...
Choosing software to construct your AAI can be a minefield. You have probably heard the names of many software packages and services but are not sure what they do or whether you need them. The sections below do not provide an exhaustive list but strive to demystify the names and include lessons learned by our community. Please be aware that the resources listed below are curated by the AARC Community. Ongoing input is welcome!
...
| Service | Community Notes |
| --- | --- |
| GEANT Core AAI (eduTEAMS) | Significant experience in running AAIs that support AARC guidelines. |
|  | Primary target: users of the B2 Suite from EUDAT. |
| MyAccessID | The MyAccessID Identity and Access Management Service is provided by GEANT with the purpose of offering a common identity layer for Infrastructure Service Domains (ISDs). |
|  | Primary target: DE. |
|  | Primary target: NL. |
| UK-IRIS | Primary target: UK. |
| LS AAI | Primary target: Life Sciences. LS AAI is one of the instances powered by the AARC-based Perun AAI solution. LS AAI targets Life Science RIs, offering community management and integrated computational platforms and data services. It is operated jointly by Masaryk University and CSC, which also provide user support and a CSIRT. |
|  | Components for data quality, data standards, and technical infrastructure standards and APIs needed to federate sensitive health data access in genomics. Depends on Life Science Login. |
|  | A multi-tenant capable hosted Community AAI. Provides VO management, supports SAML and OIDC, and includes a proxy to interact with other proxies, such as eduID or generic infrastructure proxies. See also didmos below. Primary target: DE, but some customers are outside. |
| RCIAM | The RCIAM solution by GRNET is a suite of open-source IAM tools, aligned with the AARC Blueprint Architecture. It includes a multi-protocol Service Proxy (based on a Keycloak fork) supporting OAuth2, OpenID Connect, and SAML; a Keycloak group management extension enabling authorisation; and a service management portal for onboarding and managing services (based on the RCIAM Federation Registry). It is used, for example, by EGI Check-in and the EOSC EU Node Infrastructure Proxy for EOSC Core Services. |
...
| Software | Community Notes |
| --- | --- |
| Keycloak | Most experience is with the community version rather than the Red Hat build, which offers a support model. Keycloak has been found to be highly performant but is geared towards common industry use cases, i.e. service and identity provider integration is managed manually by Keycloak admins with the expectation that there is a fairly low number of them. Community experience with Keycloak highlights the following adaptations that are often made: |
| INDIGO IAM | Built-in support for AARC guidelines is being developed. INDIGO IAM provides backwards-compatibility features for the VOMS proxy authorisation required by some legacy grid infrastructure. Note that there is no support for SAML services, only OAuth. |
|  | Provides features beyond AARC AAI, including account provisioning in LDAP, which is out of scope for many research communities. Initially built as an open-source alternative to Microsoft MIM. |
| didmos (NFDI, DAASI) | didmos is a modular open-source Identity and Access Management framework by DAASI International that provides flexible authentication and authorisation services through components such as the Authenticator (supporting SAML/OIDC protocols through SATOSA or an integration with Shibboleth IdP), Core (for access control), and Federation Services, enabling organisations to implement customised IAM solutions. Import of users and attributes from databases can be configured, e.g. from an ERP or SAP system. Support can be configured for command-line workflows. SAML and OIDC/OAuth2 are supported for SSO integration. The company DAASI International can offer assistance with service setup and support. |
| Unity (B2Access, HIFIS, NFDI) | Unity IDM is an open-source identity and access management platform that serves as the core technology behind B2ACCESS, supporting federated authentication through SAML, OAuth2, and X.509 protocols to enable single sign-on across European research infrastructures operated by EUDAT and hosted at Forschungszentrum Jülich. |
| RegAPP (NFDI) | RegApp is an open-source federated identity management system developed at KIT's SCC that provides authentication and authorisation infrastructure (AAI). RegApp supports the SAML, OpenID Connect and LDAP protocols as well as two-factor authentication. |
| REMS | Resource Entitlement Management System (Finland); source in the CSC GitHub (https://github.com/CSCfi/rems). |
| AcademicID (NFDI) | AcademicID is an authentication service developed and operated by GWDG that provides single sign-on access to its Cloud platform and various IT services for universities and research institutions in Lower Saxony through federated authentication via DFN-AAI. (To check: AcademicID can be self-hosted, but is also offered as a solution hosted by GWDG - Peter Gietz). |
| Perun AAI | Perun AAI is a comprehensive open-source AAI solution based on community standards (such as AARC and REFEDS) and focused on supporting research infrastructures. Its two main components are Perun IdM for user identity and access management, including the capability to (de)provision local service access, and Perun ProxyIdP for SSO, attribute enrichment and service-level access control. Additional side components are available for specific use cases. Perun AAI is co-developed by ISO27k-certified teams at CESNET and Masaryk University, which also host and operate most instances, the largest in the 10-100k user range with hundreds of services. |
|  | The software behind CILogon. Actively developed with support from InCommon. |
...