To allow easy access to SSH based services DeiC has made a SSH Certificate Authority proof-of-concept that issues short-lived SSH certificates based on a federated login. The system requires no specific client - or service side installed programs and makes it possible for the user to use all standard ssh services - as long at the certificate is valid. Depending on the configuration of the participating services the CA allows the user to use the same username/uid across all services. Optionally it can be combined with systemd-userdb services to allow for fully automated user management. The CA can also optionally issue host certificates so the users do not have to trust the servers on first use (TOFU).

Solving the above problems requires a lot of work, especially when dealing with a great number of researchers, or servers. Manually collecting SSH public keys from authorized users, making sure they belong to the user, and also figuring out when the user is no longer allowed to access the service is (quite) difficult.

See https://smallstep.comblog/use-ssh-certificates/ .

Federated SSO, on the other hand, scores well on the above criteria (User experience, scaling up, security) but is usually limited to the web.