Speaker
Description
Distributed federated infrastructures contain services that require the deployment i.e. creation of accounts before users may access them. Examples include unix accounts or accounts in web-based systems, e.g. mailing lists or so. Often, site-local policies (e.g. on usernames) have to be respected and federated authorisation (Virtual Organisations) is mandatory. Which services are provisioned should be selected by the users themselves. Sometimes questions need to be asked back to the user (e.g. conflicting username, primary group to use) before an account can be provisioned. Once provisioned, login information needs to be displayed to the user. Once users do not need their services anymore they need to be able to trigger the removal of their accounts. A challenge is the automatic removal of service deployments belonging to users which e.g. leave a VO and as a result lack the authorisation for the use of the service.
With the Federated User Credential Deployment Portal (FEUDAL) we implemented a system that addresses these requirements. Its key features are the user-oriented webpage and the instantaneous deployment to the services of a VO. Users are presented with a list of available services and can select which they want to use. Publish-subscribe is used to communicate deployments, minimising latency for the user. Depending on the service, this enables us to immediately prompt for more information and to display e.g. service credentials after the user selected a service for deployment.
Any third party service may be created via an adapter approach. The adapters are run by the service administrators, not directly by Feudal. Adapters for provisioning users into unix systems, LDAP instances and dCache are already implemented. Feudal is integrated with all major AAIs, such as EGI-Checkin, Unity and eduTEAMS. A HTTP API is available for both users and the integration with other AAI.