Fermilab's experience transitioning to token-based AAI technologies
Conveners
- Jeny Teheran (Fermilab)
- David Dykstra (Fermilab)
- Mine Altunay Cheung (Fermilab)
Description
As Fermilab becomes the host laboratory for international collaborations like DUNE, it is our goal to provide transparent access to computing resources for all of our scientific user community across organizational and national boundaries. Fermilab's Federated Identities project aims to integrate our current infrastructure with federated Authentication and Authorization Infrastructure (AAI) technologies. Our goal is to enable scientific users' access without the burden of managing additional user accounts and without forcing users to hold an extra set of authentication credentials.
Fermilab started working with internal and external scientific service providers in order to transition away from X.509 certificates for user authentication towards newer technologies such as OAuth, OpenID Connect and JSON Web Tokens. During this session, we will present the updates we have made to our architecture to integrate token-based technologies. We will discuss the progress we made by integrating our authorization attributes repository (FERRY) with a token issuer operated by CILogon. An important addition to our current architecture is the deployment of a new online credential repository (Vault) as a replacement for MyProxy. We will also discuss the current challenges we are facing, especially maintaining compliance with DoE security policies and requirements while expanding our current infrastructure with novel authentication and authorization mechanisms.