The new CERN Authentication and Authorization
Paolo Tedesco
Emmanuel Ormancey
Hannah Short
Tim Smith
Current situation
Kerberos authentication
[Diagram: Users → Active Directory → Kerberos tokens → Terminal access → LXPlus, AFS]
• Desktop/terminal login
• Console-based core services
• Local credentials
• No federation support
• "Guest" CERN accounts required
• No Multi-Factor Authentication (MFA) support
Single Sign-On authentication
[Diagram: Users → Single Sign-On → SAML / OAuth2 tokens → Web App (browser access)]
• Support for Multi-Factor Authentication
• Support for federation
• Focused on (restricted to) web applications
Authorization
[Diagram: Groups Management → Groups → Active Directory, Single Sign-On]
Based on groups
• Local accounts required
• Policies limited to CERN users
Applications can use:
• LDAP / KRB (privacy concerns)
• SSO token (technical problems)
WLCG authentication
[Diagram: Users → PKI (get certificate) → VOMS (certificate proxy) → Terminal access → Grid nodes]
'Federation-like' X.509 certificates
• Circles of trust (EUGridPMA, IGTF)
• Difficult user experience
Emerging alternatives & projects, based on:
• SAML (e.g. eduGAIN)
• OIDC (e.g. ORCID)
• OAuth2 (SciTokens, INDIGO-IAM)
Future plans
Opportunity for improvement
• Designing the next generation of CERN authentication and authorization services
• Provide uniform access schemes and user experience
• Similar architecture for CERN and HEP usage
New authentication
[Diagram: Users → Keycloak (SSO) / Keycloak (CERN WLCG) → SAML / OAuth2 / OIDC tokens → Web app; SciTokens → Grid nodes; Token conversion service → Kerberos → Kerberos app (AFS, LXPlus)]
• Tokens at the heart
• WLCG alignment
• Single Sign-On for all
• Token conversion service
New authorization
[Diagram: CERN Identities (HR) DB and Federated + social identities → Authorization Service (Identities, Accounts, groups, Permissions) → LDAP + Kerberos (FreeIPA), Single Sign-On (Keycloak), Resources Management]
Full federation support
Identities management
• Map account(s) to an identity
• Application-specific roles
• Levels of Assurance, MFA
• Reduce privacy impact
Resources lifecycle and policies
Extend to non-CERN accounts
• Support federated identities
• More flexible policies
• Better granularity of allocation
• Federated identity ownership
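Added example, not from the slides or from CERN's own implementation, of the identity-centric authorization model the "New authorization" and "Resources lifecycle and policies" slides describe: accounts from several providers (CERN, federated, social) map to one identity, application-specific roles attach to the identity rather than to any single account, and every decision checks the level of assurance and MFA of the account actually used to log in. Provider names, level names, role names and resource names are constructed for the example.

```python
from dataclasses import dataclass

LOA_RANK = {"low": 1, "medium": 2, "high": 3}  # assurance levels, increasing (names assumed)

@dataclass(frozen=True)
class Account:
    provider: str      # e.g. "cern", "edugain", "social" (assumed provider names)
    username: str
    loa: str           # assurance the provider vouches for at this login
    mfa: bool = False  # whether a second factor was used at this login

@dataclass(frozen=True)
class Policy:
    resource: str
    application: str
    role: str          # application-specific role the identity must hold
    min_loa: str
    require_mfa: bool = False

class AuthorizationService:
    def __init__(self, policies=()):
        self.accounts = {}  # (provider, username) -> person_id
        self.roles = {}     # (person_id, application) -> set of role names
        self.policies = {p.resource: p for p in policies}

    def link_account(self, person_id, account):
        # Map an account (CERN, federated or social) to exactly one identity.
        key = (account.provider, account.username)
        if self.accounts.get(key, person_id) != person_id:
            raise ValueError(f"{key} is already linked to another identity")
        self.accounts[key] = person_id

    def grant_role(self, person_id, application, role):
        self.roles.setdefault((person_id, application), set()).add(role)

    def decide(self, account, resource):
        # Return (allowed, reason) for a session that logged in with `account`.
        policy = self.policies.get(resource)
        if policy is None:
            return False, "no policy for resource: default deny"
        person_id = self.accounts.get((account.provider, account.username))
        if person_id is None:
            return False, "account not mapped to an identity"
        if policy.role not in self.roles.get((person_id, policy.application), set()):
            return False, f"identity lacks role '{policy.role}'"
        if LOA_RANK[account.loa] < LOA_RANK[policy.min_loa]:
            return False, f"assurance '{account.loa}' below required '{policy.min_loa}'"
        if policy.require_mfa and not account.mfa:
            return False, "MFA required for this resource"
        return True, "allowed"
```

A federated login inherits the roles granted to the person, but cannot reach a resource whose policy demands more assurance than that provider gives.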
Changes ahead
• Changes and upgrades required in all services and applications
• Occasion for services to evolve
  • Align to token-based authentication
  • Widen their user scope
• Fall-back solutions for legacy services
  • Token conversion
Links
• The Road to the new CERN Authentication (whitepaper)
• CERN Authentication and Authorization Infrastructure Design (informal architecture overview)