Open-Source Single Sign-On (SSO) and IAM

open-source-single-sign-on-and-IAM

On wikipedia  you can get a list of all SSO platforms / frameworks, you can view the licenses of the products on there. You will see there are so many proprietary solutions and it makes it difficult as they are harder to test out.

We are trying to solve the problem of having one a single user and security systems making maintenance and security easier.

Furthmore, you don’t have a community of people looking at the code and finding bugs and security issues with the implementation. I also don’t like the model of only giving certain features to paid users – I mean security is ubiquotous and fundamental.

Some of the proprietary players:

  • Gluu
  • Okta
  • Auth0
  • Amazon Cognito
  • Aerobase

Some of the open source projects are old and difficult to test out.

Open Source Project:

However some king soul has created a gist comparing open source Single sign-on and IAM solutions. I have added the table below in case the author decides to delete it:

 AerobaseKeycloakWSO2 Identity ServerGluuCASOpenAMShibboleth IDP
OpenID Connectyesyesyesyesyesyesthird-party
Multi-factor authenticationyesyesyesyesyesyesyes
Admin UIyesyesyesyesyesyesno
Identity brokeringyesyesyes
MiddlewareNGINX, WildflyWildfly, JBOSSWSO2 CarbonJetty, Apache HTTPDany Java app serverany Java app serverJetty, Tomcat
Commercial supportyesnoyesyesthird-partyyesthird-party
Installation Difficultyeasyeasy (docker on openshift)hard
First Release20142008

It is also important to look at the OpenID Certification and ensure the product or project you choose has been certified.

That is important as there are pretty much 2 single sign-on protocols: SAML and OpenID Connect.

For me there are 2 clear winners: Keycloak and WSO2.

Update: Oops I though that Django-oidc-provider was an openid client – but it is not, it is a provider. It is in the same category as Keycloak, WSO2 and Dex. I haven’t dug too deep on it – just installed it.

Keycloak

  • Keycloak is a an opensource version of commercial derivative of Red Hat SSO which costs $8000 a year.
  • No patches for the Community Version
  • Users, Roles and Groups
  • User Stores: Single data source
  • Single sign-on: SAML2 and OpenID Connect
  • Fully featured attribute mapping
  • No per-application identity provider
  • Only inbound user provisioning
  • Superuser can manage all realms
  • OTP: Timebased OTP (TOTP), Counter-based OTP (HOTP) and Google Authenticator QR code
  • Multistep Auth: Limited with a set of predefined actions like Update password, terms and condition etc.
  • Easier, userfiendly with modern UI
  • Funcationality more rigid

WSO2 Identity Server

  • Commercial support at 19320 Euros a year.
  • No patches for the community version
  • Users and Roles only
  • User Stores: Mulitple data stores
  • Single sign-on: SAML2 and OpenID Connect
  • Fully featured attribute mapping
  • Has per-application identity provider
  • Inbound and outbound user provisioning with per-applicaiton config
  • Superuser cannot manage all tenants – only tenant admin
  • OTP: SMS, Email, Timebased OTP (TOTP) and Google Authenticator QR code
  • Multistep Auth: More flexible + complexity
  • Harder to install and configure, UI is a bit old
  • Functionality very open

 

Sources