
TAGPMA Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020)

Timezone: America/New_York
Venue: Online
Zoom Coordinates TBD
Derek Simmel (Pittsburgh Supercomputing Center)
Description

The Workshop on Token-Based Authentication and Authorization (WoTBAN&AZ 2020) is an online workshop to bring together developers and implementers of current token-based authentication and authorization methods, tools and infrastructures, to present and discuss their work and to inform the broader HPC, research and education (R&E), and information security communities regarding these topics. Of particular interest are requirements and methods for integration of token-based authentication and authorization with production systems and services in Science Gateways, HPC and Cloud environments.

We invite brief proposals (a paragraph is sufficient) for presentations, panels, or brief tutorials that fit into 50-minute sessions. The review committee will select 5 sessions for presentation, and invite the presenters of those sessions to participate in a panel discussion in the final session of the workshop. There must be at least one presenter for each session submission, but more are welcome to collaborate and present within a session.

Submission Deadline: Monday, November 16, 2020.

Address submissions and questions via e-mail to submissions@tagpma.org

To maximize opportunity for international participation, the workshop is scheduled to take place over two 3-hour sessions on the following days:

  • Monday, November 30, 2020 09:00-12:00 EST (UTC -5:00)
  • Tuesday, December 1, 2020 09:00-12:00 EST (UTC -5:00)

WoTBAN&AZ 2020 will be hosted online via the Zoom platform by The Americas Grid Policy Management Authority (TAGPMA), one of three regional PMAs that form the Interoperable Global Trust Federation (IGTF).

We plan to record sessions to make them available for online viewing following the workshop.

Workshop presentation materials will also be gathered and made available for online access, together with a workshop findings summary paper, to be compiled after the end of the workshop.

We look forward to your submissions and participation!

There are no fees for this workshop. Please do register in advance using the link below, as the number of concurrent participants we can accommodate via Zoom is limited.

Registration
  • Monday, 30 November
    • 08:45-09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00-09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05-09:55
      Token Based Authorisation for WLCG

      The WLCG Authorization Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorization Infrastructure (AAI) for Worldwide LHC Computing Grid (WLCG) experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorization within the grid; progress in token based authorization and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial and academic) partners. The need for interoperability in this new model is paramount, as infrastructures and research communities become increasingly interdependent.

      Over the past three years, the working group has made significant steps towards defining a system to meet the technical needs highlighted by the community. A token based AAI has been identified, enhanced and deployed to allow several High Energy Physics experiments to integrate their clients and middleware. Key aspects of the work have been possible thanks to externally funded projects, allowing existing AAI components to be adapted to our needs, and individual contributions at several well attended hackathons. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. This schema is being updated as the working group gains practical experience. We present the progress so far, challenges faced and a look at next steps.

      Conveners: Andrea Ceccanti (INFN), Brian Bockelman (CERN), Hannah Short (CERN), Jim Basney (National Center for Supercomputing Applications)
    • 09:55-10:00
      5-minute Break
    • 10:00-10:50
      Globus Auth: expanding the services ecosystem for protected data

      Globus provides a platform for research data management, and a key aspect of the platform is Globus Auth, a standards-based solution (OAuth 2.0) for securing applications and services in the research ecosystem. Recently Globus updated the data management services, specifically Globus Connect, to use token-based authentication for users, moving away from user certificates. Key motivations include flexible policy handling and support for browser-based/programmatic access to data (via HTTPS) in addition to the bulk access (via GridFTP). Updated data management services also include higher assurance features to support management of protected/restricted data such as PHI, PII and CUI. In support of this, several new features were added to Globus Auth that are now available as a platform for other services to leverage. In this talk, we’ll present some of the new features added such as authentication scoped to sessions, optional scopes and streamlining of the user interface for consents, and discuss our experience building user friendly interfaces on the new model.

      Convener: Rachana Ananthakrishnan (Globus, University of Chicago)
    • 10:50-11:00
      10-minute Break
    • 11:00-11:50
      LIGO's use of SciTokens

      This panel will discuss ongoing work in LIGO to adopt SciTokens for capability-based access to resources. Panelists will discuss deployment progress on LIGO compute clusters (HTCondor), storage systems (XRootD), and collaboration services (LIGO SegDB), including applicable authorization policies. LIGO is pursuing a hybrid approach with multiple token issuers, including local token issuers on compute cluster login nodes that issue capabilities based on local logins along with a centralized OAuth token issuer (operated by CILogon) that issues capabilities based on LIGO LDAP group memberships. LIGO users do their work mostly on the command-line, so alternatives to OAuth browser-based workflows for token issuance are a priority.

      Conveners: Derek Weitzel (University of Nebraska, Open Science Grid, SciTokens), Duncan Brown (Syracuse University, pyCBC, SciTokens), Duncan Meacher (University of Wisconsin-Milwaukee, LIGO), Jim Basney (National Center for Supercomputing Applications, SciTokens), Zach Miller (University of Wisconsin-Madison, HTCondor, SciTokens)
    • 11:50-12:00
      Wrap-Up: Action Items and Adjourn
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
  • Tuesday, 1 December
    • 08:45-09:00
      Zoom Session Open: Test Your Connection

      Zoom session for the workshop will start and be available for participants to connect and check their audio and visual settings.

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:00-09:05
      Welcome: Agenda Bashing

      Introductory comments and Agenda Bashing

      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 09:05-09:55
      XSEDE's Perspective on Token Assurance for Authentication and Authorization

      As XSEDE migrates its services, such as SSH and Globus Connect, from X.509 certificates to OAuth tokens, we must maintain an appropriate level of assurance for access to XSEDE resources. XSEDE has adopted IGTF assurance for X.509 certificates and REFEDS assurance for InCommon/eduGAIN SAML assertions, and the comparability between IGTF and REFEDS assurance levels (IGTF DOGWOOD/ASPEN to REFEDS low and IGTF BIRCH/CEDAR to REFEDS medium) has enabled consistency across XSEDE authentication and authorization services. As an AEGIS participant, XSEDE is evaluating AARC-G048 ("Guidelines for Secure Operation of Attribute Authorities and other issuers of access-granting statements") as it applies to OAuth token issuers such as CILogon/SciTokens and Globus.

      In this panel, XSEDE staff will discuss project needs related to levels of assurance for OAuth tokens, the current state of OAuth implementation efforts (e.g., XSEDE OAuth SSH and Globus Higher Assurance Levels), and a new XSEDE IAM Policy under development. The panelists will also discuss interoperability requirements and solicit community input.

      Conveners: Brian Hom (XSEDE, San Diego Supercomputer Center), Derek Simmel (XSEDE, Pittsburgh Supercomputing Center), Jim Basney (National Center for Supercomputing Applications), Lee Liming (XSEDE, University of Chicago, Globus)
    • 09:55-10:00
      5-minute Break
    • 10:00-10:50
      Fermilab's experience transitioning to token-based AAI technologies.

      As Fermilab becomes the host laboratory for international collaborations like DUNE, it is our goal to provide transparent access to computing resources for all of our scientific user community across organizational and national boundaries. Fermilab's Federated Identities project aims to integrate our current infrastructure with Federated-based Authentication and Authorization Infrastructure (AAI) technologies. Our goal is enabling scientific users' access without the burden of managing additional user accounts and forcing users to hold an extra set of authentication credentials.

      Fermilab started working with internal and external scientific services providers in order to transition away from X.509 certificates for user authentication towards newer technologies such as OAuth, OpenID Connect and JSON Web Tokens. During this session, we will present the updates we have made to our architecture to integrate token-based technologies. We will discuss the progress we made by integrating our authorization attributes repository (FERRY) with a token issuer operated by CILogon. An important addition to our current architecture is the deployment of a new online credential repository (Vault) in replacement of MyProxy. We will also discuss the current challenges we are facing, especially maintaining compliance with DoE security policies and requirements while expanding our current infrastructure with novel authentication and authorization mechanisms.

      Conveners: David Dykstra (Fermilab), Jeny Teheran (Fermilab), Mine Altunay Cheung (Fermilab)
    • 10:50-11:00
      10-minute Break
    • 11:00-11:50
      Final Panel: What Have We Learned? What Do We Need? What Should We Do?
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)
    • 11:50-12:00
      Wrap-Up: Thanks and Closing Remarks
      Convener: Derek Simmel (Pittsburgh Supercomputing Center)