WLCG Issuer Deployment Architecture (DRAFT)

A few key decisions needed for the deployment of IAM instances for WLCG include:

* What is the content of the iss claim? * How many IAM instances should be run? Should there be a single multi-tenant instance for WLCG or multiple instances?

Proposal (Brian)

* The iss claims will be of the form:

• https://cms.auth.cern.ch/
• https://atlas.auth.cern.ch/
• https://alice.auth.cern.ch/
• https://lhcb.auth.cern.ch/

• These locations need not be the same as the token issuer (i.e., IAM) but are clear and memorable. It might be strategic to split the issuer string from the IAM instance hostname from the very beginning to help emphasize portability.

This approach requires that the metadata doc will be available at https://cms.auth.cern.ch/.well-known/openid-configuration

This can be easily implemented with the current IAM. Needs to be understood how things will work when IAM will be based on Keycloak.

* These will start as single-tenant instances of IAM. This decouples the VOs from having to share a single version -- allowing a "pathfinder" VO to proceed more quickly than the others. * We will start with CMS and stand up the IAM instance at https://cms-iam.auth.cern.ch/. * This instance will not be pre-populated with users - rather users will have to register via CERN SSO. The integration with the CERN HR database will allow us to determine whether the user is actually a CMS user.