Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • A Membership Management Service (MMS)
    For this, currently, we use COmanage, an Internet2 initiative started some years ago an which has also been tested within AARC. Of the available solutions for group management, invites and attribute management we think this is the most future proof. SURF has direct connections with the developers of COmanage. Alternatives are Hexaa, Perun and, based on feedback on COmanage from the Dutch pilot partners, a self-built Collaboration Management System.
  • A Proxy & Identity Hub
    The Proxy is an SP-IdP Proxy. It can connect SAML Identity Providers, OIDC Providers, SAML Service Providers and OIDC Resource Providers, thus enabling teams to use their preferred identity sources and services regardless of the authentication protocol. The Proxy is responsible for aggregating the user attributes from various identity sources, enforcing community and platform wide policies and providing one persistent user identifier and a harmonised set of attributes to the connected services. For this, we currently use SATOSA ("A configurable proxy for translating between different authentication protocols such as SAML2, OpenID Connect and OAuth2") is used in the current phase to technically connect services so authentication requests can be managed. SUNET has been instrumental in development of SATOSA.

  • A Metadata Service (MDS)
    The Metadata Service aggregates the metadata of all the SAML Identity and Service Providers that are connected to the platform. It does so by aggregating the metadata feed of eduGAIN, while
    allowing the platform administrators to configure also other local or remote metadata sources. The MDS is an essential component of the platform directly connected to the eduTEAMS Proxy. For this we currently use pyFF, python Federation Feeder. pyFF also provides the WAYF. NORDUnet has been instrumental in development of PyFF.

  • Discovery Service (DS)
    The Discovery service provides a web interface for users to search and select their preferred identity provider. pyFF in SCZ also provides for the Discovery Service.
  • Besides those components, we also use the following to software and components to complete SCZ:
    • CMService
      For showing and managing Consent
    • LDAP
      Together with the membership management service like COmanage, and SATOSA, LDAP provides the technical basis for SCZ. In the LDAP database we store application specific passwords (ASP), public ssh/pgp keys, grid certificates etc, so non-web applications can retrieve them.
    • LSC-project: LSC, which "main goal is to provide a simple and efficient way of synchronizing any data source to a LDAP directory quickly", enables us to do fine graned syncing between our LDAP and that of SP's.