...
| | LDAP Facade | Moonshot | Unity | CILogon |
|---|---|---|---|---|
| Description | | | | |
| Protocols | | | | |
| Translate from | SAML 2 | SAML/RADIUS | (one-time) passwords, challenge-response, X.509, LDAP/AD, SAML, OpenID, OAuth | SAML, OpenID, OAuth |
| Translate to | LDAP | GSS-API | Web UI, SAML 2 Web, SAML 2 WS, OpenID, OAuth 1, LDAP (under development) | X.509 |
| Typical Use Case | | | | |
| Use Case | Access to resources via ssh/sftp; gridFTP planned | Access to web and non-web resources, e.g. GSS-enabled SSH server, Apache, MS Exchange | Translation between different SSO protocols, (inter-)federation, IdMaaS | Provide certificates for accessing grid resources (gridFTP, WS, Globus Gatekeeper) |
| Example | bwIDM (Federation of non-web-based services in the State of Baden-Württemberg) | EUPanData (access to data using Shibboleth authentication) | EUDAT B2ACCESS | CILogon Service (provides certificates for the InCommon federation) |
| Requirements | | | | |
| R4 Community-based authorisation | | | | |
| R7 Federation solutions based on open and standards-based technologies | | | | |
| R8 Persistent user identifiers | | | | |
| R9 Unique user identities | | | | |
| R11 Up-to-date identity information | In the current implementation the IdP must support either the ECP or the AQ SAML profile, which is not the common case for IdPs. | | | |
| R12 User groups and roles | Managing groups requires defining rules based on attributes exposed by the IdP. | Roles are not supported by Unix accounts. | | Support for groups usually requires extensions to the (proxy) certificate (e.g. VOMS) that plain CILogon does not support; this functionality was added by the AARC CILogon pilots. |
| R14 Browser & non-browser based federated access | For non-web access an LDAP endpoint could be used, but: | | | |