Comparison of some open-source SSO implementations

open-source-sso.md

⚠️ This is not maintained. Feel free to check comments and/or forks for more current options.

Background

This was created years ago; at the time I'd been a Shibboleth admin for nearly a decade but we needed something that could handle OIDC/OAuth and that explicitly supported OpenJDK. After a lot of investigation, I really liked Keycloak/Red Hat Single Sign-On. More details here: Gluu vs keycloack vs wso2 identity management

Comparison

(Items in bold indicate possible concerns)

	Keycloak	WSO2 Identity Server	Gluu	CAS	OpenAM	Shibboleth IdP
OpenID Connect/OAuth support	yes	yes	yes	yes	yes	yes
Multi-factor authentication	yes	yes	yes	yes	yes	yes
Admin UI	yes	yes	yes	yes	yes	no
OpenJDK support	yes	yes	partial²	yes	yes	partial
Identity brokering	yes	yes	yes
Middleware	Quarkus	WSO2 Carbon¹	Jetty, Apache HTTPD	any Java app server	any Java app server	Jetty, Tomcat
Open source	yes	⚠ nominally	yes	yes	yes	yes
Commercial support	yes	yes	yes	third-party	yes	third-party
Add federation metadata	no	yes				yes
Add metadata from URL	import only	yes				yes
Installation and configuration	easy			difficult		difficult

1. WSO2 Carbon appears to be based on Tomcat

2. Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.

Hmm, an interesting conundrum! adAS does seem to be Apache-licensed, and filling out the form (even with fake data) starts the download immediately. I think it's pretty lame they put the download behind a form, but I'd be okay adding it to the list unless someone can point to documentation that might somehow disqualify this from being open-source (e.g. something from the OSI or FSF). I wasn't able to find anything myself.

I don't know enough about the product to be able to add it to the list but if someone could help me fill out the rows I don't mind adding it.

@bmaupin thanks for the comparison. Would it be possible to add ZITADEL to the list?

• OpenID Connect/OAuth support : yes
• Multi-factor authentication: yes (FIDO2 Passwordless, U2F, SMS)
• Admin UI: yes
• OpenJDK support: not needed
• Identity brokering: yes
• Middleware: K8s, CockroachDB
• Open source: yes (Apache 2.0)
• Commercial support: yes
• Add federation metadata: no
• Add metadata from URL: yes (OIDC)
• Installation: easy (Container)
• Configuration: medium

Please let me know in case you may have any questions. Thanks.

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@mffap, interesting, thanks! Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Stay tuned, we will soon publish a guide how you can deploy a hyperconverged system with our automation tooling called ORBOS.

https://github.com/caos/zitadel#run-your-own-iam

“hyperconverged”

The word you've entered isn't in the dictionary.

https://www.merriam-webster.com/dictionary/hyperconverged

😅

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@trajano Is your goal to determine which of these applications can be easily run in a container? I do think that would be helpful. If nothing else I could add a column for which of them have available container images, which should be a good indication of how easy it would be to run them in a container. For example, KeyCloak provides a container image right on its download page. I'll try to fill it out as best as I can, but help is always welcome.

Thanks @bmaupin actually almost all of these can run in a container, but something like Keycloak cannot be configured easily without the UI. Whereas (I am hoping) CAS would be even if the installation and configuration is more difficult because it's infrastructure as code.

Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Fair enough 😂. Yes ZITADEL runs on any CNCF conform Kubernetes, on-prem or with a cloud provider of your liking.

With our partner-product ORBOS, we build Kubernetes with all the automation and standard tools for Day 2 Ops. Helpful for on-prem scenarios on bare-metal or VM. But you could use other similar OSS tools.

Because all the infrastructure-as-code, storage (eg, Cockroach DB) and monitoring etc. is shipped in one bundle, we like to call this hyperconverged infrastructure, as we abstract away the underlying infrastructure.

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

I know Shibboleth IdP can be, whereas I don't believe KeyCloak can, as you mentioned. I have little experience with the others, although I believe CAS can as well.

How about UAA from Cloud Foundry?
I think it could be a competitive option.

At TeDomum.net, we are developing Hiboo, might be interesting.
It's made in Python.

https://forge.tedomum.net/acides/hiboo/hiboo

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

• Configurable through environment variables
• Configurable through text files [nothing that you can use Docker to create an image with the text files embedded or using config/secret mounts]

Shibboleth has first party support for OIDC now!

https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP

According to Gluu's Docs, the requirement of Oracle JDK has been replaced with Amazon Corretto (a variant of OpenJDK). Besides, Shibboleth Docs mentions that IdP 4 fully supports Corretto 11 for Linux and OpenJDK 11 for RHEL/CentOS. So I guess footnote 3 should be updated to reflect the change.

Hi
Keycloak is transitioning to Quarkus, they have deprecated the Wildfly version and will be removed on June.

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/ https://github.com/dexidp/dex

Good luck!

Hey, I see you mentioning Ory, which is a software solution I am currently looking into, how come it did not make it to the list?

For anyone who's considering WSO2 Identity Server, be advised that you'll either need to pay for their service subscription or invest a significant amount of effort and time to get a production ready deployment.

The community edition of WSO2 IS is released in major versions only (e.g. 5.10.0, 5.11.0, etc). For whatever security vulnerabilities or bugs found between major versions, community users won't receive any update and are on their own. On the other hand, users of paid subscription of their WSO2 Update Manager (WUM) services are provided with closed sourced software patches. You may find in their documentations that certain features are available since 5.11.0.XX (e.g. https://is.docs.wso2.com/en/5.11.0/learn/configuring-uniqueness-of-claims/). It means that you can get that easily as a paid user, but not as a community user.

For security vulnerabilities, you'll have to watch the reports and evaluate if it's relevant to your deployment. Sometimes the mitigations are just configurations or one-off commands (e.g. https://docs.wso2.com/pages/viewpage.action?pageId=180948677). But some are lists of pull requests (e.g. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1459). Given the complexity of the software, you'll need a significant amount of time to learn how to build from source, apply relevant pull requests, installing the patch, and all that to manage these.

For software bugs, you'll have to either wait for the next major version, or figure out relevant commits/pull requests and find a way to apply it yourself. Besides, bug fixes available for paid users are not always available in the public github repositories. You may notice some issues marked resolved but find no relevant code commits yet.

TLDR: WSO2 IS community edition is not suitable for production use unless you invest enough.

How about adding Authelia in the list also?

Authentik, Authelia and Zitadel should be added

Ory Hydra is a promising project. Anyone here used Spring Authentication Server, need some expert reviews on the product.

	Keycloak	WSO2 Identity Server	Gluu	CAS	OpenAM	Shibboleth IdP	ZITADEL	Authentik	Authelia	lemonldap-ng	logto
OpenID Connect/OAuth support	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
Multi-factor authentication	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
Admin UI	yes	yes	yes	yes	yes	no	yes	Yes		yes	yes
OpenJDK support	yes	yes	partialý	yes	yes	partial	not needed			not needed	not needed
Identity brokering	yes	yes	yes				yes			yes	yes
Middleware	Quarkus	WSO2 Carbon?	Jetty, Apache HTTPD	any Java app server	any Java app server	Jetty, Tomcat	CockroachDB			Apache, Nginx, uwsgi, PSGI, FastCGI	Express
Open source	yes	? nominally	yes	yes	yes	yes	yes (Apache 2.0)	yes	yes	yes (GPL)	yes (MPL-2.0 license)
Commercial support	yes	yes	yes	third-party	yes	third-party	yes	yes		yes	yes
Add federation metadata	no	yes				yes	no			yes	yes
Add metadata from URL	import only	yes				yes	yes			yes	yes
Installation and configuration	easy		difficult		difficult	easy/medium				easy/medium	easy

Authentik and Authelia should be verified and completed.
Thanks to

• @mffap for zitadel
• @coudot for LemonLDAPNG
• @mabujaber for logto

Hello,

it seems that @LemonLDAPNG is missing, I add the data here and let you decide if you want to include it in the table:

• OpenID Connect/OAuth support : yes
• Multi-factor authentication : yes
• Admin UI : yes
• OpenJDK support : not needed
• Identity brokering : yes
• Middleware : Apache, Nginx, uwsgi, PSGI, FastCGI
• Open source : yes (GPL)
• Commercial support : yes (@Worteks)
• Add federation metadata : yes
• Add metadata from URL : yes
• Installation and configuration : easy/medium

https://logto.io/
OpenID Connect/OAuth support : yes
Multi-factor authentication : yes
Admin UI : yes
OpenJDK support : not needed
Identity brokering : yes
Middleware : Express
Open source : yes (MPL-2.0 license)
Commercial support : yes
Add federation metadata : yes
Add metadata from URL : yes
Installation and configuration : easy

https://logto.io/ OpenID Connect/OAuth support : yes Multi-factor authentication : yes Admin UI : yes OpenJDK support : not needed Identity brokering : yes Middleware : Express Open source : yes (MPL-2.0 license) Commercial support : yes Add federation metadata : yes Add metadata from URL : yes Installation and configuration : easy
@mabujaber thanks for the mention
@gao-sun @simeng-li @logto-io

Keycloak WSO2 Identity Server Gluu CAS OpenAM Shibboleth IdP ZITADEL Authentik Authelia lemonldap-ng logto
OpenID Connect/OAuth support yes yes yes yes yes yes yes yes yes yes yes
Multi-factor authentication yes yes yes yes yes yes yes yes yes yes yes
Admin UI yes yes yes yes yes no yes Yes yes yes
OpenJDK support yes yes partialý yes yes partial not needed not needed not needed
Identity brokering yes yes yes yes yes yes
Middleware Quarkus WSO2 Carbon? Jetty, Apache HTTPD any Java app server any Java app server Jetty, Tomcat CockroachDB Apache, Nginx, uwsgi, PSGI, FastCGI Express
Open source yes ? nominally yes yes yes yes yes (Apache 2.0) yes yes yes (GPL) yes (MPL-2.0 license)
Commercial support yes yes yes third-party yes third-party yes yes yes yes
Add federation metadata no yes yes no yes yes
Add metadata from URL import only yes yes yes yes yes
Installation and configuration easy difficult difficult easy/medium easy/medium easy
Authentik and Authelia should be verified and completed. Thanks to

• @mffap for zitadel
• @coudot for LemonLDAPNG
• @mabujaber for logto

Can you move Authentik to partially open-source, they have an enterprise repo that is not FOSS

Also Kanidm seems worth adding

Here's what i came up with:

	ZITADEL	Logto	Kanidm	Casdoor
Middleware	Postgres	Express	None	Postgres
Implementation language	Go	Typescript	Rust	Go

Just learned of INDIGO IAM - developed by INFN, Italy's nuclear physics institute: https://github.com/indigo-iam/iam

At first glance, it looks like another Java IAM solution but one targeted at the academic & research sector.