identity federation
Recently Published Documents


TOTAL DOCUMENTS

64
(FIVE YEARS 11)

H-INDEX

8
(FIVE YEARS 1)

2020 ◽  
Vol 245 ◽  
pp. 03001
Author(s):  
Brian Bockelman ◽  
Andrea Ceccanti ◽  
Ian Collier ◽  
Linda Cornwall ◽  
Thomas Dack ◽  
...  

The WLCG Authorisation Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorisation Infrastructure (AAI) for WLCG experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorisation within the grid; progress in token-based authorisation and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial) partners. The need for interoperability in this new model is paramount as infrastructures and research communities become increasingly interdependent. Over the past two years, the working group has made significant steps towards identifying a system to meet the technical needs highlighted by the community during staged requirements gathering activities. Enhancement work has been possible thanks to externally funded projects, allowing existing AAI solutions to be adapted to our needs. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. We present the work of the group and an analysis of the anticipated changes in authorisation model by moving from X.509 to token-based authorisation. A concrete example of token integration in Rucio is presented.


2020 ◽  
Vol 65 (2) ◽  
pp. 1559-1570
Author(s):  
Ning Liu ◽  
Fan Yang ◽  
Xi Xiong ◽  
Yan Chang ◽  
Shibin Zhang

Author(s):  
Bernardo Santos ◽  
Bruno Dzogovic ◽  
Boning Feng ◽  
Van Thuan Do ◽  
Niels Jacot ◽  
...  

Computers ◽  
2019 ◽  
Vol 8 (3) ◽  
pp. 51 ◽  
Author(s):  
Samia EL Haddouti ◽  
Mohamed Dafir Ech-Cherif EL Kettani

Several countries have invested in building their identity management systems to equip citizens with infrastructures and tools to benefit from e-services. However, current systems still lack the interoperability requirement, which is the core issue that could lower the wide benefits of having an identity management system. In fact, in the existing systems, the user is allowed to choose only one partial identity from an identity provider (IdP) during a single session with a service provider (SP). However, in some scenarios, an SP needs to retrieve information about user’s identities managed by multiple IdPs. The potential method to tackle these shortcomings is attribute aggregation from multiple identity providers. A number of initiatives and projects on attribute aggregation have been explored. Nevertheless, these constructions do not fulfill some identity management requirements. This paper describes a new flexible model that aims to provide the necessary mechanisms to ensure attribute aggregation in order to meet the interoperability challenges of current identity management systems. The proposed scheme is a scalable solution, based on identity federation technologies, that introduces a new IdP called an account linking provider (ALP). The purpose of this ALP is to link together different accounts, holding end users’ attributes, whenever more than one source of data is needed to grant access to the requested web resource in a single session. Furthermore, the proposed identity federation system is based on a streamlined, cost-effective, and interoperable architecture, which makes this model suitable for large-scale identity federation environments.


Author(s):  
I Wayan Widi Pradnyana ◽  
Iin Ernawati

A process-driven application is a type of application used to run operational procedures within an organization. When several users are involved in a sequence of tasks, a task is sometimes claimed when it is handled by one member of a group, or delegated to another user to minimize delays in completing the process. An organization can use a dedicated database for its identity management, such as LDAP technology, which represents a hierarchical database matching the organizational structure and also facilitates single sign-on for authentication. This paper examines the use of LDAP with OpenLDAP for process execution on a JBPM-based BPMS. Several functional tests show that LDAP can support the authentication and authorization functions so that processes and tasks can be executed.

