You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

 

 

 LDAP FacadeMoonshotUnityCILogon
Description

LDAP Facade is a solution to access non-web resources (e.g. available via SSH protocol) based on the idea of FACIUS.

LDAP Facade application works as SAML SP, implements web portal for admins (management) and users (resource provisioning), as well as LDAP and REST API interfaces for non-web resources.

Moonshot is a single, unifying technology that enables you to effectively manage and control access to a wide range of web and non-web services and applications.It builds on deployed, proven technology, including:

  • Authentication as used by eduroam (EAP/RADIUS)
  • Authorisation as used by many national federations (SAML)
  • Service/application integration as used by many major applications (GSI-API).

Unity is a complete solution for identity, federation and inter-federation management. It allows its administrators to enable authentication (or login) using various protocols, with different configurations for many relaying parties. The actual authentication can be performed using the built-in, feature-rich users database or can be delegated to one of supported upstream IdPs. The information obtained from upstream IdPs can be flexibly translated and merged with the local database (if needed) and re-exported using other protocols.

Thus typical Unity use case is working as IdP or token translation service.

CILogon is a solution that provides a federated X.509 Certification Authority. The users may login to CILogon web portal using credentials from their home institutionas and request (typically short-term) certificates and the service automatically signs the requested certificates. Then the certificate may be used to access non-web resources.
OrganizationKarlsruhe Institute of Technology (KIT)JiscICM (University of Warsaw)
PL-Grid
UNICORE
Cybersecurity Directorate, National Center for Supercomputing Applications, University of Illinois.
WWWhttp://wiki.data.kit.edu/index.php/LDAP-Facade

https://www.jisc.ac.uk/rd/projects/moonshot

https://wiki.moonshot.ja.net

http://www.unity-idm.euhttp://www.cilogon.org
Protocols
Translate fromSAML 2SAML/RADIUS(one time) passwords
challenge-response
X509
LDAP/AD
SAML
OpenId
OAuth
SAML
OpenId
OAuth
Translate toLDAPGSS-APIWeb UI
SAML 2 Web
SAML 2 WS
OpenId
OAuth1
LDAP (under development)
X509
Typical Use Case
Use CaseAccess to resource via ssh/sftp, gridFTP in plansAccess to web and non-web resources , e.g. GSS enabled SSH server, Apache, MS ExchangeTranslation between different SSO protocols, (inter-) federation, IdMaaSProvide certificates for accessing grid resources (gridFTP, WS, Globus Gatekeeper)
ExamplebwIDM (Federation of non Web-based Services in the State of Baden-Württemberg)EUPanData (access to data using Shibboleth authentication)EUDAT B2ACCESSCILogon Service (provide certificates for InCommon federation)
Requirements
R4 Community-based authorisation(tick)(tick)(tick)(tick)
R7 Federation solutions based on open and standards-based technologies(tick)(tick)(tick)(tick)
R8 Persistent user identifiers(tick)(tick)(tick)(tick)
R9 Unique user identities(tick)(tick)(tick)(tick)
R11 Up-to-date identity information

(question)

In the current implementation, the IdP must support either ECP or AQ SAML profile, which is not the common case for IdPs.

(tick)(tick)(tick)
R12 User groups and roles

(question)

Managing groups require defining rules based on attributes exposed by IdP.
Roles are not supported by Unix accounts.

(question)

Roles are not supported by Unix accounts.

(tick)

(question)

Support for groups usually requires some extensions to the (proxy) certificate (e.g. VOMS) not supported by plain CILogon. This functionality was added by AARC CILogon pilots.

R14 Browser & non-browser based federated access(tick)(tick)

(question)

For non-web access LDAP endpoint could be used, but:

  1. It us still under development
  2. It doesn't fulfil R11
(tick)
R1 User and Service Provider friendliness
User

(lightbulb)  Requires registration step (accept terms and conditions, setup local password if required) -to be done once via web interface.

(thumbs up) Standard/legacy client software

(thumbs up) If ECP or AQ SAML profile can be used,  the user may login directly to the resource

(thumbs down) If ECP or AQ SAML profile cannot be used,  the user must login to the web interface prior logging to the resource (both solutions with tokens or limited time accounts)

(thumbs down) Lack of help/howto.

(thumbs down) Standard/legacy client software doesn't work, additional components on user side must be installed

(thumbs up) Good documentation, mailing list and support

  
Service Provider

(thumbs down) Software is not packaged, must be compiled, deployed and  configured by the admin

(thumbs up) Good installation documentation

(thumbs up) The web portal is complex -gives lots of functionality (resource management, group management, rules, statistics)

(thumbs down) Lack of portal help/howto and general documentation (description of concepts etc.)

(thumbs down) There is need for certain versions of underlying software, thus it is recommended to install some pieces manually

(thumbs down) The piloting showed some issues with underlying software (e.g.

(thumbs down) Admin interface is not completely translated to English

(thumbs up) Complete servers on live-DVD

(thumbs down) Still there can be an issues after OS update

(thumbs down) Deployment on existing system may be more difficult

(thumbs up) Comprehensive documentation, mailing list and support

(lightbulb)  Requires authentication infrastructure -the approach is good to build things from scratch, but difficult to be deployed in existing infrastructure

  
     
  • No labels