<!-- This slide is blank to show the CERN logo. Hit "s" during presentation for speaker mode (see the notes). -->

---

# CERN & WLCG FIM4R Update, 17/02/2020

*Presented by Hannah Short, CERN IT*

###### Input from Malt AAI Project Team and the WLCG Authorization Working Group

---

## What is CERN?

- CERN is a Laboratory that runs
  - Physics experiments
  - Research computing
  - Experiment membership vetting
- CERN hosts multiple online services for Research as an SP Proxy in eduGAIN
- CERN acts as an IdP in eduGAIN for its researchers

![](https://codimd.web.cern.ch/uploads/upload_f36fca8c710d2e3842d2a42c177be864.png =250x150)

---

## What is the WLCG?

- Worldwide Large Hadron Collider (LHC) Computing Grid
- Computing Infrastructure to handle the high data throughput of large experiments
- Distributed between 170 computing centres
- Highly configurable; each experiment uses it in different ways and has a different set of authorized users

![](https://codimd.web.cern.ch/uploads/upload_9b18a86e41bd690fb2aad9217efc3433.jpg =250x150)

---

## Authentication and Authorization

| | CERN | WLCG |
| --- | --- | --- |
| Web AuthN | ADFS based SP Proxy | X.509 |
| Command line AuthN | Kerberos (CERN Accounts) | X.509 |
| AuthZ | e-Groups | VOMS groups/roles |
| ID Vetting | Known through account type | Experiment/Users Offices |

*AuthZ = Authorization, AuthN = Authentication*

---

## What's new?

* Many changes in the past few years
  * Evolution of FIM technologies
  * Increased interest in Token based AuthN/Z from Physics community
  * Guidance from AARC
* Now is the time for CERN and WLCG to align :)

---

## What's new?

![](https://codimd.web.cern.ch/uploads/upload_57a3a465ca3a6fe9bfc63481e2640fee.png =400x400)

*Project to Prioritize: Free, Open Source & No Vendor Lock-in*

---

## Moving off Microsoft (CERN)

- Many Microsoft components in current Authentication and Authorization stack
  - ADFS, AD, FIM, MIM
- Appropriate open source alternatives found
- CERN-wide Authorization handled via OAuth protected REST API
- Account linking supported
- Some custom development still required
- Must remain easy for people to connect their Apps and define authorization

---

## Moving away from X.509 (WLCG)

- Working Group running for 2 years to define transition away from X.509
- Token Schema almost finalised
- Pilot architectures tested, decided on [INDIGO IAM](https://github.com/indigo-iam), integrated behind CERN SSO
- Will handle WLCG-specific workflows

---

# CERN as an SP Proxy

![](https://codimd.web.cern.ch/uploads/upload_fe4d176be77b33b98f1d4dfbffd53388.png =700x450)

---

# CERN as an IdP

![](https://codimd.web.cern.ch/uploads/upload_223ed8bf2735139bb256366896469def.png =700x450)

---

# WLCG

![](https://codimd.web.cern.ch/uploads/upload_80f8a3dc6d1f8429a2918857cc88f581.png =700x450)

---

## The result

* Services adapted to their purpose and maintained by relevant user communities
  * SSO vs eduGAIN integration vs WLCG
* Unified move to OAuth/OIDC
* More intuitive user experience

***Note: Certificate authentication will no longer be supported at CERN SSO***

---

## Our experience so far

| Component | Good | Not-so-good |
| --- | --- | --- |
| Satosa | Mostly works nicely | There are some features missing (e.g. encryption) |
| Pyff | Was a good tool | Useful features being deprecated |
| Keycloak | Good performance | Not set up for environments with large number of admins |

---

# Try it

https://users-portal.web.cern.ch

Please tell me if it doesn't work for you, we are still finalising config!

---

# Thanks, Questions?

---

# Appendix

---

# Infrastructure

![](https://codimd.web.cern.ch/uploads/upload_a38bf03e45395ce524f78a2b4be4e6f0.png =700x450)

---

# Infrastructure

| Component | Implementation |
| --- | --- |
| eduGAIN SP Proxy & eduGAIN IdP | [Satosa](https://github.com/IdentityPython/SATOSA) |
| Discovery Service and Metadata Distribution Service | [PyFF](https://pyff.readthedocs.io/en/latest/) |
| SSO | [Keycloak](https://www.keycloak.org) |
| WLCG Proxy | [INDIGO IAM](https://github.com/indigo-iam) |
| CERN LDAP | [FreeIPA](https://www.freeipa.org/page/Main_Page) |
| Authorization API | In house development, REST |

---

# Particular Challenges

* Smooth CERN IdP transition (e.g. unique IDs based on ADFS GUID)
* Change Management (many moving pieces)
* Speed (code freeze required before accelerators are commissioned)
* Support and documentation for community tools
* Testing (thank goodness for https://samltest.id)

---