All Tools
The AARC project performed an extensive survey of the AAI tools and technologies in use in the research and education community. The tools are compared in the following tables in terms of their respective feature sets. The features have been grouped in five distinct use cases, namely: authentication, attribute management, discovery services, credential translation and attribute aggregation.
Each table lists the features used for the comparison in the rows, with one column for every tool or technology. The purpose of this comparison is not to suggest a preferred tool for every use case, since different communities have different requirements and there may not be a one-size-fits-all solution.
Tools can support several use cases, therefore tools may appear in more than one table, based on the use cases they support.
Authentication tools
Authentication technologies are the software and libraries that can be used to allow users to authenticate and, optionally, if allowed by the identity provider and requested by the service provider, to provide the resulting identity information to another service.
Tools: | Shibboleth | LCMAPS | Kerberos | Moonshot | simpleSAMLphp | UNITY |
---|---|---|---|---|---|---|
Authentication workflow | Password, RemoteUser, RemoteUserInternal, X509, X509Internal, SPNEGO/Kerberos, IPAddress, External | X.509 proxy certificate | Username/password, OTP, Kerberos ticket | Username/password (any RADIUS EAP-supported mechanism) | Username/password from user repository (SQL/LDAP/RADIUS), X509 authentication through userCertificate, LDAP, social media | Username/Password, Client Certificate, LDAP, Social Media |
Supported standards | SAML 1.1/2.0, X509, Kerberos, LDAP, SQL | X.509 (RFC 5280 and RFC 3820), VOMS | RFC 4120, RFC 4121 | RFC 3748, RFC 5247, RFC 7055 | SAML 1.1/2.0, X509, OpenID, OAuth 2.0, Kerberos, VOOT, SQL, LDAP, RADIUS | SAML 1.1/2.0, X.509, OIDC, LDAP |
HA deployment | Yes | Deployed in the service | Yes | RADIUS service can be run in HA environments | Yes, through multiple memcached service instances | Yes, relying on database layer |
Licence | Open Source | Open Source | Open Source | Open Source | Open Source | Open Source |
Expected support level | Supported by the Shibboleth consortium | Supported by NIKHEF | Supported by Linux distributions | Supported by Jisc | Collaborative support, large user communities | Supported by ICM, JSC, funded by PLGrid |
Authorisation
Services can implement authorisation policies locally or based on external information. For distributed infrastructures in particular, it is common for services to use an external policy engine to take authorisation decisions. The purpose of this configuration is to support centralised management of authorisation policies, for security reasons, and to simplify configuration at the service level.
Tools: | ARGUS | LCMAPS | mod_auth_mellon |
---|---|---|---|
Type of input attributes | SAML2-XACML2 attributes, X.509 and VOMS | X.509 proxy certificates with VOMS extensions | SAML2 attributes |
Support for policy management | Yes, ARGUS can import policies from remote PAPs | Config file allows complicated flows of plugins, including callouts to remote services (such as Argus) | Basic policies via Apache HTTP server config files |
LoA support | Supported but needs extra plugins | Yes, via lcmaps-plugins-vo-ca-ap | Yes, if LoA information is available through SAML attributes |
HA deployment | Yes | Deployed with the services | Yes |
Licence | Open Source | Open Source | Open Source |
Maintenance | INFN/NIKHEF | NIKHEF | Community support (Uninett) |
Attribute management tools
The attribute management services store information associated with one or more user credentials. Identity providers usually provide information, in the form of attributes, to describe the user identity, whereas attribute providers are used by third parties to associate other, community-specific, information with a user.
Typical examples of attributes are membership of a research group, access rights to a service or a dataset, or specific roles within the collaboration.
Tools: | VOMS | HEXAA | COmanage | Grouper | Perun | UNITY |
---|---|---|---|---|---|---|
Input Standard | X.509 | SAML2 | SAML (via Apache) | SQL, LDAP, XML | SAML2, X.509 | SAML2, X.509, LDAP, OIDC |
Output Standards | X.509, SAML | SAML2 | VOOT, LDAP, SAML (via Shib IdP) | LDAP, VOOT, SCIM, XML | SAML2, VOOT | OIDC, SAML |
Handle attribute release consent | No | Yes | No | No | No | Yes |
Membership life-cycle management | Yes | No | Yes | No | Yes | No (Planned) |
VO Organization | Yes | Yes | Yes | Yes | Yes | Yes |
Delegated organization of the VO Groups | Yes | No | Yes | Yes | Yes | Yes |
HA deployment | Available | No | Available | Available | Partially Available | Available |
Licence | Open Source | Open Source | Open Source | Open Source | Open Source | Open Source |
Expected level of support | Supported by INFN, bug fixes. | Supported by SZTAKI and NIIFI | Supported by Internet2 TIER, various grants, and other sources | Supported by Internet2 TIER, various grants, and other sources | Supported by CESNET and Masaryk University. Maintenance and development. | Supported by ICM, JSC and Funded by PLGrid |
1 Comment
Peter Brand
I don't claim to understand everything here, but if you include mod_auth_mellon (which is an implementation of a SAML2 Service Provider, based on LASSO) in section "Authorisation", why not also add SimpleSAMLphp and Shibboleth, which both provide SAML2 SP implementations as well?

Collaborative support also goes for Shibboleth – the Consortium does not itself provide support; it collects and redistributes funds to ensure continued support, documentation and development of the software. And since the Shib community is much larger than SimpleSAMLphp's (the latter being listed here with "large user communities") you could probably state the same for Shib.