
TAGPMA Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020)

Derek Simmel (Pittsburgh Supercomputing Center)
Description

The Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020) is an online workshop to bring together developers and implementers of current token-based authentication and authorization methods, tools and infrastructures, to present and discuss their work and to inform the broader HPC, research and education (R&E), and information security communities regarding these topics. Of particular interest are requirements and methods for integration of token-based authentication and authorization with production systems and services in Science Gateways, HPC and Cloud environments.

To maximize opportunity for international participation, the workshop took place over two 3-hour sessions on the following days:

  • Monday, November 30, 2020 09:00-12:00 EST (UTC -5:00)
  • Tuesday, December 1, 2020 09:00-12:00 EST (UTC -5:00)

WoTBAN&AZ 2020 was hosted online via the Zoom platform by The Americas Grid Policy Management Authority (TAGPMA), one of three regional PMAs that form the Interoperable Global Trust Federation (IGTF).

Workshop presentation materials are linked below in the agenda. Sessions were recorded and links to corresponding video files are also included below in the agenda.

(c) 2020 TAGPMA and Authors of contributed materials.

  • Monday, 30 November
    • 08:45 09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00 09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05 09:55
      Token Based Authorisation for WLCG

      The WLCG Authorization Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorization Infrastructure (AAI) for Worldwide LHC Computing Grid (WLCG) experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorization within the grid; progress in token based authorization and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial and academic) partners. The need for interoperability in this new model is paramount, as infrastructures and research communities become increasingly interdependent.

      Over the past three years, the working group has made significant steps towards defining a system to meet the technical needs highlighted by the community. A token based AAI has been identified, enhanced and deployed to allow several High Energy Physics experiments to integrate their clients and middleware. Key aspects of the work have been possible thanks to externally funded projects, allowing existing AAI components to be adapted to our needs, and individual contributions at several well attended hackathons. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. This schema is being updated as the working group gains practical experience. We present the progress so far, challenges faced and a look at next steps.

      Conveners: Andrea Ceccanti (INFN), Brian Bockelman (CERN), Hannah Short (CERN), Jim Basney (National Center for Supercomputing Applications)
    • 09:55 10:00
      5-minute Break 5m
    • 10:00 10:50
      Globus Auth: expanding the services ecosystem for protected data

      Globus provides a platform for research data management, and a key aspect of the platform is Globus Auth, a standards based solution (OAuth 2.0) for securing applications and services in the research ecosystem. Recently Globus updated the data management services, specifically Globus Connect, to use token based authentication for users, moving away from user certificates. Key motivations include flexible policy handling and support for browser-based/programmatic access to data (via HTTPS) in addition to the bulk access (via GridFTP). Updated data management services also include higher assurance features to support management of protected/restricted data such as PHI, PII and CUI. In support of this, several new features were added to Globus Auth that are now available as a platform for other services to leverage. In this talk, we'll present some of the new features added such as authentication scoped to sessions, optional scopes and streamlining of user interface for consents, and discuss our experience building user friendly interfaces on the new model.

      Convener: Rachana Ananthakrishnan (Globus, University of Chicago)
    • 10:50 11:00
      10-minute Break 10m
    • 11:00 11:50
      LIGO's use of SciTokens

      This panel will discuss ongoing work in LIGO to adopt SciTokens for capability-based access to resources. Panelists will discuss deployment progress on LIGO compute clusters (HTCondor), storage systems (XRootD), and collaboration services (LIGO SegDB), including applicable authorization policies. LIGO is pursuing a hybrid approach with multiple token issuers, including local token issuers on compute cluster login nodes that issue capabilities based on local logins along with a centralized OAuth token issuer (operated by CILogon) that issues capabilities based on LIGO LDAP group memberships. LIGO users do their work mostly on the command-line, so alternatives to OAuth browser-based workflows for token issuance are a priority.

      Conveners: Derek Weitzel (University of Nebraska, Open Science Grid, SciTokens), Duncan Brown (Syracuse University, pyCBC, SciTokens), Duncan Meacher (University of Wisconsin-Milwaukee, LIGO), Jim Basney (National Center for Supercomputing Applications, SciTokens), Zach Miller (University of Wisconsin-Madison, HTCondor, SciTokens)
    • 11:50 12:00
      Wrap-Up: Action Items and Adjourn
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
  • Tuesday, 1 December
    • 08:45 09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00 09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05 09:55
      XSEDE's Perspective on Token Assurance for Authentication and Authorization

      As XSEDE migrates its services, such as SSH and Globus Connect, from X.509 certificates to OAuth tokens, we must maintain an appropriate level of assurance for access to XSEDE resources. XSEDE has adopted IGTF assurance for X.509 certificates and REFEDS assurance for InCommon/eduGAIN SAML assertions, and the comparability between IGTF and REFEDS assurance levels (IGTF DOGWOOD/ASPEN to REFEDS low and IGTF BIRCH/CEDAR to REFEDS medium) has enabled consistency across XSEDE authentication and authorization services. As an AEGIS participant, XSEDE is evaluating AARC-G048 ("Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements") as it applies to OAuth token issuers such as CILogon/SciTokens and Globus.

      In this panel, XSEDE staff will discuss project needs related to levels of assurance for OAuth tokens, the current state of OAuth implementation efforts (e.g., XSEDE OAuth SSH and Globus Higher Assurance Levels), and a new XSEDE IAM Policy under development. The panelists will also discuss interoperability requirements and solicit community input.

      Conveners: Brian Hom (XSEDE, San Diego Supercomputer Center), Derek Simmel (XSEDE, Pittsburgh Supercomputing Center), Jim Basney (National Center for Supercomputing Applications), Lee Liming (XSEDE, University of Chicago, Globus)
    • 09:55 10:00
      5-minute Break 5m
    • 10:00 10:50
      Fermilab's experience transitioning to token-based AAI technologies.

      As Fermilab becomes the host laboratory for international collaborations like DUNE, it is our goal to provide transparent access to computing resources for all of our scientific user community across organizational and national boundaries. Fermilab's Federated Identities project aims to integrate our current infrastructure with Federated-based Authentication and Authorization Infrastructure (AAI) technologies. Our goal is enabling scientific users' access without the burden of managing additional user accounts and forcing users to hold an extra set of authentication credentials.

      Fermilab started working with internal and external scientific services providers in order to transition away from X.509 certificates for user authentication towards newer technologies such as OAuth, OpenID Connect and JSON Web Tokens. During this session, we will present the updates we have made to our architecture to integrate token-based technologies. We will discuss the progress we made by integrating our authorization attributes repository (FERRY) with a token issuer operated by CILogon. An important addition to our current architecture is the deployment of a new online credential repository (Vault) in replacement of MyProxy. We will also discuss the current challenges we are facing, especially maintaining compliance with DoE security policies and requirements while expanding our current infrastructure with novel authentication and authorization mechanisms.

      Conveners: David Dykstra (Fermilab), Jeny Teheran (Fermilab), Mine Altunay Cheung (Fermilab)
    • 10:50 11:00
      10-minute Break 10m
    • 11:00 11:50
      Final Panel: What Have We Learned? What Do We Need? What Should We Do?
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 11:50 12:00
      Wrap-Up: Thanks and Closing Remarks
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)