...
| | Shibboleth | LCMAPS | Kerberos | Moonshot | simpleSAMLphp | UNITY |
---|---|---|---|---|---|---|
Authentication workflow | Password, RemoteUser, RemoteUserInternal, X509, X509Internal, SPNEGO/Kerberos, IPAddress, External | X.509 proxy certificate | Username/password, OTP, Kerberos ticket | Username/password (any RADIUS EAP-supported mechanism) | Username/password from user repository (SQL/LDAP/RADIUS), X509 authentication through userCertificate, LDAP, social media | Username/Password, Client Certificate, LDAP, Social Media |
Supported standards | SAML 1.1/2.0, X509, Kerberos, LDAP, SQL | X.509 (RFC5280 and RFC3820), VOMS | RFC 4121, RFC 4120 | RFC3748, RFC5247, RFC7055 | SAML 1.1/2.0, X509, OpenID, OAuth 2.0, Kerberos, VOOT, SQL, LDAP, RADIUS | SAML 1.1/2.0, X.509, OIDC, LDAP |
HA deployment | Yes | Deployed in the service | Yes | RADIUS service can be run in HA environments | Yes, through multiple memcached service instances | Yes, relying on database layer |
Licence | Open Source | Open Source | Open Source | Open Source | Open Source | Open Source |
Expected support level | Supported by the Shibboleth consortium | Supported by NIKHEF | Supported by Linux distributions | Supported by Jisc | Collaborative support, large user communities | Supported by ICM, JSC, funded by PLGrid |
Authorisation
Services can implement authorisation policies either locally or based on external information. For distributed infrastructures in particular, it is common for services to use an external policy engine to take authorisation decisions. The purpose of this configuration is to support centralised management of authorisation policies for security reasons, as well as to simplify configuration at service level.
| | ARGUS | LCMAPS | mod_auth_mellon |
---|---|---|---|
Type of input attributes | SAML2-XACML2 attributes, X.509 and VOMS | X.509 proxy certificates with VOMS extensions | SAML2 attributes |
Support for policy management | Yes, ARGUS can import policies from remote PAPs | Config file allows complicated flows of plugins, including callouts to remote services (such as Argus). | Basic policies via Apache HTTP server config files |
LoA support | Supported but needs extra plugins | Yes, via lcmaps-plugins-vo-ca-ap | Yes, if LoA information available through SAML attributes |
HA deployment | Yes | Deployed with the services | Yes |
Licence | Open Source | Open Source | Open Source |
Maintenance | INFN/NIKHEF | NIKHEF | Community support, Uninett |
...