WLCG AuthZ Call


Proposed agenda: 

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP

Join by H.323
Meeting ID: 947 1885 7994
Password: <see email>

Attendees: Hannah, Andrea, IanC, Alex, Brian, Tom, Enrico, Jeny, Julie, David, Linda, Marcelo, Jeffrey, Paul


  • Supercomputing HPC meeting https://docs.google.com/document/d/1yss1gDOtsH_-O_vL-saKnt1cwR3l_3Lr1nYomwKe4C0/edit
    • Kickoff meeting, SKA, PRACE, CERN, GEANT
    • WLCG presented
    • eduTEAMs presented, would have been good to mention IAM
    • Demonstrators for data access and authentication 
    • Signup sheet to follow demonstrators
  • Hackathon https://indico.cern.ch/event/953075/
    • Generally a success, EU and US attendance
      • Particularly on the 1st day
    • Defined set of achievable objectives, e.g.
      • Update smoke test scripts to use JWT (checks if transfers are working correctly)
      • Data transfer workflows proof of concepts
      • JWT compliance test suite (identified some bugs), Token Factory produces malformed tokens to verify
      • Group AuthZ for Rucio etc.
      • Mapping VO level identity to local user identity, now under development by Brian
      • Simplifying enrolment flows
        • Although some VOs want human check too
      • Transitioning IAM in production for VOs
        • ATLAS & LHCb would like an instance 
    • Notes linked from agenda
  • Choice between WLCG IAMs or CERN IdP, e.g. Jupyter Notebook
    • CERN IdP integrates with e-groups which is useful for services that already have users in e-groups
    • Missing a few things
      • Experiment AUP, depends whether grid service should be reserved ONLY for HR DB checked individuals
      • How are experiment e-groups managed? This is probably not be equivalent with HR DB check
    • Must be behind IAM if
      • WLCG token schema, or integrating with others
      • Require verified membership 
    • Need to check policy and see if HR DB membership and e-group are equivalent https://documents.egi.eu/public/RetrieveFile?docid=79&filename=EGI-SPG-VOManagement-V1_0.pdf&version=6 (Auth assurance policy to be updated)
      • Perhaps less important now that we have personID in the token (x.509 were decoupled)
      • Should update policies as part of this effort
    • We should also try to retire VOMS Admin, this would boost membership and uptake
      • Many services still relying on grid map files, this needs to be available in IAM
      • LOTS of work :) schedule for early next year
        • Some enhancements required in IAM
        • Load tests (need estimates)
        • Test migrations
        • Technical migration (Laurence Field is service owner)
        • User onboarding documentation & processes per VO
        • Policies
  • Personal Data in UserInfo endpoint
    • Can configure scopes per client, IAM now configured not to display info.
      • For services that need this information we should enable scopes and ensure that tokens are exchanged appropriately to be able to access the information
      • Generally, Bearer tokens should not have profile or email scope that exposes UserInfo data. If the information is needed, the tokens should be exchanged for one that is allowed those scopes
      • This could be easy and quick to change if needed
    • Closing UserInfo endpoint would break spec  
    • But let's consider...
      • This data is available in current system (X.509)
      • Seems little concern from GDPR perspective (e.g. French authority said this level of data was low concern)
      • Scopes and audiences are designed to limit power
      • If a token can be used to launch jobs etc, surely getting an email address is less impactful
      • Email addresses are useful (this is professional email in most cases)


  • Hannah to set up meetings with ATLAS and LHCb
    • Joel Closier (LHCb)
    • Alessandro de Salvo (ATLAS)
  • Hannah request comments on Audience MR
  • Dave K to set up a policy maker group to understand whether policies on membership need tweaking (new version due anyway as policies are outdated)
  • Hannah to invite Laurence to the next meeting
  • Hannah make Google doc for VOMS Admin deprecation etc. https://docs.google.com/document/d/1Mk24GET8q2BIIpkl-ccIIziNF4IbehX_NvfrqCDDqjY/edit?usp=sharing
  • Hannah send summary of personal data issues
There are minutes attached to this event. Show them.
The agenda of this meeting is empty