
Compared solutions: LDAP Facade, Moonshot, Unity, CILogon

Description

Protocols

Translate from
  • LDAP Facade: SAML 2
  • Moonshot: SAML/RADIUS
  • Unity: (one time) passwords, challenge-response, X509, LDAP/AD, SAML, OpenId, OAuth
  • CILogon: SAML, OpenId, OAuth

Translate to
  • LDAP Facade: LDAP
  • Moonshot: GSS-API
  • Unity: Web UI, SAML 2 Web, SAML 2 WS, OpenId, OAuth1, LDAP (under development)
  • CILogon: X509

Typical Use Case

Use Case
  • LDAP Facade: access to resources via ssh/sftp; gridFTP in plans
  • Moonshot: access to web and non-web resources, e.g. GSS-enabled SSH server, Apache, MS Exchange
  • Unity: translation between different SSO protocols, (inter-)federation, IdMaaS
  • CILogon: provide certificates for accessing grid resources (gridFTP, WS, Globus Gatekeeper)

Example
  • LDAP Facade: bwIDM (federation of non-web-based services in the State of Baden-Württemberg)
  • Moonshot: EUPanData (access to data using Shibboleth authentication)
  • Unity: EUDAT B2ACCESS
  • CILogon: CILogon Service (provides certificates for the InCommon federation)
Requirements

R4 Community-based authorisation
  • LDAP Facade, Moonshot, Unity, CILogon: (tick)

R7 Federation solutions based on open and standards-based technologies
  • LDAP Facade, Moonshot, Unity, CILogon: (tick)

R8 Persistent user identifiers
  • LDAP Facade, Moonshot, Unity, CILogon: (tick)

R9 Unique user identities
  • LDAP Facade, Moonshot, Unity, CILogon: (tick)

R11 Up-to-date identity information
  • LDAP Facade: (question) In the current implementation the IdP must support either the ECP or the AQ SAML profile, which is not the common case for IdPs.
  • Moonshot: (tick)
  • Unity: (tick)
  • CILogon: (tick)

R12 User groups and roles
  • LDAP Facade: (question) Managing groups requires defining rules based on attributes exposed by the IdP. Roles are not supported by Unix accounts.
  • Moonshot: (question) Roles are not supported by Unix accounts.
  • Unity: (tick)
  • CILogon: (question) Support for groups usually requires extensions to the (proxy) certificate (e.g. VOMS) that plain CILogon does not support. This functionality was added by the AARC CILogon pilots.

R14 Browser & non-browser based federated access
  • LDAP Facade: (tick)
  • Moonshot: (tick)
  • Unity: (question) For non-web access the LDAP endpoint could be used, but:
      1. It is still under development
      2. It does not fulfil R11
  • CILogon: (tick)
R1 User and Service Provider friendliness

LDAP Facade

User

(lightbulb) Requires a registration step (accept terms and conditions, set up a local password if required), to be done once via the web interface.

(thumbs up) Standard client software.

(thumbs up) If the ECP or AQ SAML profile can be used, the user may log in directly to the resource.

(thumbs down) If the ECP or AQ SAML profile cannot be used, the user must log in to the web interface before logging in to the resource (both solutions, with tokens or with limited-time accounts).

(thumbs down) Lack of help/howto.

Service Provider

(thumbs down) Software is not packaged; it must be compiled, deployed and configured by the admin.

(thumbs up) Good installation documentation.

(thumbs up) The web portal is complex and gives lots of functionality (resource management, group management, rules, statistics).

(thumbs down) Lack of portal help/howto and general documentation (description of concepts etc.).

(thumbs down) Certain versions of the underlying software are required, so it is recommended to install some pieces manually.

(thumbs down) The piloting showed some issues with underlying software (e.g.

(thumbs down) Admin interface is not completely translated to English.