What is Motley Cue?

Motley Cue is at the core of our modular system that enables the use of token-based (OpenID Connect) federated identities for accessing Unix-based resources. It is protocol independent and already supports SSH and WebDAV today.

Motley Cue is a daemon that provides an API to act as a middleware between federated identities and Unix systems. Think of it as a smart translator that takes your OpenID Connect identity and seamlessly maps it to a proper Unix account on SSH or WebDAV servers.

Motley Cue at a glance

  • Fully automated login - no manual token pasting.
  • Secure and traceable access via federated identities.
  • Smart account provisioning - no need for pre-created Unix users (though supported).
  • Seamless integration with existing SSH workflows.

Developed as part of the ssh-oidc ecosystem, motley_cue handles user authorization, identity mapping, and just-in-time account provisioning.

Key Features

  • Federated Identity Integration
    Maps OIDC identities to Unix accounts, with no need for pre-existing usernames or public keys.
  • Multi-Provider Support
    Works with multiple OpenID Connect providers simultaneously (Google, university accounts, research federations, etc.).
  • Just-in-Time Provisioning (Optional)
    Automatically creates user accounts on first login if needed, reducing admin overhead.
  • REST API Powered
    Offers a clean API for easy integration with client tools, PAM modules, or the ssh-online-ca oinit.
  • Smart Authorization
    Supports complex access decisions based on virtual organization memberships, group affiliations, and assurance levels.
  • Account Lifecycle Management
    Handles the full user lifecycle: creation, updates, suspension, and deletion.
  • Backend Flexibility
    Supports local Unix accounts, LDAP, and custom user management systems.
  • Security First
    Token validation, user verification, and secure account mapping are built in. Can be deployed behind a reverse proxy with SSL, minimizing attack surface and ensuring secure token handling.

Bottom Line: Motley Cue eliminates the headache of manual user management for federated SSH access - users just show up with their tokens and get working accounts automatically!

Projects using Motley Cue

Motley Cue itself is protocol agnostic. It is currently used in two projects.

SSH-OIDC

(This documentation)

Our ssh-client, ssh-server, and ssh-online-ca components interface with Motley Cue.

WebDAV

In a PoC, Motley Cue was also used with WebDAV (via Apache mod_webdav and mod_setuid) to access files in the context of the Unix user to which the federated user was mapped.

More details at https://codebase.helmholtz.cloud/kit-scc-sdm/onlinestorage/httpd-webdav

Last change: Aug 18, 2025 11:21:32