WLCG Issuer Deployment Architecture (DRAFT)

A few key decisions needed for the deployment of IAM instances for WLCG include:

* What is the content of the iss claim?
* How many IAM instances should be run? Should there be a single multi-tenant instance for WLCG or multiple instances?

Proposal (Brian)

* The iss claims will be of the form:

  • https://cms.auth.cern.ch/
  • https://atlas.auth.cern.ch/
  • https://lhcb.auth.cern.ch/
  • These locations need not be the same as the token issuer (i.e., IAM) but are clear and memorable. It might be strategic to split the issuer string from the IAM instance hostname from the very beginning to help emphasize portability.
* These will start as single-tenant instances of IAM. This decouples the VOs from having to share a single version -- allowing a "pathfinder" VO to proceed more quickly than the others.
* We will start with CMS and stand up the IAM instance at https://cms-iam.auth.cern.ch/.
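
What splitting the issuer string from the IAM hostname means for a service that validates tokens, as an added example (not part of the original proposal or of IAM): the iss claim is matched as an exact string against the proposed issuers, the discovery metadata must name the same issuer, and the signing keys may then be served from a different host. The metadata document and its jwks_uri path are constructed for illustration.

```python
from urllib.parse import urlsplit

# Issuer strings exactly as proposed on this page (trailing slash included).
TRUSTED_ISSUERS = {
    "https://cms.auth.cern.ch/",
    "https://atlas.auth.cern.ch/",
    "https://lhcb.auth.cern.ch/",
}


def discovery_url(iss):
    """OIDC Discovery location: drop the trailing '/', append the well-known path."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(token_iss, metadata):
    """Return the jwks_uri to fetch signing keys from, or raise ValueError.

    token_iss: iss claim read from the token payload before signature checks.
    metadata:  parsed JSON document fetched from discovery_url(token_iss).
    """
    # 1. Exact string comparison, no normalisation: a missing slash fails.
    if token_iss not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {token_iss!r}")
    # 2. The metadata must name the same issuer it was fetched for.
    if metadata.get("issuer") != token_iss:
        raise ValueError("metadata issuer does not match iss claim")
    # 3. Keys may live on another host (the IAM instance), HTTPS only.
    jwks = urlsplit(metadata.get("jwks_uri", ""))
    if jwks.scheme != "https" or not jwks.hostname:
        raise ValueError("jwks_uri must be an https URL")
    return metadata["jwks_uri"]


# Constructed metadata: memorable issuer name, keys served by the IAM host.
# The "/jwk" path is a hypothetical placeholder.
CMS_METADATA = {
    "issuer": "https://cms.auth.cern.ch/",
    "jwks_uri": "https://cms-iam.auth.cern.ch/jwk",
}

if __name__ == "__main__":
    print(discovery_url("https://cms.auth.cern.ch/"))
    print(check_issuer("https://cms.auth.cern.ch/", CMS_METADATA))
```
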
Topic revision: r1 - 2020-03-17 - BrianBockelman