The old Indico instance is available at http://indico-memoria.rnp.br

TAGPMA Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020)

America/New_York
Zoom Coordinates

Zoom Coordinates

Join Zoom Meeting https://cmu.zoom.us/j/95682797458 For passcode, contact: dsimmel@psc.edu filus@psc.edu Meeting ID: 956 8279 7458 Dial by your location +1 267 831 0333 US (Philadelphia) +1 786 635 1003 US (Miami) +1 929 205 6099 US (New York) +1 301 715 8592 US (Washington D.C) +1 312 626 6799 US (Chicago) +1 470 250 9358 US (Atlanta) +1 470 381 2552 US (Atlanta) +1 646 518 9805 US (New York) +1 651 372 8299 US (St. Paul) +1 253 215 8782 US (Tacoma) +1 346 248 7799 US (Houston) +1 602 753 0140 US (Phoenix) +1 669 219 2599 US (San Jose) +1 669 900 6833 US (San Jose) +1 720 928 9299 US (Denver) +1 971 247 1195 US (Portland) +1 206 337 9723 US (Seattle) +1 213 338 8477 US (Los Angeles) Meeting ID: 956 8279 7458 Find your local number: https://cmu.zoom.us/u/acnDsIhJso Join by SIP 95682797458@zoomcrc.com Join by H.323 162.255.37.11 (US West) 162.255.36.11 (US East) 221.122.88.195 (China) 115.114.131.7 (India Mumbai) 115.114.115.7 (India Hyderabad) 213.19.144.110 (Amsterdam Netherlands) 213.244.140.110 (Germany) 103.122.166.55 (Australia) 209.9.211.110 (Hong Kong SAR) 64.211.144.160 (Brazil) 69.174.57.160 (Canada) 207.226.132.110 (Japan) Meeting ID: 956 8279 7458
Derek Simmel (Pittsburgh Supercomputing Center)
Description

The Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020) is an online workshop to bring together developers and implementers of current token-based authentication and authorization methods, tools and infrastructures, to present and discuss their work and to inform the broader HPC, research and education (R&E), and information security communities regarding these topics. Of particular interest are requirements and methods for integration of token-based authentication and authorization with production systems and services in Science Gateways, HPC and Cloud environments.

To maximize opportunity for international participation, the workshop is scheduled to take place over two 3-hour sessions on the following days:

  • Monday, November 30, 2020 09:00-12:00 EST (UTC -5:00)
  • Tuesday, December 1, 2020 09:00-12:00 EST (UTC -5:00)

WoTBAN&AZ 2020 will be hosted online via the Zoom platform by The Americas Grid Policy Management Authority (TAGPMA), one of three regional PMAs that form the Interoperable Global Trust Federation (IGTF).

We plan to record sessions to make them available for online viewing following the workshop.

Workshop presentation materials will be also be gathered and made available for online access, together with a workshop findings summary paper, to be compiled after the end of the workshop.

We look forward to your submissions and participation!

There are no fees for this workshop. Please do register in advance using the link below, as the number of concurrent participants we can accommodate via Zoom is limited.

  • Monday, 30 November
    • 08:45 09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00 09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05 09:55
      Token Based Authorisation for WLCG

      The WLCG Authorization Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorization Infrastructure (AAI) for Worldwide LHC Computing Grid (WLCG) experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorization within the grid; progress in token based authorization and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial and academic) partners. The need for interoperability in this new model is paramount, as infrastructures and research communities become increasingly interdependent.

      Over the past three years, the working group has made significant steps towards defining a system to meet the technical needs highlighted by the community. A token based AAI has been identified, enhanced and deployed to allow several High Energy Physics experiments to integrate their clients and middleware. Key aspects of the work have been possible thanks to externally funded projects, allowing existing AAI components to be adapted to our needs, and individual contributions at several well attended hackathons. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. This schema is being updated as the working group gains practical experience. We present the progress so far, challenges faced and a look at next steps.

      Conveners: Andrea Ceccanti (INFN), Brian Bockelman (CERN), Hannah Short (CERN), Jim Basney (National Center for Supercomputing Applications)
    • 09:55 10:00
      5-minute Break 5m
    • 10:00 10:50
      Globus Auth: expanding the services ecosystem for protected data

      Globus provides a platform for research data management, and a key aspect of the platform is Globus Auth, a standards based solution (OAuth 2.0) for securing applications and services in the research ecosystem. Recently Globus updated the data management services, specifically Globus Connect, to use token based authentication for users, moving away from user certificates. Key motivations include flexible policy handling and support for browser-based/programmatic access to data (via HTTPS) in addition to the bulk access (via GridFTP). Updated data management services also include higher assurance features to support management of protected/restricted data such as PHI, PII and CUI. In support of this, several new features were added to Globus Auth that are now available as a platform for other services to leverage. In this talk, we’ll present some of the new features added such as authentication scoped to sessions, optionals scopes and streamlining of user interface for consents, and discuss our experience building user friendly interfaces on the new model.

      Convener: Rachana Ananthakrishnan (Globus, University of Chicago)
    • 10:50 11:00
      10-minute Break 10m
    • 11:00 11:50
      LIGO's use of SciTokens

      This panel will discuss ongoing work in LIGO to adopt SciTokens for capability-based access to resources. Panelists will discuss deployment progress on LIGO compute clusters (HTCondor), storage systems (XRootD), and collaboration services (LIGO SegDB), including applicable authorization policies. LIGO is pursuing a hybrid approach with multiple token issuers, including local token issuers on compute cluster login nodes that issue capabilities based on local logins along with a centralized OAuth token issuer (operated by CILogon) that issues capabilities based on LIGO LDAP group memberships. LIGO users do their work mostly on the command-line, so alternatives to OAuth browser-based workflows for token issuance are a priority.

      Conveners: Derek Weitzel (University of Nebraska, Open Science Grid, SciTokens), Duncan Brown (Syracuse University, pyCBC, SciTokens), Duncan Meacher (University of Wisconsin-Milwaukee, LIGO), Jim Basney (National Center for Supercomputing Applications, SciTokens), Zach Miller (University of Wisconsin-Madison, HTCondor, SciTokens)
    • 11:50 12:00
      Wrap-Up: Action Items and Adjourn
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
  • Tuesday, 1 December
    • 08:45 09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00 09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05 09:55
      XSEDE's Perspective on Token Assurance for Authentication and Authorization

      As XSEDE migrates its services, such as SSH and Globus Connect, from X.509 certificates to OAuth tokens, we must maintain an appropriate level of assurance for access to XSEDE resources. XSEDE has adopted IGTF assurance for X.509 certificates and REFEDS assurance for InCommon/eduGAIN SAML assertions, and the comparability between IGTF and REFEDS assurance levels (IGTF DOGWOOD/ASPEN to REFEDS low and IGTF BIRCH/CEDEAR to REFEDS medium) has enabled consistency across XSEDE authentication and authorization services. As an AEGIS participant, XSEDE is evaluating AARC-G048 ("Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements") as it applies to OAuth token issuers such as CILogon/SciTokens and Globus.

      In this panel, XSEDE staff will discuss project needs related to levels of assurance for OAuth tokens, the current state of OAuth implementation efforts (e.g., XSEDE OAuth SSH and Globus Higher Assurance Levels), and a new XSEDE IAM Policy under development. The panelists will also discuss interoperability requirements and solicit community input.

      Conveners: Brian Hom (XSEDE, San Diego Supercomputer Center), Derek Simmel (XSEDE, Pittsburgh Supercomputing Center), Jim Basney (National Center for Supercomputing Applications), Lee Liming (XSEDE, University of Chicago, Globus)
    • 09:55 10:00
      5-minute Break 5m
    • 10:00 10:50
      Fermilab's experience transitioning to token-based AAI technologies.

      As Fermilab becomes the host laboratory for international collaborations like DUNE, it is our goal to provide transparent access to computing resources for all of our scientific user community across organizational and national boundaries. Fermilab's Federated Identities project aims to integrate our current infrastructure with Federated-based Authentication and Authorization Infrastructure (AAI) technologies. Our goal is enabling scientific user's access without the burden of managing additional user accounts and forcing users to hold an extra set of authentication credentials.

      Fermilab started working with internal and external scientific services providers in order to transition away from X.509 certificates for user authentication towards newer technologies such as OAuth, OpenID Connect and JSON Web Tokens. During this session, we will present the updates we have made to our architecture to integrate token-based technologies. We will discuss the progress we made by integrating our authorization attributes repository (FERRY) with a token issuer operated by CILogon. An important addition to our current architecture is the deployment of a new online credential repository (Vault) in replacement of MyProxy. We will also discuss the current challenges we are facing, especially maintaining compliance with DoE security policies and requirements while expanding our current infrastructure with novel authentication and authorization mechanisms.

      Conveners: David Dykstra (Fermilab), Jeny Teheran (Fermilab), Mine Altunay Cheung (Fermilab)
    • 10:50 11:00
      10-minute Break 10m
    • 11:00 11:50
      Final Panel: What Have We Learned? What Do We Need? What Should We Do?
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 11:50 12:00
      Wrap-Up: Thanks and Closing Remarks
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)