Speaker
Description
Account linking may be usefule at different places in the AAI
Architecture. Over the past years, we have seen account linking at the
Community-AAI, where multiple Home-Organisation logins may be used to log
in to a single account at the Community. This typically allows linking
attributes of services such as ORCID or Google. More recently this type
of account linking is being integrated in an additional proxy above the
Community-AAI. These additional proxies are known as "national Edu-ID".
They aim to support researcher mobility by allowing links to several
different, sometimes international, Home Organistions.
To complement these early (or northbound) linkings, we have designed and
implemented a system for late (or southbound) linking of accounts. Our use
case are users, that authenticate with their federated identity to a
modern service inside a particular computer centre. Computer centres are
often reluctant to invest early into new AAI systems. Their Unix-based
infrastructure (HPC Clusters, Filesystems) therefore do not support
federated identities. To allow our modern service to use this
infrastructure for federated users, we need to know to which Unix account
the federated user will be mapped, when logging in with an account local
to the computer centre.
ALISE, the Account LIkning SErvice, does exactly that. The web interface
asks the user to log in with the computer centre account. Once
authenticated, federated identities my be linked to the computer centre
account. The linkage information may be accessed via a REST API, so that
our modern service may use this information.
The initial setup is working for the VEGA HPC Centre in Slovenia, where an
instance of dCache needs to utilise local storage to read or write data,
that a VEGA HPC user owns.
| Topic | Trust and Security: Access control |
|---|
