...
The components are as follows:
Component | Description | Why did we choose it? | Link |
---|---|---|---|
RCAuth | Token Translation. Used to generate x509 certificates for access to legacy services | EU-wide, sustainable infrastructure component | https://rcauth.eu |
VOMS | Attribute Authority & Membership Management. Legacy authorisation database for WLCG, must be integrated for backwards compatibility | Pre-existing. Backwards compatibility | https://italiangrid.github.io/voms/ |
CERN HR DB | Attribute Authority. CERN's source of identity vetting information | Pre-existing. Backwards compatibility | N/A |
INDIGO-IAM | One option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.indigo-datacloud.eu/identity-and-access-management |
EGI-Check-in | The second option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.egi.eu/services/check-in/ |
Architecture
The architecture includes every component of the AARC BPA.
...
Videos for the AARC-supported pilot for EGI-Check-in are available at https://www.dropbox.com/sh/0u9d5fzuxrjyu3k/AAClKTVLpJRC5YN2kh0JlKsGa?dl=0
User links x509 certificate with federated credentials
Step | Screenshots |
---|---|
User registers with the system using a federated account | |
User associates x509 user certificate with their account | |
User submits a physics job
Step | Screenshot (TBC) |
---|---|
User follows registration flow above | |
User requests token from command line (Device Code Flow) | |
User submits a job in the normal way | |
Demo EGI Check-in videos
Short videos demonstrate the following EGI Check-in functionalities and flows:
- Trying to add a non-WLCG experiment member into the system
- Adding a WLCG Experiment member into the system (create the user, obtain an RCAuth certificate, register into VOMS)
- Group management
- HRDB periodic syncing
- Invite multiple people via email from an administrator's account
- SSH key authentication for RCAuth proxy retrieval
- Token exchange and device code
Visit the following link to view.
Further information
AARC's specific role in this pilot is to coordinate the efforts, ensure that AARC recommendations are considered and to support the enhancement of EGI-Check-in.
Was the BPA useful to achieve these results? WLCG is looking at two existing AAI solutions that are broadly in line with the BPA already.
Sustainability? The aim of this pilot is to provide a recommendation for WLCG to deploy a BPA-compliant AAI. This will be physically hosted at CERN. The pilot is directly useful in providing prototypes, proof of concept, and demonstrations.