Skip to content

Instantly share code, notes, and snippets.

@bmaupin
Last active March 9, 2024 17:44
Star You must be signed in to star a gist
Save bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd to your computer and use it in GitHub Desktop.
Comparison of some open-source SSO implementations

ⓘ This list is not meant to be exhaustive and is not guaranteed to be maintained. See the comments for updates and alternative options.

(Items in bold indicate possible concerns)

Keycloak WSO2 Identity Server Gluu CAS OpenAM Shibboleth IdP
OpenID Connect/OAuth support yes yes yes yes yes yes
Multi-factor authentication yes yes yes yes yes yes
Admin UI yes yes yes yes yes no
OpenJDK support yes yes partial² yes yes partial
Identity brokering yes yes yes
Middleware Quarkus WSO2 Carbon¹ Jetty, Apache HTTPD any Java app server any Java app server Jetty, Tomcat
Open source yes nominally yes yes yes yes
Commercial support yes yes yes third-party yes third-party
Add federation metadata no yes yes
Add metadata from URL import only yes yes
Installation and configuration easy difficult difficult
  1. WSO2 Carbon appears to be based on Tomcat

  2. Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.

@EraYaN
Copy link

EraYaN commented Nov 2, 2020

There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)

@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@inbarbarkai Also it seems like they are releasing the new version under the RPL (Reciprocal Public License)

@coudot
Copy link

coudot commented Nov 2, 2020

There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)

This is not Single Sign On but Identity Management. Anyway this is a great product that is inside FusionIAM (https://fusioniam.org/) in which we find the SSO solution LemonLDAP::NG (https://lemonldap-ng.org)

@erdemontas
Copy link

Which of these products handle multi tenancy the best? I read some issues about keycloak is getting slower +100 tenant(realm in its context). Is there anyone experiencing such ?

@alfem
Copy link

alfem commented Feb 8, 2021

Have you heard about ADAS SSO? It is opensource and PHP based: http://www.adas-sso.com/en/sso/sso.php

@coudot
Copy link

coudot commented Feb 8, 2021

Have you heard about ADAS SSO? It is opensource and PHP based: http://www.adas-sso.com/en/sso/sso.php

Was not able to find the source code, do you know where it is published?

@alfem
Copy link

alfem commented Feb 8, 2021

It is opensource although source is not openly published. You must ask for the sofware in this page: http://www.adas-sso.com/en/extra/download.php

@coudot
Copy link

coudot commented Feb 8, 2021

Well, a very bad practice. Not sure this software should be listed here.

@alfem
Copy link

alfem commented Feb 8, 2021

Well, a very bad practice. Not sure this software should be listed here.

I agree with you about it is a bad and nonsensical practice.

But I do not see why it must not be included. Loads of people confuses opensource licensed with "downloadable for free on a web page". Adas-SSO is Apache 2 licensed, so it is is opensource.

Adding it to this list It's up to the owner I supposse.

@bmaupin
Copy link
Author

bmaupin commented Feb 8, 2021

Hmm, an interesting conundrum! adAS does seem to be Apache-licensed, and filling out the form (even with fake data) starts the download immediately. I think it's pretty lame they put the download behind a form, but I'd be okay adding it to the list unless someone can point to documentation that might somehow disqualify this from being open-source (e.g. something from the OSI or FSF). I wasn't able to find anything myself.

I don't know enough about the product to be able to add it to the list but if someone could help me fill out the rows I don't mind adding it.

@mffap
Copy link

mffap commented Mar 9, 2021

@bmaupin thanks for the comparison. Would it be possible to add ZITADEL to the list?

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication: yes (FIDO2 Passwordless, U2F, SMS)
  • Admin UI: yes
  • OpenJDK support: not needed
  • Identity brokering: yes
  • Middleware: K8s, CockroachDB
  • Open source: yes (Apache 2.0)
  • Commercial support: yes
  • Add federation metadata: no
  • Add metadata from URL: yes (OIDC)
  • Installation: easy (Container)
  • Configuration: medium

Please let me know in case you may have any questions. Thanks.

@trajano
Copy link

trajano commented Mar 12, 2021

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@bmaupin
Copy link
Author

bmaupin commented Mar 12, 2021

@mffap, interesting, thanks! Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Stay tuned, we will soon publish a guide how you can deploy a hyperconverged system with our automation tooling called ORBOS.

https://github.com/caos/zitadel#run-your-own-iam

“hyperconverged”

The word you've entered isn't in the dictionary.

https://www.merriam-webster.com/dictionary/hyperconverged

😅

@bmaupin
Copy link
Author

bmaupin commented Mar 12, 2021

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@trajano Is your goal to determine which of these applications can be easily run in a container? I do think that would be helpful. If nothing else I could add a column for which of them have available container images, which should be a good indication of how easy it would be to run them in a container. For example, KeyCloak provides a container image right on its download page. I'll try to fill it out as best as I can, but help is always welcome.

@trajano
Copy link

trajano commented Mar 12, 2021

Thanks @bmaupin actually almost all of these can run in a container, but something like Keycloak cannot be configured easily without the UI. Whereas (I am hoping) CAS would be even if the installation and configuration is more difficult because it's infrastructure as code.

@mffap
Copy link

mffap commented Mar 12, 2021

Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Fair enough 😂. Yes ZITADEL runs on any CNCF conform Kubernetes, on-prem or with a cloud provider of your liking.

With our partner-product ORBOS, we build Kubernetes with all the automation and standard tools for Day 2 Ops. Helpful for on-prem scenarios on bare-metal or VM. But you could use other similar OSS tools.

Because all the infrastructure-as-code, storage (eg, Cockroach DB) and monitoring etc. is shipped in one bundle, we like to call this hyperconverged infrastructure, as we abstract away the underlying infrastructure.

@bmaupin
Copy link
Author

bmaupin commented May 12, 2021

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

I know Shibboleth IdP can be, whereas I don't believe KeyCloak can, as you mentioned. I have little experience with the others, although I believe CAS can as well.

@liu7yong
Copy link

How about UAA from Cloud Foundry?
I think it could be a competitive option.

@jae1911
Copy link

jae1911 commented Sep 24, 2021

At TeDomum.net, we are developing Hiboo, might be interesting.
It's made in Python.

https://forge.tedomum.net/acides/hiboo/hiboo

@trajano
Copy link

trajano commented Sep 24, 2021

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

  • Configurable through environment variables
  • Configurable through text files [nothing that you can use Docker to create an image with the text files embedded or using config/secret mounts]

@hooverdc
Copy link

@lacek
Copy link

lacek commented Mar 28, 2022

According to Gluu's Docs, the requirement of Oracle JDK has been replaced with Amazon Corretto (a variant of OpenJDK). Besides, Shibboleth Docs mentions that IdP 4 fully supports Corretto 11 for Linux and OpenJDK 11 for RHEL/CentOS. So I guess footnote 3 should be updated to reflect the change.

@fmendez89
Copy link

Hi
Keycloak is transitioning to Quarkus, they have deprecated the Wildfly version and will be removed on June.

@philipgierszal
Copy link

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/ https://github.com/dexidp/dex

Good luck!

Hey, I see you mentioning Ory, which is a software solution I am currently looking into, how come it did not make it to the list?

@lacek
Copy link

lacek commented Jul 10, 2022

For anyone who's considering WSO2 Identity Server, be advised that you'll either need to pay for their service subscription or invest a significant amount of effort and time to get a production ready deployment.

The community edition of WSO2 IS is released in major versions only (e.g. 5.10.0, 5.11.0, etc). For whatever security vulnerabilities or bugs found between major versions, community users won't receive any update and are on their own. On the other hand, users of paid subscription of their WSO2 Update Manager (WUM) services are provided with closed sourced software patches. You may find in their documentations that certain features are available since 5.11.0.XX (e.g. https://is.docs.wso2.com/en/5.11.0/learn/configuring-uniqueness-of-claims/). It means that you can get that easily as a paid user, but not as a community user.

For security vulnerabilities, you'll have to watch the reports and evaluate if it's relevant to your deployment. Sometimes the mitigations are just configurations or one-off commands (e.g. https://docs.wso2.com/pages/viewpage.action?pageId=180948677). But some are lists of pull requests (e.g. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1459). Given the complexity of the software, you'll need a significant amount of time to learn how to build from source, apply relevant pull requests, installing the patch, and all that to manage these.

For software bugs, you'll have to either wait for the next major version, or figure out relevant commits/pull requests and find a way to apply it yourself. Besides, bug fixes available for paid users are not always available in the public github repositories. You may notice some issues marked resolved but find no relevant code commits yet.

TLDR: WSO2 IS community edition is not suitable for production use unless you invest enough.

@d3btech
Copy link

d3btech commented Nov 7, 2022

How about adding Authelia in the list also?

@raph
Copy link

raph commented Sep 12, 2023

Authentik, Authelia and Zitadel should be added

@d3btech
Copy link

d3btech commented Sep 12, 2023

Ory Hydra is a promising project. Anyone here used Spring Authentication Server, need some expert reviews on the product.

@adriy-be
Copy link

adriy-be commented Feb 20, 2024

Keycloak WSO2 Identity Server Gluu CAS OpenAM Shibboleth IdP ZITADEL Authentik Authelia lemonldap-ng logto
OpenID Connect/OAuth support yes yes yes yes yes yes yes yes yes yes yes
Multi-factor authentication yes yes yes yes yes yes yes yes yes yes yes
Admin UI yes yes yes yes yes no yes Yes yes yes
OpenJDK support yes yes partialý yes yes partial not needed not needed not needed
Identity brokering yes yes yes yes yes yes
Middleware Quarkus WSO2 Carbon? Jetty, Apache HTTPD any Java app server any Java app server Jetty, Tomcat CockroachDB Apache, Nginx, uwsgi, PSGI, FastCGI Express
Open source yes ? nominally yes yes yes yes yes (Apache 2.0) yes yes yes (GPL) yes (MPL-2.0 license)
Commercial support yes yes yes third-party yes third-party yes yes yes yes
Add federation metadata no yes yes no yes yes
Add metadata from URL import only yes yes yes yes yes
Installation and configuration easy difficult difficult easy/medium easy/medium easy

Authentik and Authelia should be verified and completed.
Thanks to

@coudot
Copy link

coudot commented Feb 20, 2024

Hello,

it seems that @LemonLDAPNG is missing, I add the data here and let you decide if you want to include it in the table:

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication : yes
  • Admin UI : yes
  • OpenJDK support : not needed
  • Identity brokering : yes
  • Middleware : Apache, Nginx, uwsgi, PSGI, FastCGI
  • Open source : yes (GPL)
  • Commercial support : yes (@Worteks)
  • Add federation metadata : yes
  • Add metadata from URL : yes
  • Installation and configuration : easy/medium

@mabujaber
Copy link

https://logto.io/
OpenID Connect/OAuth support : yes
Multi-factor authentication : yes
Admin UI : yes
OpenJDK support : not needed
Identity brokering : yes
Middleware : Express
Open source : yes (MPL-2.0 license)
Commercial support : yes
Add federation metadata : yes
Add metadata from URL : yes
Installation and configuration : easy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment