1 / 5

Identity Federation - HEP/WLCG

WLCG Group. Identity Federation - HEP/WLCG. FIM4R Meeting, Helsinki, Finland , 2-3 October 2013, D. Kelsey, R. Wartel. Use cases. Use cases in WLCG are: Web-based (grid portals used for job submission, wikis, etc.) CLI-based (job submission, admin tasks)

tola
Download Presentation

Identity Federation - HEP/WLCG

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WLCG Group Identity Federation - HEP/WLCG FIM4R Meeting, Helsinki, Finland, 2-3 October 2013, D. Kelsey, R. Wartel

  2. Use cases • Use cases in WLCG are: • Web-based (grid portals used for job submission, wikis, etc.) • CLI-based (job submission, admin tasks) • Use cases foreseen by the experiments for federated identities • Alice: Interested - but would rather the work to focus in priority on the Web use case • Atlas: Interested in both CLI and Web use case • CMS: No immediate adoption foreseen, but supportive of both CLI + Web use cases • LHCb: Interested - in particular in a CLI 2

  3. Technical work • Conduct no further work on an ECP-based CLI pilot for now • Pilot works, but ECP will not be available for some time, making deployment difficult • Investigate alternative solutions for a CLI (supported by CILogon) • Focus on the Web use case • Understand what WLCG users (LHC experiments) need exactly • Determine how the pilot should interface with existing services • Very little progress since the last meeting • Support can be provided by the WLCG working group • But experiments will have to do the integration work • Not perceived as an important priority in the short term 3

  4. Operational considerations • Identity federation brings more than implementation issues • Affects security incident handling and security operations • In the current model • Service providers implement user banning & conduct forensics • IdPs (e.g. certificate authority) perform (almost) no operational role • In a federated realm • IdPs implement emergency suspension and also collect essential traceability information • IdPs will therefore have to provide operational capabilities and actively participate in incident response • Providing operational capability is a significant change • Requires careful planning to ensure sufficient logging, expertise, communication channels, etc. are in place 4

  5. Attributes • HEP/WLCG has used user attributes for many years: • Full name + email address • Base attributes verified with high LoA (passport verification) • Additional attributes are aggregated later • VO membership and role • In the future, the same attributes will likely be used • LoA may (have to) vary however • These issues are actively discussed within the IGTF (http://www.igtf.net/) • HEP/WLCG needs few and simple attributes • But they need to be fully harmonised across administrative domains 5

More Related