Account Linking Service ALISE

Diana Gudu, Marcus Hardt, Paul Millar, Gabriel Zachmann

Sep 2024

ALISE

Account LInking SErvicE (ALISE)
Account Linking Wonderland

Motivation

Use Case

  • Many different federated home accounts
    • (university, google, orcid, other-university)
    • I WILL NOT TALK ABOUT THIS
  • How to map a federated account to a local UNIX system
    • Everyone who’s only interested in the first one: LEAVE NOW

Where are we linking accounts

Which problem does ALISE solve?

  • Computer center requires local accounts
  • Federated service needs to map federated user to local account
  • How to decide whether or not to grant access?!!
  • Example
    • File on storage service: -rw-r--r-- 1 marcus ant-researchers 210 Oct 4 09:19 /projects/ant-science/alise.py
    • Access this file locally:
    cat /projects/ant-science/alise.py
    • Access this file via federated service:
    curl https://hpc.example.org/projects/ant-science/alise.py -H "Authorization: Bearer `oidc-token egi`"

How does it work?

  • SaaS (Service as a Service)
    • Provided for a given computer centre (hpc.example.com)

User Flow:

  1. User logs in with computer centre account
  2. User adds multiple federated accounts
  3. Alise associates different logins with web-session cookie
  4. REST interface provides (authenticated) access to this mapping

Live demo

Example request

curl  https://alise.data.kit.edu/api/v1/target/vega-kc/mapping\
      /issuer/$(urlencode.py https%3A%2F%2Flogin.helmholtz.de%2Foauth2)\
      /user/$(urlencode.py 6c611e2a-2c1c-487f-9948-c058a36c8f0e)\
      ?apikey=bnginyourdreamsinyourdreamslxbmu | jq

Example output

{
  "internal": {
    "sub": "3c498039-1754-4f9d-b71c-5c13739e8875",
    "iss": "https://sso.sling.si:8443/auth/realms/SLING",
    "username": "marcush",
    "last_seen": -930016800,
    "display_name": "Marcus Hardt"
  },
  "external": [
    {
      "sub": "d7a53cbe3e966c53ac64fde7355956560282158ecac8f3d2c770b474862f4756@egi.eu",
      "iss": "https://aai-demo.egi.eu/auth/realms/egi",
      "last_seen": 13552005600,
      "display_name": "Marcus Hardt"
    },
    {
      "sub": "104223951181002749851",
      "iss": "https://accounts.google.com/",
      "last_seen": 13552005600,
      "display_name": "Marcus H"
    },
    {
      "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e",
      "iss": "https://login.helmholtz.de/oauth2",
      "last_seen": 13552005600,
      "display_name": "Marcus Hardt"
    }
  ]
}
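A small client-side helper for the mapping request and response shown above, added here as an example and not part of the ALISE project's own code. It assumes the path layout on the slide is stable, percent-encodes the issuer and subject as single path segments (the job `urlencode.py` does in the slide's curl line), and returns the local username only when the queried (iss, sub) pair is actually present in the `external` list of the response.

```python
"""Added example: build an ALISE mapping URL and resolve a local username.

Assumption (not from the slides): the endpoint path layout shown on the
'Example request' slide is stable.
"""
import json
from urllib.parse import quote

ALISE_BASE = "https://alise.data.kit.edu/api/v1"  # base URL from the slides


def build_mapping_url(target: str, issuer: str, sub: str, apikey: str) -> str:
    """Build /target/<target>/mapping/issuer/<iss>/user/<sub>?apikey=...

    quote(..., safe="") also encodes ":" and "/", so the issuer URL becomes one
    path segment (https%3A%2F%2Flogin.helmholtz.de%2Foauth2) instead of being
    split into extra path components by the server.
    """
    return (f"{ALISE_BASE}/target/{quote(target, safe='')}/mapping"
            f"/issuer/{quote(issuer, safe='')}"
            f"/user/{quote(sub, safe='')}"
            f"?apikey={quote(apikey, safe='')}")


def resolve_local_username(mapping: dict, issuer: str, sub: str):
    """Return mapping['internal']['username'] only if (issuer, sub) appears
    among the linked external accounts, compared as exact strings; else None.
    A relying service should make this check rather than trust 'internal'
    blindly, so a lookup for one identity never yields another user's account.
    """
    for ext in mapping.get("external", []):
        if ext.get("iss") == issuer and ext.get("sub") == sub:
            return mapping["internal"]["username"]
    return None


# Constructed sample: the 'Example output' slide, trimmed to two external accounts.
SAMPLE_RESPONSE = json.loads("""{
  "internal": {"sub": "3c498039-1754-4f9d-b71c-5c13739e8875",
               "iss": "https://sso.sling.si:8443/auth/realms/SLING",
               "username": "marcush", "display_name": "Marcus Hardt"},
  "external": [
    {"sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e",
     "iss": "https://login.helmholtz.de/oauth2", "display_name": "Marcus Hardt"},
    {"sub": "104223951181002749851",
     "iss": "https://accounts.google.com/", "display_name": "Marcus H"}
  ]
}""")

if __name__ == "__main__":
    print(build_mapping_url("vega-kc", "https://login.helmholtz.de/oauth2",
                            "6c611e2a-2c1c-487f-9948-c058a36c8f0e", "APIKEY-PLACEHOLDER"))
    print(resolve_local_username(SAMPLE_RESPONSE, "https://login.helmholtz.de/oauth2",
                                 "6c611e2a-2c1c-487f-9948-c058a36c8f0e"))  # marcush
```

Note that the API key travels in the query string, so it ends up in client shell history and server access logs; treat it like a credential and rotate it if it leaks.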

API Key

Getting an apikey is simple:

curl  https://alise.data.kit.edu/api/v1/target/vega-kc/get_apikey \
      -H "Authorization: Bearer $(oidc-token egi)"

Timeline

Current state

  • Supported Computer Centres:
    • VEGA
    • KIT
  • Supported Identity Providers:
    • EGI-Checkin
    • Google
    • Helmholtz-ID
  • Services making use of ALISE:
    • dCache

Future Work

  • Include more sites
  • Support LDAP
  • Integrate with ssh-oidc

Questions