<!--
This slide is blank to show the CERN logo.
Hit "s" during presentation for speaker mode (see the notes).
-->
---
# CERN & WLCG
FIM4R Update, 17/02/2020
*Presented by Hannah Short, CERN IT*
###### Input from Malt AAI Project Team and the WLCG Authorization Working Group
---
## What is CERN?
- CERN is a Laboratory that runs
  - Physics experiments
  - Research computing
  - Experiment membership vetting
- CERN hosts multiple online services for Research as an SP Proxy in eduGAIN
- CERN acts as an IdP in eduGAIN for its researchers
![](https://codimd.web.cern.ch/uploads/upload_f36fca8c710d2e3842d2a42c177be864.png =250x150)
---
## What is the WLCG?
- Worldwide Large Hadron Collider (LHC) Computing Grid
- Computing Infrastructure to handle the high data throughput of large experiments
- Distributed between 170 computing centres
- Highly configurable; each experiment uses it in different ways and has a different set of authorized users
![](https://codimd.web.cern.ch/uploads/upload_9b18a86e41bd690fb2aad9217efc3433.jpg =250x150)
---
## Authentication and Authorization
| | CERN | WLCG |
| --- | --- | --- |
| Web AuthN | ADFS based SP Proxy | X.509 |
| Command line AuthN | Kerberos (CERN Accounts) | X.509 |
| AuthZ | e-Groups | VOMS groups/roles |
| ID Vetting | Known through account type | Experiment/Users Offices |
*AuthZ = Authorization, AuthN = Authentication*
---
## What's new?
* Many changes in the past few years
* Evolution of FIM technologies
* Increased interest in Token based AuthN/Z from Physics community
* Guidance from AARC
* Now is the time for CERN and WLCG to align :)
---
## What's new?
![](https://codimd.web.cern.ch/uploads/upload_57a3a465ca3a6fe9bfc63481e2640fee.png =400x400)
*Project to Prioritize: Free, Open Source & No Vendor Lock-in*
---
## Moving off Microsoft (CERN)
- Many Microsoft components in current Authentication and Authorization stack
  - ADFS, AD, FIM, MIM
- Appropriate open source alternatives found
- CERN-wide Authorization handled via OAuth protected REST API
- Account linking supported
- Some custom development still required
- Must remain easy for people to connect their Apps and define authorization
---
## Moving away from X.509 (WLCG)
- Working Group running for 2 years to define transition away from X.509
- Token Schema almost finalised
- Pilot architectures tested, decided on [INDIGO IAM](https://github.com/indigo-iam), integrated behind CERN SSO
- Will handle WLCG-specific workflows
---
# CERN as an SP Proxy
![](https://codimd.web.cern.ch/uploads/upload_fe4d176be77b33b98f1d4dfbffd53388.png =700x450)
---
# CERN as an IdP
![](https://codimd.web.cern.ch/uploads/upload_223ed8bf2735139bb256366896469def.png =700x450)
---
# WLCG
![](https://codimd.web.cern.ch/uploads/upload_80f8a3dc6d1f8429a2918857cc88f581.png =700x450)
---
## The result
* Services adapted to their purpose and maintained by relevant user communities
* SSO vs eduGAIN integration vs WLCG
* Unified move to OAuth/OIDC
* More intuitive user experience
***Note: Certificate authentication will no longer be supported at CERN SSO***
---
## Our experience so far
| Component | Good | Not-so-good |
| --- | --- | --- |
| Satosa | Mostly works nicely | There are some features missing (e.g. encryption) |
| Pyff | Was a good tool | Useful features being deprecated |
| Keycloak | Good performance | Not set up for environments with a large number of admins |
---
# Try it
https://users-portal.web.cern.ch
Please tell me if it doesn't work for you; we are still finalising the config!
---
# Thanks, Questions?
---
# Appendix
---
# Infrastructure
![](https://codimd.web.cern.ch/uploads/upload_a38bf03e45395ce524f78a2b4be4e6f0.png =700x450)
---
# Infrastructure
| Component | Tool |
| --- | --- |
| eduGAIN SP Proxy & eduGAIN IdP | [Satosa](https://github.com/IdentityPython/SATOSA) |
| Discovery Service and Metadata Distribution Service | [PyFF](https://pyff.readthedocs.io/en/latest/) |
| SSO | [Keycloak](https://www.keycloak.org) |
| WLCG Proxy | [INDIGO IAM](https://github.com/indigo-iam) |
| CERN LDAP | [FreeIPA](https://www.freeipa.org/page/Main_Page) |
| Authorization API | In house development, REST |
---
# Particular Challenges
* Smooth CERN IdP transition (e.g. unique IDs based on ADFS GUID)
* Change Management (many moving pieces)
* Speed (code freeze required before accelerators are commissioned)
* Support and documentation for community tools
* Testing (thank goodness for https://samltest.id)
---