(r2) WLCGIssuerDeploymentArchitecture < LCG

LCG Web>WebPreferences>WLCGAuthorizationWG>WLCGIssuerDeploymentArchitecture (revision 2) (raw view)~~EditAttachPDF~~

---+ WLCG Issuer Deployment Architecture (DRAFT)

A few key decisions needed for the deployment of IAM instances for WLCG include:

* What is the content of the =iss= claim?
* How many IAM instances should be run?  Should there be a single multi-tenant instance for WLCG or multiple instances?

---+ Proposal (Brian)

* The =iss= claims will be of the form:
   * =https://cms.auth.cern.ch/=
   * =https://atlas.auth.cern.ch/=
   * =https://alice.auth.cern.ch/=
   * =https://lhcb.auth.cern.ch/=

   * These locations need not be the same as the token issuer (i.e., IAM) but are clear and memorable.  It might be strategic to split the issuer string from the IAM instance hostname from the very beginning to help emphasize portability.


This approach requires that the metadata doc will be available at https://cms.auth.cern.ch/.well-known/openid-configuration

This can be easily implemented with the current IAM. Needs to be understood how things will work when IAM will be based on Keycloak.


* These will start as single-tenant instances of IAM.  This decouples the VOs from having to share a single version -- allowing a "pathfinder" VO to proceed more quickly than the others.
* We will start with CMS and stand up the IAM instance at =https://cms-iam.auth.cern.ch/=.

Topic revision: r2 - 2020-03-17 - AndreaCeccanti1

LCG Wikis

LCG Service
Coordination

LCG Grid
Deployment

LCG
Apps Area

Public webs

Welcome Guest

- Cern Search
- TWiki Search
- Google Search
LCG All webs

Copyright &© 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback