Results

A Pilot pilot instance has been was deployed and has been registered in the eduGAIN metadata and is undergoing testing.underwent extensive testing using a number of existing LSC resources. Within the pilot, account linking between institutional identities and a user LSC identity was performed using a manual administration step.

Limitations

There are two areas where the use of federated identities is limited. Firstly, the the LIGO detectors are situated in remote locations loss of access to the internet are common and it would be impossible for anybody working thereto  connect to their home IdPs. Therefore, people working at or visiting the detectors will need to continue to use their LSC credentials and the local IdP replicas. Secondly, the LSC rely on X509 certificates to access compute clusters and other resources. Most users obtain their certificates from the CILogon service using the ligo-proxy-init command line tool which uses SAML ECP to obtain a certificate without a web browser. Although some institutional IdPs support ECP this is severely limited, and not expected to improve. Therefore, for users who require this they will still require a dedicated password to access this resource via the LIGO IdP.

Sustainability

Going forward an instance of COManage will be deployed to handle the account linking workflow, and as well as more aspects of user management. To move the pilot into production the SATOSA and PyFF services must be deployed in a fault tolerant manner. The LSC has recently deployed a fault tolerant instance of the main Identity Provider, and we will be take a similar approach to deploy this.

Further information

Following the completion of this pilot the service will be adopted into the LSC Identity and Access Management core services. A fault tolerant service will be maintained in the cloud.