GGUS user authentication
Tiziana Ferrari/EGI.eu, Peter Solagna/EGI.eu
05-02-2013

Requirements (1/2)
• (1) Information from GGUS tickets must be accessible to all users for traceability of issues and sharing of information across one or multiple VOs (WLCG)
• GGUS tickets must not include confidential information, whatever user authentication mechanism is adopted (see following slide)
• (2) Allow all users (including those not holding an X.509 certificate) to submit tickets
• Usage of robot certificates and eduGAIN credentials is gaining popularity

Requirements (2/2)
• (3) Users must be authenticated
• GGUS must be protected from spam: user e-mail verification needed
• No identity vetting and e-mail verification when registering a new SSO account; membership of the inspire-members SSO group does not satisfy (2)
• (4) X.509 authentication must coexist with other user authentication mechanisms (WLCG)

Confidentiality
• Information available from GGUS must not be confidential
• Service operations security policy
• “You shall use logged information, including information provided to you by Users, other Resource Centres, Service operations or by the Infrastructure Organization, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information”
• IP addresses, middleware packages, log extracts must not include confidential information: the submitter must apply due diligence in this
• Users holding a valid X.509 certificate are not necessarily more trustworthy

For discussion
• EGI SSO: no guarantee of user e-mail validity
• Various implementation scenarios
• Possible short term solution
• Usage of an established IdP federation like REFED preferable
• GGUS must become a Service Provider
• GGUS service metadata to be distributed to the IdPs of the federation, and IdP metadata to be imported by GGUS
• REFED can coexist with authentication of users with an X.509 certificate who are not members of a federated IdP
• E.g. of implementation: Portal of NGI_IT