(Items in bold indicate possible concerns)
| Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP | LemonLDAP::NG | |
|---|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | third-party | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no | yes |
| OpenJDK support | yes | yes | no³ | yes | yes | partial | N/A (Perl) |
| Identity brokering | yes | yes | yes | yes | |||
| Middleware | Wildfly, JBOSS | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat | Apache HTTP, Nginx, etc |
| Open source | yes | yes² | yes | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party | third-party |
| Add federation metadata | no | yes | yes | yes | |||
| Add metadata from URL | no | yes | yes | yes | |||
| Installation and configuration | easy | difficult | difficult | moderate |
-
WSO2 Carbon appears to be based on Tomcat
-
The downloadable binaries on their site don't appear to include the latest security patches. While you could compile and package yourself from the source code, it's not clear if the latest security patches are open-sourced. (http://lists.jboss.org/pipermail/keycloak-user/2016-August/007281.html)
-
"we don't QA OpenJDK. So if you make that switch, we can't support it."