The Distributed Computing Access with Federated Identities (DCAFI) Project has been moving full steam ahead this summer. The short-term goal of the project is to move all Fermilab users from Fermi KCA, which is being planned to shut down at the end of September, to the new Certificate service provided by the CILogon Basic CA. However, the long-term goal is more ambitious than that: making access to Fermilab easy and convenient for all Fermilab users, even for those without Fermilab accounts. In the first phase of DCAFI, we allowed our users to get access to Fermilab by just using their SERVICES domain credentials, removing our dependency on Kerberos accounts. In the second phase of the project, we plan to use the native access credentials from a user’s home organization without forcing them to get new accounts at Fermilab. All of these changes will be integrated into the CILogon Basic CA and will be transparent to the user.
To accomplish our short-term goal, we have been transitioning experiments to CILogon Basic CA all summer. DUNE, MINOS, Mu2e, MicroBooNE, NOvA are among the VOs that have been transitioned. We are happy to report that so far the transition has been very smooth and had no significant impact on VO production. The mechanics of the change have been well hidden from the VOs and required minimal changes to VO-specific software. We have a handful of VOs left in our transition phase, which we will finish by the end of August. After the transition phase, we will start working on DCAFI Phase 2 which will truly bring the federated identities to our lab.
— Mine Altunay