Description
In recent years, web-based workflows and applications have become more prevalent in the scientific process. From applying for beamtime to processing data, many activities now happen in a browser. Alongside this there has been a shift from traditional logins against a local user database to Single Sign-On protocols such as OpenID Connect (OIDC) and SAML2. This has also opened up the possibility of onboarding users through federations like eduGAIN, so that they can log in with the credentials of their home institute.
In this talk we present how we use federated identities at DESY to create local user accounts for scientists so that they can gain access to applications. Special focus is placed on group (VO) management in Helmholtz ID and on how it lets us manage access to resources that are not granted by default to all federated users.
We present the integration of Keycloak with our user management backend "Registry2" and how it ties into existing backends such as LDAP / SSSD, so that, for example, POSIX capabilities can be used by importing group information from Helmholtz ID via the entitlement attribute.
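As an added illustration of the last step (not the speakers' code and not DESY's Registry2), the following Python sketch maps group entitlements received from an OIDC identity provider onto local POSIX groups, with no group granted unless a trusted authority asserts a known VO; the claim layout (AARC-style URN), the trusted authority, the VO names and the mapping table are all assumptions.

```python
import re

# Assumed AARC-G002-style entitlement layout (an assumption, not taken from the talk):
#   urn:geant:<namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>
ENTITLEMENT_RE = re.compile(r"^urn:geant:(?P<ns>[^:]+):group:(?P<path>[^#]+)#(?P<authority>.+)$")

# The trusted issuing authority and the VO -> POSIX group table are constructed examples.
TRUSTED_AUTHORITY = "login.helmholtz.de"
GROUP_TO_POSIX = {
    "desy:photon-users": "photon",     # hypothetical VO path -> local group
    "desy:hpc": "hpc-users",
}

def parse_entitlement(value):
    """Return (namespace, group_path, role, authority), or None if the value is malformed."""
    m = ENTITLEMENT_RE.match(value)
    if not m:
        return None
    parts = m.group("path").split(":")
    role = None
    if parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    return m.group("ns"), ":".join(parts), role, m.group("authority")

def posix_groups_from_claims(entitlements):
    """Map entitlement claim values to local POSIX groups; anything malformed, issued by
    another authority, or absent from the mapping table is ignored (deny by default)."""
    groups = set()
    for ent in entitlements:
        parsed = parse_entitlement(ent)
        if parsed is None:
            continue                      # reject values that do not parse at all
        _ns, path, _role, authority = parsed
        if authority != TRUSTED_AUTHORITY:
            continue                      # only honour groups asserted by the trusted IdP
        local = GROUP_TO_POSIX.get(path)
        if local:
            groups.add(local)
    return groups

# Constructed sample claim values as they might appear in an ID token or userinfo response.
SAMPLE_ENTITLEMENTS = [
    "urn:geant:helmholtz.de:group:desy:photon-users#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:desy:hpc:role=admin#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:desy:hpc#idp.example",  # not the trusted authority
    "not-an-entitlement",
]
```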
| Consent | Answer |
|---|---|
| Agree to streaming | yes |
| Agree to internal publication of recording | yes |