UmbrellaID Workshop: Keycloak

Tuesday 3 May 2022, 09:30 → 16:30 Europe/Zurich

UmbrellaID is the federated identity system for the users of the (European) large neutron and photon facilities.

This one day training is dedicated to the PaN community IT people that want to enable community AAI for their users. At the end of the training it is expected that you understand what UmbrellaID and the EOSC AAI federation is. A hands on session shall demonstrate how to integrate your services with UmbrellaID using Keycloak.

If you want to actively participate in the hands on session, you need to have your own Keycloak installation, see the following checklist. If you don't have that, you can still participate in the workshop and also take part in the hands on session as an observer.

Checklist for the hands on session:

• An installation of Keycloak
• Internet access from the host where they have installed Keycloak (ideally direct access, but HTTP proxy and reverse HTTP proxy are also valid)
• DNS resolution for the host with Keycloak installed should be in place and should be identical from
  everywhere (I.E. the machine should be referenced with the same domain name from the RI/lab intranet and public internet network)
• A valid X509 server certificate

The session recordings can be found here:

1. https://umbrellaid.org/zoom/2022-05-03-UmbrellaID-Workshop-Session-1.mp4
2. https://umbrellaid.org/zoom/2022-05-03-UmbrellaID-Workshop-Session-2.mp4

09:30 → 09:45 Welcome

Speaker: Rolf Krahl (Helmholtz-Zentrum Berlin für Materialien und Energie (HZB))

09:45 → 10:15 Introduction to UmbrellaID

What is UmbrellaID
How to request the integration of a service.

Speakers: Björn Erik Abt (PSI - Paul Scherrer Institut), Jean-François Perrin (ESRF)

2022 UmbrellaiD introduction.pdf

2022 UmbrellaiD introduction.pptx

10:15 → 10:45 Overview of the EOSC AAI Federation

Speaker: Christos Kanellopoulos

Introduction to the AARC BPA and the EOSC AAI.pdf

Introduction to the AARC BPA and the EOSC AAI.pptx

10:45 → 11:05 Morning Virtual Coffee Break

11:05 → 11:25 Authorisation Model

2 possible models will be presented
- Local mapping of identities at the SP level.
- Community model.

Speaker: Jean-François Perrin (ESRF)

Authorisation Models.pdf

Authorisation Models.pptx

11:25 → 12:15 SSO protocols: SAML and OIDC

Introduction of protocols.
Explanation of the workflows.
How are the tokens travelling?
Tools for debugging.
Q&A

Speakers: Björn Erik Abt (PSI - Paul Scherrer Institut), Christos Kanellopoulos

SSO-SAML.pdf

SSO-SAML.pptx

12:15 → 13:30 Lunch

13:30 → 13:50 cURL demonstration of OIDC and the integration in your application

Speakers: Björn Erik Abt (PSI - Paul Scherrer Institut), Christos Kanellopoulos

13:50 → 14:05 Keycloak introduction

Why setting up a local SSO for your organisation?
Why Keycloak?

Speaker: Jean-François Perrin (ESRF)

SSO - Keycloack.pdf

SSO - Keycloack.pptx

14:05 → 15:35 Hands on session: connecting your Keycloak to UmbrellaID

In order to get the full benefit from this session, participants need to have access to a running Keycloak accessible from the Internet. It should have access to the internet and should be accessible from the internet (ideally direct access, but HTTP proxy and reverse HTTP proxy are also valid scenarios to get these access). DNS resolution should be in place and should be identical from everywhere (I.E. the machine should be referenced with the same domain name from the RI/lab intranet and public internet network), you also need to have a valid X509 server certificate. Your Keycloak instance will be linked it to the UmbrellaID (acceptance or production) environment to demonstrate the full flow.

Speakers: Antoine Roux (ESRF), Christos Kanellopoulos, Jean-François Perrin (ESRF)

keycloak.pdf

15:35 → 15:50 Afternoon Virtual Coffee Break

15:50 → 16:10 Moonshot

Introduction to non web authentication
Demonstration of Moonshot

Speaker: Björn Erik Abt (PSI - Paul Scherrer Institut)

Moonshot-UmbrellaID.pdf

Moonshot-UmbrellaID.pptx

16:10 → 16:30 Wrapup and Q&A