HEPiX, just check no clashing proposal. Adapt CHEP talk for HEPiX