<!-- This slide is blank to show the CERN logo. Hit "s" during presentation for speaker mode (see the notes). -->

---

# CERN & WLCG FIM4R Update

*Presented by Hannah Short, CERN IT*

###### Input from Malt AAI Project Team and the WLCG Authorization Working Group

---

# What is CERN?

- CERN is a Laboratory that runs
  - Physics experiments
  - Research computing
  - Experiment membership vetting
- CERN hosts multiple online services for Research as an SP Proxy in eduGAIN
- CERN acts as an IdP in eduGAIN for its researchers

![](https://codimd.web.cern.ch/uploads/upload_f36fca8c710d2e3842d2a42c177be864.png =250x150)

---

# What is the WLCG?

- Worldwide Large Hadron Collider (LHC) Computing Grid
- Computing infrastructure to handle the high data throughput of large experiments
- Distributed between 170 computing centres
- Highly configurable; each experiment uses it in different ways and has a different set of authorized users

![](https://codimd.web.cern.ch/uploads/upload_9b18a86e41bd690fb2aad9217efc3433.jpg =250x150)

---

# Authentication and Authorization

| | CERN | WLCG |
| --- | --- | --- |
| Web AuthN | ADFS-based SP Proxy | X.509 |
| Command line AuthN | Kerberos (CERN Accounts) | X.509 |
| AuthZ | e-Groups | VOMS groups/roles |
| ID Vetting | Known through account type | Experiment/Users Offices |

*AuthZ = Authorization, AuthN = Authentication*

---

# What's new?

* Many changes in the past few years
* Evolution of FIM technologies
* Increased interest in token-based AuthN/Z from the Physics community
* Guidance from AARC
* Now is the time for CERN and WLCG to align :)

---

# What's new?

![](https://codimd.web.cern.ch/uploads/upload_57a3a465ca3a6fe9bfc63481e2640fee.png =400x400)

*Project to Prioritize: Free, Open Source & No Vendor Lock-in*

---

# Moving off Microsoft (CERN)

- Many Microsoft components in the current Authentication and Authorization stack
  - ADFS, AD, FIM, MIM
- Appropriate open source alternatives found
- CERN-wide Authorization handled via an OAuth-protected REST API
- Account linking supported
- Some custom development still required
- Must remain easy for people to connect their Apps and define authorization

---

# Moving away from X.509 (WLCG)

- Working Group running for 2 years to define the transition away from X.509
- Token Schema almost finalised
- Pilot architectures tested, decided on [INDIGO IAM](https://github.com/indigo-iam), integrated behind CERN SSO
- Will handle WLCG-specific workflows

---

# CERN as an SP Proxy

![](https://codimd.web.cern.ch/uploads/upload_fe4d176be77b33b98f1d4dfbffd53388.png =700x450)

---

# CERN as an IdP

![](https://codimd.web.cern.ch/uploads/upload_223ed8bf2735139bb256366896469def.png =700x450)

---

# WLCG

![](https://codimd.web.cern.ch/uploads/upload_80f8a3dc6d1f8429a2918857cc88f581.png =700x450)

---

# The result

* Services adapted to their purpose and maintained by the relevant user communities
* SSO vs eduGAIN integration vs WLCG
* Unified move to OAuth/OIDC
* More intuitive user experience

---

# Before

![](https://codimd.web.cern.ch/uploads/upload_33ea1d9d7d342f7fb1f45aef3ab0f297.png =450x500)

---

# After

![](https://codimd.web.cern.ch/uploads/upload_775e4c9038e4e8389472953f0322767c.png =450x400)

---

# After

![](https://codimd.web.cern.ch/uploads/upload_e286638ecbcc7f82a784dd3c088ca699.png =600x400)

---

# Thanks, Questions?

---

# Appendix

---

# Infrastructure

![](https://codimd.web.cern.ch/uploads/upload_a38bf03e45395ce524f78a2b4be4e6f0.png =700x450)

---

# Infrastructure

| Component | Software |
| --- | --- |
| eduGAIN SP Proxy & eduGAIN IdP | [Satosa](https://github.com/IdentityPython/SATOSA) |
| Discovery Service and Metadata Distribution Service | [PyFF](https://pyff.readthedocs.io/en/latest/) |
| SSO | [Keycloak](https://www.keycloak.org) |
| WLCG Proxy | [INDIGO IAM](https://github.com/indigo-iam) |
| CERN LDAP | [FreeIPA](https://www.freeipa.org/page/Main_Page) |
| Authorization API | In-house development, REST |

---

# Particular Challenges

* Smooth CERN IdP transition (e.g. unique IDs based on ADFS GUID)
* Change Management (many moving pieces)
* Speed (code freeze required before accelerators are commissioned)
* Support and documentation for community tools
* Testing (thank goodness for https://samltest.id)

---
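# Appendix: What an OAuth-protected REST API checks

The "Moving off Microsoft" and "The result" slides describe services that accept a bearer token from the SSO / IAM layer instead of an X.509 certificate or Kerberos ticket, and take their authorization decision from what the token carries. The block below is an added example written for this page, not CERN, WLCG, Keycloak or INDIGO IAM code. It assumes hypothetical issuer and audience URLs, HS256 with a shared secret (so it runs offline; a real resource server verifies RS256/ES256 against the issuer's published JWKS keys), and placeholder `scope` and `groups` claim names, which are not the WLCG token schema.

```python
"""Bearer-token check behind an OAuth-protected REST endpoint.

Added example, not CERN or WLCG code. Hypothetical assumptions:
  - tokens are compact JWTs signed with HS256 and a shared secret; a
    production resource server would verify RS256/ES256 against the
    issuer's JWKS keys instead, but HS256 keeps this runnable offline
  - authorization data travels in a space-separated `scope` claim and a
    `groups` list; both claim names are placeholders, not the WLCG schema
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-shared-secret"        # constructed sample key
ISSUER = "https://issuer.example/auth"       # placeholder issuer URL
AUDIENCE = "https://api.example/authz"       # placeholder audience (this API)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: header.payload.signature, HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    """Any reason the token must be rejected outright (maps to HTTP 401)."""


def verify_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Resource-server side: check the signature before trusting any claim,
    then pin issuer, audience and the validity window."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:               # bad base64, bad UTF-8 or bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm: taking `alg` from the token (including "none")
    # is the classic JWT verification mistake.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # A token without `exp` is treated as already expired.
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise TokenError("token outside validity window")
    return claims


def authorize(claims: dict, required_scope: str, required_group: Optional[str] = None) -> bool:
    """Decision from token contents only: a scope is mandatory, a group (the
    token-world counterpart of an e-group or VOMS group) is optional."""
    scopes = claims.get("scope", "").split()
    if required_scope not in scopes:
        return False
    return required_group is None or required_group in claims.get("groups", [])


def handle_request(token: str, required_scope: str,
                   required_group: Optional[str] = None,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Per request: 401 if the token is not trustworthy, 403 if it is valid
    but lacks the needed scope/group, otherwise 200 with the subject."""
    try:
        claims = verify_token(token, now=now)
    except TokenError as err:
        return 401, str(err)
    if not authorize(claims, required_scope, required_group):
        return 403, "insufficient scope or group"
    return 200, claims.get("sub", "")


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user42",
                      "nbf": t0 - 5, "exp": t0 + 600,
                      "scope": "openid authz.read", "groups": ["/cms/ops"]})
    print(handle_request(tok, "authz.read", "/cms/ops"))   # (200, 'user42')
    print(handle_request(tok, "authz.write"))              # (403, ...)
```

Order matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the token, audience and issuer are compared against fixed values, and a missing `exp` is rejected. The e-Groups / VOMS groups row of the AuthN/AuthZ table maps onto the `groups` claim here; a real deployment takes the claim names from the finalised token schema.

---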
{"title":"CERN and WLCG","type":"slide","slideOptions":{"theme":"cern3","transition":"slide"}}