<!--
This slide is blank to show the CERN logo.
Hit "s" during presentation for speaker mode (see the notes).
-->
---
# CERN's Identity and Access Management
CHEP November 7th 2019, Adelaide
*Presented by Hannah Short, CERN IT*
###### Authored by the Malt AAI Project Team: P. Tedesco, A. Aguado Corman, D. Fernandez Rodriguez, M. Georgiou, J. Rische, C. Schuszter, H. Short
---
# A Journey to Open Source
![](https://codimd.web.cern.ch/uploads/upload_57a3a465ca3a6fe9bfc63481e2640fee.png =400x400)
---
# Why change?
* Microsoft-based Identity Management stack strongly affected by a **licence fee price increase**
* Opportunity to **harmonise** CERN and WLCG Authentication & Authorization
* Focus on Data **Privacy** requires a new authorization model
---
# Principles of change
* Identify suitable **alternatives** based on use cases
* Prioritise **Free and Open Source software**
* Stick to **standards**
* Contribute back and share knowledge
---
# Before
![](https://codimd.web.cern.ch/uploads/upload_d3409f7db221937a2934fe0f11573544.png =700x)
---
# After
![](https://codimd.web.cern.ch/uploads/upload_9f8ff9e8ee4136ae2af20864f0e72c6e.png =600x)
<!--
Note: SSO and LDAP are large cost components; FIM is not. Enabling OIDC and OAuth2 also aligns with what is happening in WLCG.
-->
---
# Timeline
```mermaid
gantt
title AAI Roadmap
section Single-Sign-On
Design : 2018-01-01, 300d
Development : 2018-12-31, 400d
Pilot : 2019-09-30, 300d
Migration : 2020-06-30, 900d
section Directory Services
Design : 2019-01-01, 300d
Development : 2019-06-30, 400d
Pilot : 2020-06-30, 300d
Migration : 2021-01-30, 900d
```
---
# What's changing?
---
# New Look
![](https://codimd.web.cern.ch/uploads/upload_56013db02f41140648b3475e111d00d0.png =600x)
---
# Roles
![](https://codimd.web.cern.ch/uploads/upload_ae566fcf691dc3006996719286f1d3b1.png =450x)
*Application owners decide on roles for their application and map them to user groups*
---
# Tokens
*OIDC support in addition to SAML. Example decoded ID token payload (`typ: ID`), with CERN-specific claims prefixed `cern_`:*
```json
{
  "iss": "https://auth.cern.ch/auth/realms/cern",
  "aud": "oidc-attribute-viewer",
  "sub": "hshort",
  "typ": "ID",
  "cern_person_id": 777777,
  "name": "Hannah Short",
  "preferred_username": "hshort",
  "cern_roles": [
    "testrole",
    "mfa_role"
  ],
  "given_name": "Hannah",
  "cern_preferred_language": "EN",
  "family_name": "Short",
  "email": "hannah.short@cern.ch",
  "eduperson_orcid": "0000-0003-2187-0980",
  "cern_upn": "hshort"
}
```
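The two slides above (Roles and Tokens) describe what a relying party receives: an ID token carrying `cern_roles`, which the application owner maps onto the application's own roles. The following is an added example, not CERN's or the Malt project's code, of what the relying-party side must do with such a token before trusting that claim: pin the algorithm, verify the signature, check `iss`, `aud` and `exp`, and only then map roles to permissions. It assumes an HS256 shared secret constructed here (real ID tokens are RS256-signed and verified against the issuer's published JWKS; the claim checks are the same), adds constructed `iat`/`exp` values that the payload on the slide does not show, and uses a hypothetical `ROLE_PERMISSIONS` mapping standing in for an application owner's role decisions.

```python
"""Validate an OIDC ID token and authorise on its cern_roles claim.

Added example (not CERN/Malt code). Assumes HS256 with a constructed
shared secret; production tokens are RS256, verified with the issuer's
JWKS public key, with identical claim checks.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.cern.ch/auth/realms/cern"
CLIENT_ID = "oidc-attribute-viewer"  # the relying party's own client id

# Constructed for this example; never hard-code a real signing secret.
SHARED_SECRET = b"example-hs256-secret-do-not-use"

# Hypothetical application-side mapping: the application owner decides
# which cern_roles grant which permissions in this application.
ROLE_PERMISSIONS = {
    "testrole": {"view"},
    "mfa_role": {"view", "edit"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_id_token(token: str, secret: bytes, *, issuer=ISSUER,
                    audience=CLIENT_ID, now=None) -> dict:
    """Return the verified claims or raise ValueError.

    Order matters: pin the algorithm (rejects alg=none and downgrades),
    check the signature, then check iss, aud and exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):  # a missing exp is treated as expired
        raise ValueError("token expired")
    return claims


def is_valid(token: str, secret: bytes, *, now=None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only gate."""
    try:
        verify_id_token(token, secret, now=now)
        return True
    except ValueError:
        return False


def permissions_for(claims: dict) -> set:
    """Map the token's cern_roles onto this application's permissions."""
    perms = set()
    for role in claims.get("cern_roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(claims: dict, permission: str) -> bool:
    return permission in permissions_for(claims)


# Payload from the slide, with constructed iat/exp added.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "hshort", "typ": "ID",
    "cern_person_id": 777777, "name": "Hannah Short",
    "preferred_username": "hshort", "cern_roles": ["testrole", "mfa_role"],
    "given_name": "Hannah", "cern_preferred_language": "EN",
    "family_name": "Short", "email": "hannah.short@cern.ch",
    "eduperson_orcid": "0000-0003-2187-0980", "cern_upn": "hshort",
    "iat": 1573084800, "exp": 1573085100,
}
NOW = 1573084900  # constructed instant inside the token's validity window

if __name__ == "__main__":
    token = sign_id_token(SAMPLE_CLAIMS, SHARED_SECRET)
    claims = verify_id_token(token, SHARED_SECRET, now=NOW)
    print(claims["sub"], sorted(permissions_for(claims)))
```

Roles are resolved only from claims that survived every check, so a token re-signed under another key, an `alg: none` header, a token minted for a different client, or an expired one never reaches the role mapping; unknown roles simply grant nothing.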
---
# Researcher Lifecycle Management
* Account linking
* Retirees to maintain access without CERN accounts
* [ORCID](https://orcid.org) Researcher Identifiers
---
# Get involved!
1. Become pilot users of the new Single-Sign-On
2. Enable [OAuth2](https://oauth.net/2/)/[OIDC](https://openid.net/connect/) for your use cases (web, grid)
3. Follow the [Malt Project](https://malt.web.cern.ch/malt/)'s progress
---
{"title":"CERN's Identity and Access Management, a journey to Open Source","type":"slide","slideOptions":{"theme":"cern3","transition":"slide"}}