...
Commonly used Software and Service ComponentsComponents
The following table is included to demystify some of the software or service terms you may come across in AARC BPA inspired AAIs. It is not an exhaustive list and input is welcome.
Software or Service | AARC BPA Component | Purpose | Community Notes |
User Identity (SAML as of 2025 - and OIDC in the future) | User authentication from home organisation to your Research Community | To use eduGAIN you will need to join a national federation. Some national federations may offer additional services, such as a hosted Identity provider, that you may find useful. OpenID Federation is a work in progress | |
User Identity (OIDC) | User authentication using their self-managed ORCID account | Many communities offer ORCID as a way for users to authenticate (or to add their ORCID ID as another attribute to their user object). ORCID supports OpenID. | |
Decentralised Identity | User Identity | User authentication use their self-managed identity | There is little current experience with using Decentralised Identity (e.g. Wallets). This is being explored in the AARC TREE project. |
User Identity (X.509) | User authentication with an end-user X.509 certificate. Required for some legacy grid workflows (e.g. for the physics community) | Only available to members of participating NRENs. | |
Access Protocol Translation “Discovery Service” | Users select their home organisation for authentication, which is persisted in their browser to improve usability. | You can use the hosted service or run it yourself (the underlying software is thiss-js). You can optionally configure a filter to show a limited set of identity providers. | |
Access Protocol Translation “Metadata Query” | A store of SAML metadata that is trusted by your Research Community and used by your discovery service | PyFF is recommended as a tool for filtering metadata but no longer as a Metadata Query engine | |
Access Protocol Translation “Metadata Query” | A store of SAML metadata that is trusted by your Research Community and used by your discovery service | An implementation of the metadata query protocol (MDQ) for JSON metadata only. Explore only if you are running a standalone instance of thiss-js and pyFF.io or similar and have performance challenges. | |
Access Protocol Translation “Proxy” | A configurable proxy for translating between different authentication protocols such as SAML2, OpenID Connect and OAuth2. | Other Identity Python modules are typically run alongside Satosa, such as the consent service, Seamless Access and/or PyFF. | |
Access Protocol Translation “Proxy” | A PHP based proxy with many extensions available. | Many research institutions run SimpleSAMLphp as the basis for their AAI. Despite the name it supports many protocols including OIDC. It can also be used as both an Identity or Service Provider supporting various protocols. | |
Access Protocol Translation “Proxy” | Java based Identity Provider with proxy support | Shibboleth Identity Provider is a SAML Identity Provider (IdP) with proxy support. Combined with the OpenID Connect Provider (OIDC OP) and OpenID Relying Party (OIDC RP) plugins, it acts as a full access protocol translation proxy. Plugins for OpenID Federation (OIDFed), OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP) are under development. | |
End Services (OIDC) | OpenID Federations Trust Anchor | ||
End Services (OIDC) | OIDFed for services | Forward Authentication to add OIDFed to existing (OIDC) services | |
End Services (OIDC) | Access Tokens for long running jobs | (see also htgettoken & vault - to be added) | |
ssh-oidc | End Services (SSH) | SSH with federated identities | Multiple solutions exist. ssh-certificates seem to be preferable over PAM solutions. |
End Services (OIDC) | Enable command line OIDC workflows | oidc-agent is a set of tools to manage OpenID Connect tokens and make them easily usable from the command line. | |
End Services (OIDC) | Protect end services using the OpenID Connect protocol | OpenID Connect Relying Party module for the Apache web server Also add: other plugins, also for OAuth2 Resource servers and for NGINX: https://www.openidc.com/#software | |
End Services (SAML) | Protect end services using the SAML protocol | Shibboleth Service Provider is a SAML Service Provider (SP). In this context it is most interesting to research communities as a way to protect their end services using SAML without having to implement SAML oneself. See also Shibboleth IdP above. | |
Authorisation | Authorisation/Data access management support support (can be federated) | Resource Entitlement Management System is a service component that organises and harmonises and communicates (SAML, OIDC, GA4GH) resource access application process. Requires (federated) identity service. Similar to COManage and Perun? |