...
Choosing software to construct your AAI can be a minefield. You have probably heard many names of software and services but are not sure what they do or whether you need them. The sections below do not provide an exhaustive list but strive to demystify the names and include lessons learned by our community. Please be aware that the resources listed below are a curated resource of the AARC Community. Ongoing input is welcome!
...
| Software | Community Notes |
|---|---|
| Keycloak | Most experience is with the community version rather than the Red Hat build, which offers a support model. Keycloak has been found to be highly performant but is geared towards common industry use cases, i.e. service and identity provider integration is managed manually by Keycloak admins with the expectation that there is a fairly low number of them. Community experience with Keycloak highlights the following adaptations that are often made: |
| INDIGO IAM | Built-in support for AARC guidelines is being developed. INDIGO IAM provides backwards-compatibility features for the VOMS proxy authorisation required by some legacy grid infrastructure. Note that there is no support for SAML services, only OAuth. |
| | Provides features beyond AARC AAI, including account provisioning in LDAP, which is out of scope for many research communities. Initially built as an open-source alternative to Microsoft MIM. |
| didmos (NFDI, DAASI) | didmos is a modular open-source Identity and Access Management framework by DAASI International that provides flexible authentication and authorisation services through components such as the Authenticator (supporting the SAML/OIDC protocols through SATOSA or an integration with Shibboleth IdP), Core (for access control) and Federation Services, enabling organisations to implement customised IAM solutions. Import of users and attributes from databases can be configured, e.g. from an ERP or SAP system. Support for command-line workflows can be configured. SAML and OIDC/OAuth2 are supported for SSO integration. The company DAASI International can offer assistance with service setup and support. |
| Unity (B2Access, HIFIS, NFDI) | Unity IDM is an open-source identity and access management platform that serves as the core technology behind B2ACCESS, supporting federated authentication through the SAML, OAuth2 and X.509 protocols to enable single sign-on across European research infrastructures operated by EUDAT and hosted at Forschungszentrum Jülich. |
| RegAPP (NFDI) | RegApp is an open-source federated identity management system developed at KIT's SCC that provides an authentication and authorisation infrastructure (AAI). RegApp supports the SAML, OpenID Connect and LDAP protocols as well as two-factor authentication. |
| REMS | Resource Entitlement Management System (Finland), maintained in the CSC GitHub organisation (https://github.com/CSCfi/rems). |
| AcademicID (NFDI) | Academic ID is an authentication service developed and operated by GWDG that provides single sign-on access to their cloud platform and various IT services for universities and research institutions in Lower Saxony through federated authentication via DFN-AAI. (To check: AcademicID can be self-hosted, but is also offered as a solution hosted by GWDG - Peter Gietz.) |
| Perun AAI | Perun AAI is a comprehensive open-source AAI solution based on community standards (such as AARC and REFEDS) and focused on supporting research infrastructures. Its two main components are Perun IdM for user identity and access management, including the capability to (de)provision local service access, and Perun ProxyIdP for SSO, attribute enrichment and service-level access control. Additional side components are available for specific use cases. Perun AAI is co-developed by ISO27k-certified teams at CESNET and Masaryk University, which also host and operate most instances, the largest in the 10-100k user range with hundreds of services. |
| | The software behind CILogon. Actively developed with support from InCommon. |
...