Choosing software to construct your AAI can be a minefield. You have probably heard the names of many software products and services but are not sure what they do or whether you need them. The sections below do not provide an exhaustive list but strive to demystify the terms and include lessons learned by our community. Ongoing input is welcome.

Many items below receive support through the European Commission and/or NRENs, highlighting the importance of sustainable funding models for AAI.

Complete AAI Solutions

Several software solutions can provide all, or nearly all, of the components that you will need for your AAI. Care must be taken to configure them in a way that supports the AARC guidelines. 

The NFDI project has completed a feature comparison of several offerings, which may be useful for further information: https://www.nfdi-aai.de/community-aai-software/#feature-matrix

Hosted

Some of the following are offered free of charge whilst others operate on a paid subscription. The best place to start to see whether you are eligible is often your national NREN.

Service

Community Notes

CILogon

Significant experience in running AAIs that support AARC guidelines

EGI Check-In 

Significant experience in running AAIs that support AARC guidelines

GEANT Core AAI

Significant experience in running AAIs that support AARC guidelines

B2ACCESS

Primary target: users of the B2 Suite from EUDAT

NFDI AAI

Primary target: DE

SURF Research Access Management (SRAM)

Primary target: NL

UK-IRIS

Primary target: UK

LS AAI

Primary target: Life Sciences. 

LS AAI is one of the instances powered by the AARC-based Perun AAI solution. LS AAI targets Life Science RIs, offering community management and integrated computational platforms and data services. It is operated jointly by Masaryk University and CSC, which also provide user support and a CSIRT.

EU 1+MG framework

Components for data quality, data standards, and technical infrastructure standards and APIs needed to federate sensitive health data access in genomics. Depends on Life Science Login. 

didmos-as-a-service 

A multi-tenant capable hosted Community AAI. Provides VO management, supports SAML and OIDC, and includes a proxy to interact with other proxies, such as eduID or generic infrastructure proxies. See also didmos below. Primary target: DE, but some customers are outside Germany.

RCIAM

The RCIAM solution by GRNET is a suite of open-source IAM tools, aligned with the AARC Blueprint Architecture. It includes a multi-protocol Service Proxy (based on a Keycloak fork) supporting OAuth2, OpenID Connect, and SAML; a Keycloak group management extension enabling authorisation; and a service management portal for onboarding and managing services (based on the RCIAM Federation Registry). It is used, for example, by EGI Check-in and the EOSC EU Node Infrastructure Proxy for EOSC Core Services.

Self Hosted

If you plan to host your own AAI we strongly suggest benefiting from the AARC Community’s existing knowledge of the following software solutions. Reinventing the AAI wheel can be a long and painful process and the AARC Community is here to help. Contact information is available at https://aarc-community.org/

Software

Community Notes

Keycloak

Most experience is with the community version rather than the Red Hat build, which offers a support model. Keycloak has been found to be highly performant but is geared towards common industry use cases, i.e. service and identity provider integration is managed manually by Keycloak admins with the expectation that there is a fairly low number of them. Community experience with Keycloak highlights the following adaptations that are often made:

  • Keycloak does not support multilateral federation, but you can use a secondary proxy (e.g. Satosa or SimpleSAMLphp) as a bridge between Keycloak and eduGAIN.
  • Several communities have developed AARC extensions for Keycloak, e.g. to support the AARC recommended attribute formats.
  • Several communities have developed secondary software to allow end users to register services (known as clients in Keycloak) in a managed way. See RCIAM above or the Keycloak REST Adapter.

INDIGO IAM

Built-in support for AARC guidelines is being developed. INDIGO IAM provides backwards compatibility features for VOMS Proxy authorisation required by some legacy grid infrastructure. Note that there is no support for SAML services, only OAuth.

MidPoint

Provides features beyond AARC AAI, including account provisioning in LDAP, which is out of scope for many research communities. Initially built as an open source alternative to Microsoft MIM.

didmos (NFDI, DAASI)

didmos is a modular open-source Identity and Access Management framework by DAASI International that provides flexible authentication and authorization services through components such as the Authenticator (supporting SAML/OIDC protocols through Satosa or an integration with Shibboleth IdP), Core (for access control), and Federation Services, enabling organisations to implement customised IAM solutions. Import of users and attributes from databases can be configured, e.g. from an ERP or SAP system. Support can be configured for command line workflows. SAML and OIDC/OAuth2 are supported for SSO integration. The company DAASI International can offer assistance with service setup and support.

Unity (B2Access, HIFIS, NFDI)

Unity IDM is an open-source identity and access management platform that serves as the core technology behind B2ACCESS, supporting federated authentication through SAML, OAuth2, and X.509 protocols to enable single sign-on across European research infrastructures operated by EUDAT and hosted at Forschungszentrum Jülich.

RegAPP (NFDI)

RegApp is an open-source federated identity management system developed at KIT's SCC that provides authentication and authorisation infrastructure (AAI). RegApp supports the SAML, OpenID Connect and LDAP protocols as well as two-factor authentication.

REMS 

Resource Entitlement Management System (Finland); source available on CSC's GitHub (https://github.com/CSCfi/rems).

AcademicID (NFDI)

Academic ID is an authentication service developed and operated by GWDG that provides single sign-on access to their Cloud platform and various IT services for universities and research institutions in Lower Saxony through federated authentication via DFN-AAI. (To check: AcademicID can be self-hosted, but is rather a solution hosted by GWDG - Peter Gietz.)

Perun AAI

Perun AAI is a comprehensive open-source AAI solution based on community standards (such as AARC and REFEDS) and focused on supporting research infrastructures. Its two main components are Perun IdM for user identity and access management, including the capability to (de)provision local service access; and Perun ProxyIdP for SSO, attribute enrichment and service level access control. Additional side components are available for specific use cases. Perun AAI is co-developed by ISO27k-certified teams at CESNET and Masaryk University, which also host and operate most instances, the largest of which are in the 10-100k user range with hundreds of services.

COmanage

The software behind CILogon. Actively developed with support from InCommon.


Commonly used Software and Service Components 

The following table is included to demystify some of the software or service terms you may come across in AARC BPA inspired AAIs. It is not an exhaustive list and input is welcome. 


Each entry below gives the software or service, the AARC BPA component it implements, its purpose, and community notes.

eduGAIN
AARC BPA Component: Authentication (SAML as of 2025; OIDC in the future)
Purpose: User authentication from the home organisation to your Research Community
Community Notes: To use eduGAIN you will need to join a national federation. Some national federations may offer additional services, such as a hosted Identity Provider, that you may find useful. OpenID Federation support is a work in progress.

ORCID
AARC BPA Component: Authentication (OIDC)
Purpose: User authentication using their self-managed ORCID account
Community Notes: Many communities offer ORCID as a way for users to authenticate (or to add their ORCID iD as another attribute to their user object). ORCID supports OpenID Connect.

Decentralised Identity
AARC BPA Component: Authentication
Purpose: User authentication using their self-managed identity
Community Notes: There is little current experience with using Decentralised Identity (e.g. wallets). This is being explored in the AARC TREE project.

Trusted Certificate Services (TCS)
AARC BPA Component: Authentication (X.509)
Purpose: User authentication with an end-user X.509 certificate. Required for some legacy grid workflows (e.g. in the physics community).
Community Notes: Only available to members of participating NRENs.

Seamless Access Discovery Service
AARC BPA Component: Access Protocol Translation “Discovery Service”
Purpose: Users select their home organisation for authentication; the choice is persisted in their browser to improve usability.
Community Notes: You can use the hosted service or run it yourself (the underlying software is thiss-js). You can optionally configure a filter to show a limited set of identity providers.

PyFF
AARC BPA Component: Access Protocol Translation “Metadata Query”
Purpose: A store of SAML metadata that is trusted by your Research Community and used by your discovery service
Community Notes: PyFF is recommended as a tool for filtering metadata but no longer as a Metadata Query engine.

thiss-mdq
AARC BPA Component: Access Protocol Translation “Metadata Query”
Purpose: A store of SAML metadata that is trusted by your Research Community and used by your discovery service
Community Notes: An implementation of the Metadata Query protocol (MDQ) for JSON metadata only. Explore it only if you are running a standalone instance of thiss-js and pyFF.io (or similar) and have performance challenges.

Satosa
AARC BPA Component: Access Protocol Translation “Proxy”
Purpose: A configurable proxy for translating between different authentication protocols such as SAML2, OpenID Connect and OAuth2.
Community Notes: Other Identity Python modules are typically run alongside Satosa, such as the consent service, Seamless Access and/or PyFF.

SimpleSAMLphp
AARC BPA Component: Access Protocol Translation “Proxy”
Purpose: A PHP based proxy with many extensions available.
Community Notes: Many research institutions run SimpleSAMLphp as the basis for their AAI. Despite the name it supports many protocols, including OIDC. It can also act as either an Identity Provider or a Service Provider for various protocols.

Shibboleth IdP
AARC BPA Component: Access Protocol Translation “Proxy”
Purpose: Java based Identity Provider with proxy support
Community Notes: Shibboleth Identity Provider is a SAML Identity Provider (IdP) with proxy support. Combined with the OpenID Connect Provider (OIDC OP) and OpenID Relying Party (OIDC RP) plugins, it acts as a full access protocol translation proxy. Plugins for OpenID Federation (OIDFed), OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP) are under development.

Lighthouse
AARC BPA Component: Services (OIDC)
Purpose: OpenID Federation Trust Anchor

OFFA
AARC BPA Component: Services (OIDC)
Purpose: OIDFed for services
Community Notes: Forward authentication to add OIDFed to existing (OIDC) services.

mytoken
AARC BPA Component: Services (OIDC)
Purpose: Access tokens for long-running jobs
Community Notes: (see also htgettoken and vault; to be added)

ssh-oidc
AARC BPA Component: Services (SSH)
Purpose: SSH with federated identities
Community Notes: Multiple solutions exist. SSH certificates seem preferable to PAM-based solutions.

oidc-agent
AARC BPA Component: Services (OIDC)
Purpose: Enable command line OIDC workflows
Community Notes: oidc-agent is a set of tools to manage OpenID Connect tokens and make them easily usable from the command line.

mod_auth_openidc
AARC BPA Component: Services (OIDC)
Purpose: Protect end services using the OpenID Connect protocol
Community Notes: OpenID Connect Relying Party module for the Apache web server. Also add: other plugins, including those for OAuth2 Resource Servers and for NGINX: https://www.openidc.com/#software

Shibboleth SP
AARC BPA Component: Services (SAML)
Purpose: Protect end services using the SAML protocol
Community Notes: Shibboleth Service Provider is a SAML Service Provider (SP). In this context it is most interesting to research communities as a way to protect their end services using SAML without having to implement SAML themselves. See also Shibboleth IdP above.

REMS
AARC BPA Component: Authorisation
Purpose: Authorisation and data access management support (can be federated)
Community Notes: Resource Entitlement Management System is a service component that organises, harmonises and communicates (via SAML, OIDC or GA4GH) the resource access application process. Requires a (federated) identity service. Similar to COmanage and Perun?