Attendees: Miguel, Andrea, Linda, Hannah, Nicolas, Brian, Maarten, Michel, David
Apologies: Romain
Notes:
- HR DB Integration & Privacy notice
  - DB connection rather than SSO - pilots agree this is not problematic
  - Must be hosted at CERN
  - HR must approve Privacy Statement
    - CERN template to be used - collect information from pilots
    - Provisioning needs to be included
  - In IAM this functionality is more restricted than in VOMS Admin
  - Check-in provisions VOMS, and then the VOMS privacy statement should be valid
- JWT Catalogue updates
  - LoA (Level of Assurance) in schema
    - OIDC and OAuth have specific claims for this
    - There are several profiles in the sector - RAF uses the eduPersonAssurance claim rather than the standard one
    - If we only need assurance of authentication then maybe OIDC is OK
    - Q: where is our assurance coming from? Answering this should tell us what is needed
      - Identity vetting is covered by HR DB
      - Affiliation is covered by HR DB
      - Authentication method varies - would need to propagate LoA from the authentication point (even behind CERN SSO)
    - Suggestion to use labels and vocabulary from RAF and claims from OIDC
    - Decision to put a placeholder in the schema already, with the expectation that things will change
  - Versioning
    - Should reflect that it's a WLCG version
    - Not necessarily numerically consecutive, but numeric might be helpful for namespace and comparison
    - Could add profile name (e.g. "WLCG") for namespacing; could also contain a URI
    - Brian believes there will not be so many versions and that string comparison might not be too difficult; however, there is still interest in numeric versioning plus a profile string
    - Could also embed the version in the profile
    - Need to be sensitive to length of token
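The two schema points above (an LoA placeholder using RAF vocabulary, and a namespaced version claim that can be compared numerically rather than as a plain string) are illustrated by the following added Python example. It is not code from the working group, IAM or Check-in: the claim names `wlcg.ver` and `eduPersonAssurance` (as a JWT claim) are assumptions chosen for the illustration, the sample payload is constructed, and only the RAF IAP identifier values are the real REFEDS ones. It also shows why a numeric tuple is needed when the check is "at least version X" rather than exact equality, and measures the encoded payload length so the cost of each added claim is visible.

```python
"""Checks on a WLCG-style token payload: profile/version claim and LoA placeholder.
Added illustration; claim names are assumptions, not the working group's decisions."""
import base64
import json
from typing import Dict, List, Optional, Tuple

# REFEDS Assurance Framework (RAF) identity-proofing values, weakest first.
RAF_IAP = [
    "https://refeds.org/assurance/IAP/low",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/IAP/high",
]

# Hypothetical claim names chosen for this example only.
VERSION_CLAIM = "wlcg.ver"              # profile name plus version, e.g. "WLCG:1.0"
ASSURANCE_CLAIM = "eduPersonAssurance"  # RAF vocabulary carried in an OIDC-style claim


def parse_profile_version(value: str) -> Tuple[str, Tuple[int, ...]]:
    """Split a namespaced version into (namespace, numeric tuple).

    Accepts the short form "WLCG:1.0" and a URI form whose last path
    segment is the version, e.g. "https://example.org/jwt-profile/1.2".
    """
    if "://" in value:
        namespace, _, ver = value.rpartition("/")
    else:
        namespace, _, ver = value.partition(":")
    if not namespace or not ver:
        raise ValueError(f"malformed version claim: {value!r}")
    try:
        numeric = tuple(int(part) for part in ver.split("."))
    except ValueError:
        raise ValueError(f"non-numeric version in {value!r}") from None
    return namespace, numeric


def version_at_least(value: str, namespace: str, minimum: Tuple[int, ...]) -> bool:
    """True when the claim is in the expected namespace and numerically >= minimum.
    Plain string comparison would order "1.10" before "1.2"; tuples do not."""
    ns, numeric = parse_profile_version(value)
    return ns == namespace and numeric >= minimum


def assurance_rank(payload: Dict) -> Optional[int]:
    """Rank of the strongest RAF IAP value present, or None when the claim is
    missing or carries no recognised value (the schema-placeholder case)."""
    values = payload.get(ASSURANCE_CLAIM)
    if values is None:
        return None
    if isinstance(values, str):
        values = [values]
    ranks = [RAF_IAP.index(v) for v in values if v in RAF_IAP]
    return max(ranks) if ranks else None


def check_payload(payload: Dict, namespace: str, min_version: Tuple[int, ...],
                  min_iap: str) -> List[str]:
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems: List[str] = []
    ver = payload.get(VERSION_CLAIM)
    if ver is None:
        problems.append("version claim missing")
    else:
        try:
            if not version_at_least(ver, namespace, min_version):
                problems.append(f"version {ver} below required {min_version}")
        except ValueError as exc:
            problems.append(str(exc))
    rank = assurance_rank(payload)
    if rank is None:
        # Unknown assurance must not be treated as high assurance.
        problems.append("assurance level unknown; treat as lowest")
    elif rank < RAF_IAP.index(min_iap):
        problems.append("assurance level below required")
    return problems


def encoded_payload_length(payload: Dict) -> int:
    """Length of the base64url payload segment, the part that grows with every claim."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


# Constructed sample payload (not a real token, no signature).
SAMPLE = {
    "sub": "user@example.org",
    "iss": "https://iam.example.org/",
    VERSION_CLAIM: "WLCG:1.0",
    ASSURANCE_CLAIM: [RAF_IAP[0], RAF_IAP[1]],
}

if __name__ == "__main__":
    print(check_payload(SAMPLE, "WLCG", (1, 0), RAF_IAP[1]))
    print(encoded_payload_length(SAMPLE))
```

A relying party that only needs exact-version matching can keep the string form; the tuple parse matters once a service accepts "version 1.2 or later". Dropping the assurance list from `SAMPLE` and re-running `encoded_payload_length` shows how much two RAF URIs add to every token.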
- Suggestion to have another pre-GDB in December
  - Complete schema
  - Assess pilots (should be running at CERN)
- AIM BEFORE CHRISTMAS
  - Pilots deployed within CERN and HR DB connection
  - Proof-of-concept workflows for command line
  - NB: IAM lost a person, there may be delays
  - HR DB library does not exist yet and the structure is changing. Andrea has legacy code in VOMS Admin that he will extract. Can potentially do it in a way that is usable by e.g. Check-in
- WLCG AAI Privacy Notice: https://docs.google.com/document/d/1E35DEuptjz0CSWvmegECRjCvCMtCb2UFhtUXPeGA2To/edit?usp=sharing
- Request from Dave K to present at HEPiX (to Andrea) - could potentially go (clashes with DI4R)
  - Andrea willing to attend
  - 20 minutes
  - Should make sure to coordinate with Paolo's talk
  - CHEP talk could be largely reused
Actions:
- @Nicolas/@Andrea both pilots to let Hannah know what kind of VM/container is required for deployment
- @Hannah to collect privacy statement data from pilots and combine with existing VOMS admin data
- @Maarten to put Hannah in loop for VOMS admin privacy notice work
- @Maarten to get CERN accounts for Nicolas & colleagues
- @Hannah to remind people to update JWT Token Catalogue
- @Nicolas to add schema placeholder for LoA
- @Brian to propose versioning methodology on the mailing list
- @Hannah to ask Ian C if we can take December pre-GDB 11th
- @Maarten to check clashing meetings in December
- @Andrea to send email to the list to say that he is willing to present at HEPiX, just check there is no clashing proposal. Adapt CHEP talk for HEPiX