Abstract

BNL SDCC (Scientific Data and Computing Center) recently deployed a centralized identity management solution to support Single Sign On (SSO) authentication across multiple IT systems. The system supports federated login via CILogon and InCommon, and multi-factor authentication (MFA), to meet security standards for applications and services such as JupyterHub and Invenio that are provided to the SDCC user community. CoManage (cloud-based) and FreeIPA / Keycloak (local) are utilized to provide fine-grained authorization for authenticated users. This talk will focus on technical overviews and strategies to tackle the challenges and obstacles in our facility.

Highlights

  • The Scientific Data and Computing Center (SDCC) is the main scientific computing center at Brookhaven National Laboratory (BNL)

  • The SDCC manages computing for large collaborations like the experiments at the Relativistic Heavy Ion Collider at BNL and the ATLAS experiment at the Large Hadron Collider (LHC) at CERN [1, 2]

  • Keycloak is an open source identity management system that is the upstream code base for Red Hat’s single sign on (SSO) solution. It was chosen by the SDCC for its integration with FreeIPA, its support for OpenID Connect (OIDC), OAuth2, and SAML2, its ability to broker identities, and its support for multi-factor authentication (MFA) [6, 10, 16, 17]


Summary

Introduction

The Scientific Data and Computing Center (SDCC) is the main scientific computing center at Brookhaven National Laboratory (BNL). From the facility side, managing user accounts is a growing burden as the number of users and supported groups increases. To alleviate these problems, the SDCC has deployed a Keycloak-based single sign on (SSO) system and is using it with CILogon's CoManage collaborative management platform and the InCommon Federation [6,7,8,9]. Keycloak is an open source identity management system that is the upstream code base for Red Hat's SSO solution. It was chosen by the SDCC for its integration with FreeIPA, its support for OpenID Connect (OIDC), OAuth, and SAML2, its ability to broker identities, and its support for multi-factor authentication (MFA) [6, 10, 16, 17]. OIDC/OAuth support was necessary to allow the SDCC to use commercial identity providers like Google and Facebook, while SAML2 was needed to enable participation in academic federations like InCommon and eduGAIN [9, 11].

Single Sign On
Federation
