All Tools

 

The AARC project performed an extensive survey of the AAI tools and technologies in use in the research and education community. The tools are compared in the following tables in terms of their respective feature sets. The features have ben grouped in five distinct use cases, namely: authentication, attribute management, discovery services, credential translation and attribute aggregation.
Each table includes the features used for the comparison in the rows, and one column for every tool or technology. The purpose of this comparison is not to suggest a preferred tool for every use case, since different communities have different requirements and there may not be one-size-fits-all solution.
Tools can support several use cases, therefore tools may  appear in more than one table, based on the use cases they support.

Authentication tools

Authentication technologies are the software and libraries that can be used to allow users to authenticate, and optionally if allowed by the identity provider and requested by the service provider, providing the identity information to another service.

 

 LCMAPSKerberosMoonshotsimpleSAMLphpUNITY
Authentication
workflow
Password,
RemoteUser,
RemoteUserInternal,
X509, X509Internal,
SPNEGO/Kerberos,
IPAddress,External
X.509 proxy
certificate
Username/password,
OTP,Kerberos ticket
Username/password
(any RADIUS EAP-
supported mechanism)
Username/password
from user repository
(SQL/LDAP/
RADIUS), X509
authentication through
userCertificate, LDAP,
social media
 
Username/Passwor
d, Client Certificate,
LDAP, Social Media
Supported standards
SAML 1.1/2.0,
X509, Kerberos,
LDAP, SQL
X.509 (RFC5280
and RFC3820),
VOMS
RFC 4121,RFC 4120
RFC3748,
RFC5247,
RFC7055
SAML 1.1/2.0, X509,
OpenID, OAuth 2.0,
Kerberos, VOOT,
SQL, LDAP, RADIUS
SAML 1.1/2.0,
X.509, OIDC, LDAP
HA deployment
yesDeployed in the serviceYes
RADIUS service
can be run in HA
environments
Yes, through multiple
memcached service
instances

Yes, relying on

database layer

LicenceOpen SourceOpen SourceOpen SourceOpen SourceOpen SourceOpen Source
Expected support level

Supported by the

Shibboleth consortium

Supported by NIKHEF

Supported by

Linux distributions

Supported by Jsic

Collaborative support,

large user communities

Supported by ICM, JSC,

funded by PLGrid

 

Authorisation

Services can implement authorisation policies based on external information or locally. For distributed infrastructures in particular, it is common for services to use an external policy engine to take authorisation decisions. The purpose for this configuration is to support centralised management of authorisation policies for security reasons, as well as to simplify configuration at service level.
 ARGUSLCMAPSmod_auth_mellon
Type of input attributes
SAML2-XACML2 attributes
X.509 and VOMS
X.509 proxy certificates with VOMS
extensions
SAML2 attributes
Support for policy management
Yes, ARGUS can import policies from
remote PAPs
Config file allows complicated flows
of plugins, including callouts to
remote services (such as Argus).
Basic policies via Apache HTTP
server config files
LoA supportSupported but needs extra plugins
Yes, via lcmaps-plugins-vo-ca-ap
Yes, if LoA information
available through SAML
attributes
HA deploymentYesDeployed with the servicesYes
LicenceOpen SourceOpen SourceOpen Source
MaintenanceINFN/NIKHEFNIKHEFCommunity support Uninett

Attribute management tools

The attribute management services store information associated with a user credential, or more user credentials. Identity providers usually provide information, attributes, to describe the user identity, where attribute providers are used by third parties to associate other, community-specific, information with a user.
Typical examples of attributes are membership to a research group, access rights to a service or a dataset orspecific roles within the collaboration.
Tools:VOMSHEXAACOmanageGrouperPerunUNITY
Input Standard
X.509
SAML2
SAML (via Apache)
SQL, LDAP, XML
SAML2, X.509
SAML2, X.509
SAML2,
X.509,
LDAP,
OIDC
Output StandardsX.509, SAMLSAML2
VOOT, LDAP,
SAML (via Shib
IdP)
LDAP, VOOT,
SCIM, XML
SAML2, VOOT
OIDC,
SAML
Handle attribute
release consent
NoYesNoNoNoYes
Membership life-
cycle management
YesNoYesNoYesNo (Planned)
VO OrganizationYesYesYesYesYesYes
Delegated organization
of the VO Groups
YesNoYesYesYesYes
HA
deployment
AvailableNoAvailableAvailablePartially AvailableAvailable
LicenceOpen SourceOpen SourceOpen SourceOpen SourceOpen SourceOpen Source

Expected level of

support
Supported by INFN,
bug fixes.
Supported by
SZTAKI and NIIFI
Supported by
Internet2 TIER,
various grants, and
other sources
Supported by
Internet2 TIER,
various grants, and
other sources
Supported by
CESNET and
Masaryk University.
Maintenance and
development.
Supported by ICM,
JSC and Funded by
PLGrid

 

 

 

  • No labels

1 Comment

  1. I don't claim to understand everything here, but if you include mod_auth_mellon (which is an implementation of a SAML2 Service Provider, based on LASSO) in section "Authorisation" why not also add SimpleSAMLphp and Shibboleth, which both provide SAML2 SP implementations as well?

    Collaborative support also goes for Shibboleth – the Consortium does not itself provide support, it collects and redistributes funds to ensure continued support, documentation and development of the software. And since the Shib community is much larger than SimpleSAMLphp's (the latter being listed here with "large user communities") you could probably state the same for Shib.