| | LDAP Facade | Moonshot | Unity | CILogon |
|---|---|---|---|---|
| Description | | | | |
| Protocols | | | | |
| Translate from | SAML 2 | SAML/RADIUS | (one-time) passwords, challenge-response, X.509, LDAP/AD, SAML, OpenID, OAuth | SAML, OpenID, OAuth |
| Translate to | LDAP | GSS-API | Web UI, SAML 2 Web, SAML 2 WS, OpenID, OAuth1, LDAP (under development) | X.509 |
| Typical Use Case | | | | |
| Use Case | Access to resources via ssh/sftp (gridFTP planned) | Access to web and non-web resources, e.g. GSS-enabled SSH server, Apache, MS Exchange | Translation between different SSO protocols, (inter-)federation, IdMaaS | Provide certificates for accessing grid resources (gridFTP, WS, Globus Gatekeeper) |
| Example | bwIDM (federation of non-web-based services in the State of Baden-Württemberg) | EUPanData (access to data using Shibboleth authentication) | EUDAT B2ACCESS | CILogon Service (provides certificates for the InCommon federation) |
| Requirements | | | | |
| R4 Community-based authorisation | | | | |
| R7 Federation solutions based on open and standards-based technologies | | | | |
| R8 Persistent user identifiers | | | | |
| R9 Unique user identities | | | | |
| R11 Up-to-date identity information | In the current implementation the IdP must support either the ECP (Enhanced Client or Proxy) or the AQ (Attribute Query) SAML profile, which is not the common case for IdPs. | | | |
| R12 User groups and roles | Managing groups requires defining rules based on the attributes exposed by the IdP. | Roles are not supported by Unix accounts. | | Support for groups usually requires extensions to the (proxy) certificate (e.g. VOMS) that plain CILogon does not provide. This functionality was added by the AARC CILogon pilots. |
| R14 Browser & non-browser based federated access | For non-web access the LDAP endpoint could be used, but: | | | |
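The LDAP Facade column above says that R12 (groups and roles) is only met by defining rules over the attributes the IdP releases, and that R8/R9 depend on a persistent, unique identifier. The following is an added illustration of that translation step, written for this page; it is not bwIDM or LDAP Facade code. The rule set, attribute names beyond the standard eduPerson ones, and the `dc=facade,dc=example` base DN are constructed assumptions.

```python
"""Translate released SAML attributes into an LDAP entry with rule-derived groups.

Added example (not LDAP Facade / bwIDM code). The RULES table and the facade
base DN are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

FACADE_BASE = "dc=facade,dc=example"  # assumed directory suffix of the facade


@dataclass(frozen=True)
class GroupRule:
    """If any value of `attribute` matches `pattern`, the user joins `group` (R12)."""
    attribute: str
    pattern: str
    group: str


# Constructed rule set: a real deployment would derive this from its community policy.
RULES = [
    GroupRule("isMemberOf", r"^cn=hpc-users,", "hpc-users"),
    GroupRule("eduPersonEntitlement", r"^urn:geant:example\.org:group:storage", "storage"),
    GroupRule("eduPersonScopedAffiliation", r"^(faculty|staff)@", "staff"),
]


def derive_groups(attrs, rules=RULES):
    """Apply every rule to the multi-valued attribute set; return sorted group names."""
    groups = set()
    for rule in rules:
        for value in attrs.get(rule.attribute, []):
            if re.search(rule.pattern, value):
                groups.add(rule.group)
    return sorted(groups)


def derive_uid(attrs):
    """Build the persistent, unique local identifier (R8/R9).

    Only a single, scoped eduPersonPrincipalName is accepted: keeping the scope
    in the uid prevents two IdPs from colliding on the same local part.
    """
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1 or "@" not in eppn[0]:
        raise ValueError("assertion lacks a single scoped eduPersonPrincipalName")
    local, _, scope = eppn[0].partition("@")
    # POSIX-safe: lower-case, non-alphanumerics replaced, scope retained.
    return re.sub(r"[^a-z0-9]", "_", f"{local}_{scope}".lower())


def translate_to_ldap_entry(attrs):
    """Produce the entry the facade would serve to ssh/sftp clients over LDAP."""
    uid = derive_uid(attrs)
    return {
        "dn": f"uid={uid},ou=people,{FACADE_BASE}",
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": [uid],
        "cn": attrs.get("displayName", [uid])[:1],
        "mail": attrs.get("mail", []),
        "memberOf": [f"cn={g},ou=groups,{FACADE_BASE}" for g in derive_groups(attrs)],
    }


def to_ldif(entry):
    """Render the entry as LDIF text (one attribute value per line)."""
    lines = [f"dn: {entry['dn']}"]
    for name, values in entry.items():
        if name == "dn":
            continue
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines) + "\n"


# Constructed sample of attributes an IdP might release (not a real assertion).
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["alice@example.org"],
    "displayName": ["Alice Example"],
    "mail": ["alice@example.org"],
    "isMemberOf": ["cn=hpc-users,ou=groups,dc=example,dc=org"],
    "eduPersonScopedAffiliation": ["staff@example.org"],
}

if __name__ == "__main__":
    print(to_ldif(translate_to_ldap_entry(SAMPLE_ATTRS)))
```

The point the table makes shows up directly: if the IdP releases neither `isMemberOf` nor a usable entitlement, `derive_groups` returns nothing and R12 is not met, and an assertion without a scoped `eduPersonPrincipalName` is rejected rather than mapped to an ambiguous account.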