Last modified on 09/12/14 17:07:48

Marcus, Patrick, Dennis, Paul, Bernd, Arsen.

This meeting's main focus is to find out what people have been up to and what are their future plans.


Marcus has been hacking ssh to put a SAML assertion into the password field. Currently, the idea is that the user authenticates using SAML Web-SSO with their web browser against some minimal SP, which allows the user to download their SAML assertion. With this assertion the user can use the (more-or-less) stock ssh client to connect to the ssh server, sending the SAML assertion in the password field. The LDAP façade accepts the username + assertion as valid login credentials and allows the user to log in.

There is a problem where the default ssh client does not expect a password longer than 1k. The solution is simple and upstream is being asked to fix it.
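As an added illustration (not Marcus's code nor the LDAP façade's actual implementation), the following Python sketch shows the checks such a façade must make before treating username + assertion-in-password as a valid bind. The assertion, issuer and service names are constructed for the demo, and cryptographic signature verification is assumed to be supplied by an XML-DSig library through the `signature_ok` callback.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}

# Constructed sample assertion for the demo: not real IdP output, the signature body is a placeholder.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DSIG_NS}" Version="2.0" ID="_demo1">'
    "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
    "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2014-12-09T16:00:00Z" NotOnOrAfter="2014-12-09T17:00:00Z">'
    "<saml:AudienceRestriction><saml:Audience>https://ssh.example.org/sp</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)

def to_password_field(assertion_xml: str) -> str:
    """Base64-encode the assertion so it can be typed into the ssh password prompt."""
    return base64.b64encode(assertion_xml.encode()).decode()

def parse_ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2014-12-09T16:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_bind(username, password, now, audience, trusted_issuers, signature_ok):
    """Return (accepted, reason) for a bind of username + assertion-in-password.
    signature_ok(root) is an assumed XML-DSig verifier bound to the trusted IdP keys;
    a façade that skipped it would accept any assertion a client wrote itself."""
    try:
        root = ET.fromstring(base64.b64decode(password, validate=True))
    except (binascii.Error, ET.ParseError):
        return False, "password field is not a base64-encoded SAML assertion"
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    if root.find("ds:Signature", NS) is None or not signature_ok(root):
        return False, "assertion signature missing or invalid"
    if root.findtext("saml:Subject/saml:NameID", namespaces=NS) != username:
        return False, "assertion subject does not match the login name"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion expired or not yet valid"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion was issued for a different service"
    return True, "ok"
```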

Marcus is also waiting for feedback from someone doing something similar.

The plan is to set up a proof of principle that open-source software can use the assertions. This is one ssh server that anyone who has a valid SAML assertion from an EduGain IdP can use. This should be ready in a few months.

Users need to enrol before they can use the service. This creates an entry in the KIT LDAP service. The LDAP server is shared amongst various KIT services so, in principle, the user can subsequently use various KIT services.

Ultimately, people should be able to come from "somewhere" (some EduGain IdP) and use scp/sftp to fetch their data. Maybe later on they will be able to log into the service and run analysis jobs.

KIT has a group management tool. A user is part of KIT groups, as described by the LDAP service. Becoming part of a group is a manual step.


Dennis has become the official contact person for Federated Identity at GSI.

Dennis plans to establish a test-bed to allow the distributed communities that GSI supports to understand Fed Identity and to see if integrating it makes sense for them. The plan is to provide a test IdP so these communities can add SAML support to their services. These services are typically web-based, such as project management tools, log-book tools, etc.

There should be advice for the users on how to integrate their services with the GSI IdP. This could be in the form of a FAQ or a wiki page with user-submitted headings.

Dennis also plans to investigate having a UNITY service as the management layer for groups.

UNITY may also be useful in acting as an IdP for "homeless users". Ultimately people should use their home IdP, so this would be for a transition period, but this period might be quite long. Dennis needs to investigate what UNITY can provide. There was some discussion about how to contact the user communities: direct communication is OK, but he should keep both DSIT and DLCL informed.

Dennis is still working on joining DFN production AAI. They are still waiting on documents being signed.

Once GSI joins DFN production AAI, Dennis will install the AAI plugin on the main wiki. With this, anyone from DFN-AAI can use the wiki by authenticating with their local IdP.


Shiraz has the most detailed, up-to-date view of current work, but unfortunately he wasn't available. Bernd described how the UNITY team is working on adding OAuth2 support.

Bernd's also been working on a stand-alone use-case for the uftp software. He hopes to make a release this week. In this setup, uftp allows the user to do username+password authentication for data transfers, with flexible user-mapping.

There's currently no support for SAML-based uftp authentication.

On running a production LSDMA instance of UNITY: it should be possible for LSDMA to make use of the EUDAT UNITY instance. That instance is run in a semi-production fashion; Shiraz has more details. It supports SAML Web-SSO.

The code also supports querying user attributes via an attribute query end-point. It may be enabled now, but Bernd was not sure of the details. This would allow an SP to query which groups someone is a member of.

An alternative approach is to use chaining/proxying mode, where UNITY is the IdP, but redirects the client to some back-end IdP. The assertion from the UNITY server includes information from the back-end IdP + group-membership. Support for this is available in the version of UNITY currently installed as the EUDAT instance, but Bernd wasn't sure whether or not it was enabled.

UNITY may be interesting for allowing homeless users for GSI. Registration requires approval.

Marcus described how the Umbrella IdP allows pretty much anyone to create an account but, at KIT, these accounts are not trusted. Only after the user has shown their passport to someone at KIT is the account allowed access. Showing the passport is needed only once.

The OpenID Connect use-case follows the Human Brain Project, which requires this authentication scheme. Bernd anticipates having this ready for Q1 2015.


Arsen has been working on trying to get the DFN SLCS service working for him. They haven't enabled ECP support and are running an older version of GridShib that doesn't support the CGI-form method of requesting a credential. Instead, it only supports the Java-client method, requiring the user to download a Java WebApp and run it. This WebApp connects to the GridShib CA server to make the request.

Some initial exchange with DFN left Arsen trying to get the Java WebApp working for him with ECP.

Paul double-checked whether, in order to support our users, we would need two things: ECP support and CGI-form support. The latter would require DFN-AAI to upgrade the version of the GridShib software they're using.

We agreed that Arsen should write to the DFN-AAI people clearly asking them on what time-scale they plan to support ECP and the CGI-form method of requesting an X.509 credential. Arsen agreed to circulate this email with Marcus, Patrick and Paul, who can help disambiguate it. Arsen has also been working on demonstrating the LDAP façade by integrating it with an application (ssh). They are also in discussion with the LDAP façade developers on how to integrate it with the GridFTP service, as discussed at the DESY LSDMA-WP1 meeting.

They hope to have something up for Q1 2015.


There has been no direct work on WP1 since the LSDMA meeting in Berlin. But Paul has been working with the DESY team to get a production IdP running, operated by the systems group.

There is increased interest from different dCache communities, including EGI via CDMI and Swestore. There is also work on demonstrating dCache's web interface authenticating via SAML Web-SSO.

Thanks everyone for connecting!

No planned meeting before the next LSDMA All-Hands meeting; we can chase up any threads via the mailing list.