ⓘ This list is not meant to be exhaustive and is not guaranteed to be maintained. See the comments for updates and alternative options.
(Items in bold indicate possible concerns)
| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP |
|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no |
| OpenJDK support | yes | yes | partial² | yes | yes | partial |
| Identity brokering | yes | yes | yes | | | |
| Middleware | Quarkus | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat |
| Open source | yes | ⚠ nominally | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party |
| Add federation metadata | no | yes | yes | | | |
| Add metadata from URL | import only | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | | | |
1. WSO2 Carbon appears to be based on Tomcat.
2. Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.
For anyone who's considering WSO2 Identity Server, be advised that you'll either need to pay for their service subscription or invest a significant amount of effort and time to get a production-ready deployment.
The community edition of WSO2 IS is released in major versions only (e.g. 5.10.0, 5.11.0, etc.). For whatever security vulnerabilities or bugs are found between major versions, community users won't receive any update and are on their own. On the other hand, users with a paid subscription to their WSO2 Update Manager (WUM) services are provided with closed-source software patches. You may find in their documentation that certain features are available since 5.11.0.XX (e.g. https://is.docs.wso2.com/en/5.11.0/learn/configuring-uniqueness-of-claims/). It means that you can get that easily as a paid user, but not as a community user.
For security vulnerabilities, you'll have to watch the reports and evaluate whether each one is relevant to your deployment. Sometimes the mitigations are just configurations or one-off commands (e.g. https://docs.wso2.com/pages/viewpage.action?pageId=180948677). But some are lists of pull requests (e.g. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1459). Given the complexity of the software, you'll need a significant amount of time to learn how to build from source, apply relevant pull requests, install the patch, and all that to manage these.
For software bugs, you'll have to either wait for the next major version, or figure out the relevant commits/pull requests and find a way to apply them yourself. Besides, bug fixes available for paid users are not always available in the public GitHub repositories. You may notice some issues marked resolved but find no relevant code commits yet.
TLDR: WSO2 IS community edition is not suitable for production use unless you invest enough.