WLCG AuthZ Call

Friday 12 Oct 2018, 16:00 → 17:30 Europe/Zurich

Documents:

• Schemas at https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Proposed agenda:

1. JWT Token Catalogue Document sign-off https://docs.google.com/document/d/1XQvh2dxDivUstjQaS3K6tkpLyvXlEOR4QU8YtTzDqg4/edit 
2. Privacy policy update
3. Pilot CERN deployment update
4. Schema document comments

Outstanding Actions:

• @Nicolas/@Andrea both pilots to let Hannah know what kind of VM/Container required for deployment
• @Nicolas to add schema placeholder for LoA
• @Brian to propose versioning methodology on the mailing list

WLCGAAIPrivacyStatement.pdf

Attendees: Romain, Maarten, Brian, DavidC, Hannah, AndreaC

Notes: 

• Maybe organise face-to-face call Friday week of 22nd 
• We should consider data that is taken from users and used to generate DNs from RCAuth
• RCAuth currently requires consent rather than relying on legitimate interest. Could change in future. 
• This will certainly not be a final privacy statement
• RCAuth privacy statement https://rcauth.eu/privacy
• Do we want to keep data for ever, based on legitimate interest of academic traceability? Send to Management Board for input. VOMS is not necessarily the source of truth for who is in an experiment.
• We need to support the right to be forgotten?
• HR keeps VO information, that should be the source of truth
• Is LoA personal information? General consensus is No
• Checkin deployment
  • Accessed to CERN OpenStack and installed VM
• IAM
  • Not yet :)
• Deployment help
  • Open Stack documentation (will have to do firewall opening request for 443/80) http://clouddocs.web.cern.ch/clouddocs/ 
  • OpenShift documentation https://cern.service-now.com/service-portal/article.do?n=KB0004358, http://information-technology.web.cern.ch/services/PaaS-Web-App 
  • OAuth CERN SSO https://espace.cern.ch/authentication/CERN%20Authentication/OAuth.aspx
  • SAML CERN SSO https://espace.cern.ch/authentication/CERN%20Authentication/Configure%20a%20SAML2%20Application.aspx
  • DB On Demand (not required for now unless you want!) http://information-technology.web.cern.ch/services/database-on-demand
  • CA (CERN) https://ca.cern.ch/ca/
• What do we want from the pilots?
  • Deployed at CERN
  • Privacy policies approved by HR and HR DB view integrated in pilot deployment 
  • Ask us when you have Qs :)
• Nicolas has added content on LoA. Difficulty is that multi factor authentication is not included in RAF. 
  • Discussion on how we include it in tokens
  • Need additional time to consider whether this should be a base claim or only in the authorisation token
• BIG TOPIC, we need to clarify confusion between the different tokens

Actions:

• Hannah  -ping Mischa/Brian/Paul/Nicolas to clarify Qs on JWT Catalogue

• Hannah - ask Dave and Mischa how to handle this potential conflict between RCAuth providing certificate DNs vs RCAuth taking information from IdPs to generate DNs

• Romain - in Tuesday meeting ask management board on importance of keeping user records in WLCG AAI indefinitely (may also be possible to keep a subset of data that won't change?)

• Hannah - change "Experiment computing role of the person (e.g. "production manager")" to roles and groups

• Hannah - make changes to privacy statements and send to HR

• Hannah - make summary slides for Tuesday

• Pilots - deploy within CERN

• Hannah - send around a doodle for the week of the 22nd, likely Friday afternoon