TA6 WP2 Meeting

Europe/Berlin
Description

Zoom:

ID 637 6873 9808
Passcode 808022
Invitation link https://desy.zoom.us/j/63768739808
 

participants:
- Kilian Schwarz (DESY)
- Alexander Goeggelmann (PTB)
- Christiane Schneide (DESY)
- Sander Apweiler (FZJ)
- Rouven Spreckels (GSI)
- Ramin Marx (Uni HD)

Agenda:

TOP1: reduced paid request to Unity
a) the request document should be finalised with the usual group of AAI experts
b) the document will be sent to Unity via Juelich
c) Unity will do a cost evaluation
d) Christiane will evaluate if PUNCH can take over the cost

TOP2: use case - add noticeboard forum to AAI
Replace the current username/password system with AAI.

SAML or OAuth can be used.
OpenIDC / mod_auth_openidc
https://github.com/OpenIDC/mod_auth_openidc
should be investigated.
It can be included via Apache: several strings need to be configured,
the URL needs to be specified,
and scopes and attributes need to be defined.
The programming language is PHP (SAML-PHP should be looked at; it is also able to speak OIDC).
https://hifis.net/doc/helmholtz-aai/howto-services/
==> for integrating services
https://hifis.net/doc/helmholtz-aai/howto-authorise-users
==> for integrating users

OIDC is newer
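The following Apache fragment is an added illustration of what "several strings", "the URL" and "scopes and attributes" amount to when a PHP forum is put behind mod_auth_openidc; it is not from the meeting, from PUNCH, or from the mod_auth_openidc project itself. The provider URL, client credentials, hostnames, paths and the name of the group claim are placeholders that would have to be replaced with the values issued when the forum is registered as a service.

```apache
# Added example: minimal mod_auth_openidc configuration protecting a PHP forum.
# Hostnames, client credentials, paths and the "groups" claim name are
# placeholders chosen for illustration; substitute the values issued by the AAI.

LoadModule auth_openidc_module modules/mod_auth_openidc.so

# The provider's discovery document. The module pulls issuer, endpoints and
# signing keys from it, so this is the one URL that has to be specified.
OIDCProviderMetadataURL https://aai.example.org/.well-known/openid-configuration

# Client registration data issued when the forum was registered as a service.
OIDCClientID     forum-client-id-PLACEHOLDER
OIDCClientSecret forum-client-secret-PLACEHOLDER

# Must match a redirect URI registered for the client. It is a virtual path
# handled by the module, so it must not point at a real file, and it should
# sit inside a location that the module protects.
OIDCRedirectURI https://forum.example.org/protected/redirect_uri

# Passphrase for the module's encrypted session and state cache.
OIDCCryptoPassphrase change-me-to-a-long-random-value

# Scopes requested from the provider: "openid" is mandatory, the rest decide
# which attributes (claims) the provider releases to the forum.
OIDCScope "openid email profile"

# Which released claim becomes REMOTE_USER for the PHP application.
OIDCRemoteUserClaim email

# Hand the claims to PHP as request headers (OIDC_CLAIM_<name>) and as
# environment variables, so the forum reads them instead of its own password table.
OIDCPassClaimsAs both

<Location /protected>
    AuthType openid-connect
    # Any authenticated AAI user may read the forum.
    Require valid-user
</Location>

<Location /protected/admin>
    AuthType openid-connect
    # Admin pages additionally need membership in one group, carried in a
    # multi-valued "groups" claim (assumed name; the AAI may release a different claim).
    Require claim groups:forum-admins
</Location>
```

The forum code should then trust `REMOTE_USER` and the `OIDC_CLAIM_*` values only when the request has passed through this Apache instance; if the PHP backend is reachable on another port or host, a client could supply those headers itself, so the backend must not be exposed directly.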

TOP3: Indico AAI dev
Via a paid request to unconventional.dev, Indico will be made AAI group aware.
This means access to Indico areas can be restricted to members of specific PUNCH AAI groups.
The development uses the Keycloak interface.

round table:
FZJ:
IAM is investigating which consortia need AAI and what the right solutions are. 3 workshops have been given.
Helmholtz AAI: extensions are being worked on. One example is how users can be removed from the AAI in an automated way, e.g. when users leave a centre.
Actually this works already. The workflow is complex. If a user has not connected for a certain time, a request is sent to the IdP. Depending on the answer the account will be deleted.
Otherwise the user will receive an e-mail. If no answer is received, the account will first be deactivated and later removed.
Broadcasting group membership, e.g. to services, is also being worked on.
Participation in the AARC guidelines. There will be an EU-financed project, AARC3.
The GrandUnifiedToken working group (WLCG also takes part here) is not financed and meets once per month. The idea is to unify the various approaches to tokens.

PTB:
no information

Uni HD:
Nothing AAI specific. Working on moving a Confluence space to XWiki. First the content is dumped as Markdown and then uploaded again to XWiki. This way 90 GB has been moved.
Maybe at some point a PUNCH project can be generated based on this work.

GSI:
Keycloak has been automated via Chef. The first use cases have also been automated. Currently working on connecting XRootD including authentication.
There is a multi-user plugin which can create SciToken-compatible tokens. XRootD is being connected via Keycloak using user ID and password as well as 3rd-factor authentication.
Keycloak then hands over to 3rd parties.
Functioning examples already are Voss Wiki, GitLab, Mattermost.
Single logout is also being investigated: a user logs out once and is then logged out everywhere via single logout.
Technically Keycloak will connect with all other active sessions and disconnect them.
NextCloud has 3 different plugins.
A connection to O. Freyermuth shall be established.

TOP4: AOB
none
 

Minutes attached to this event:
1. status authorisation claims and reduced paid request to Unity
   AAI requirements document:
   https://results.punch4nfdi.de/?md=/docs/Documents/Official_and_Legal_Documents/aai-requirements.md
   enhanced documentation:
   https://intra.punch4nfdi.de/?md=/docs/TA2/WP2/Advanced.md
   Feature Request Document:
   https://docs.google.com/document/d/14NII7zyh5ytnicTPmcOtwx-Jr9fAoDTiUTkU4nXDun0/edit#heading=h.sc34ezl7ielq
2. use case: add Noticeboard/Forum to AAI
3. Indico AAI development
4. AOB