Comparison of open-source SSO implementations

(Items in bold indicate possible concerns)

| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP | LemonLDAP::NG |
|---|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | third-party | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no | yes |
| OpenJDK support | yes | yes | no³ | yes | yes | partial | N/A (Perl) |
| Identity brokering | yes | yes | yes | yes | | | |
| Middleware | Wildfly, JBOSS | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat | Apache HTTP, Nginx, etc |
| Open source | yes | yes² | yes | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party | third-party |
| Add federation metadata | no | yes | yes | yes | | | |
| Add metadata from URL | no | yes | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | moderate | | | |

Note: the rows for identity brokering, add federation metadata, add metadata from URL, and installation and configuration carry only four values in the extracted source; they are placed left to right here as an assumption, and the remaining cells are left blank.
  1. WSO2 Carbon appears to be based on Tomcat

  2. The downloadable binaries on their site don't appear to include the latest security patches. While you could compile and package yourself from the source code, it's not clear if the latest security patches are open-sourced. (http://lists.jboss.org/pipermail/keycloak-user/2016-August/007281.html)

  3. "we don't QA OpenJDK. So if you make that switch, we can't support it."

@mabujaber

mabujaber commented Mar 3, 2020

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/
https://github.com/dexidp/dex

Good luck!

This is based on .NET
https://identityserver.io/

@bmaupin
Author

bmaupin commented Mar 4, 2020

@mabujaber

This is based on .NET
https://identityserver.io/

That looks like the same framework already proposed by @EraYaN

@mabujaber

mabujaber commented Mar 4, 2020

you're right

@vanjaaaa

vanjaaaa commented May 1, 2020

FusionAuth seems interesting to add; the community version (has 'all common needed' features) is free and open source.
For my company I also need to compare several SSO solutions (free and open source only), from this list: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

In my Excel sheet I have separate columns for free and open source.
For better comparison and understanding of SSO solutions I also added these columns, which I can recommend
to anyone who works on something similar:
- "authorization supported?" (for several, only authentication is),
- installation? (easy, medium, difficult),
- integration? (with different FE/BE technologies, also e/m/d),
- mobile apps? (Android, iOS) supported or not,
- liveness (number/frequency of releases, GitHub issue resolution, etc.),
- modern/popular?
..
I need to go more in depth into several solutions in the next weeks, so
anyone who works on something similar, do not hesitate to contact me to share information and knowledge :)

@coudot

coudot commented May 3, 2020

FusionAuth seems interesting to add; the community version (has 'all common needed' features) is free and open source.

Sadly, FusionAuth does not seem to be open source any more. See https://fusionauth.io/license

It should be removed from this list.

@inbarbarkai

inbarbarkai commented Oct 14, 2020

@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@bmaupin
Author

bmaupin commented Oct 14, 2020

@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@inbarbarkai I left IdentityServer off the list since the open-source version is a framework rather than a full SSO product. If it's going closed-source that's one more reason not to include it. Thanks!

@EraYaN

EraYaN commented Nov 2, 2020

There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)

@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@inbarbarkai Also, it seems like they are releasing the new version under the RPL (Reciprocal Public License).

@coudot

coudot commented Nov 2, 2020

There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)

This is not Single Sign On but Identity Management. Anyway, this is a great product that is inside FusionIAM (https://fusioniam.org/), in which we find the SSO solution LemonLDAP::NG (https://lemonldap-ng.org)

@erdemontas

erdemontas commented Jan 27, 2021

Which of these products handles multi-tenancy the best? I read some issues about Keycloak getting slower with 100+ tenants (realms, in its context). Is there anyone experiencing this?

@alfem

alfem commented Feb 8, 2021

Have you heard about ADAS SSO? It is open source and PHP-based: http://www.adas-sso.com/en/sso/sso.php

@coudot

coudot commented Feb 8, 2021

Have you heard about ADAS SSO? It is open source and PHP-based: http://www.adas-sso.com/en/sso/sso.php

I was not able to find the source code; do you know where it is published?

@alfem

alfem commented Feb 8, 2021

It is open source although the source is not openly published. You must ask for the software on this page: http://www.adas-sso.com/en/extra/download.php

@coudot

coudot commented Feb 8, 2021

Well, a very bad practice. Not sure this software should be listed here.

@alfem

alfem commented Feb 8, 2021

Well, a very bad practice. Not sure this software should be listed here.

I agree with you that it is a bad and nonsensical practice.

But I do not see why it must not be included. Loads of people confuse open-source licensed with "downloadable for free on a web page". Adas-SSO is Apache 2 licensed, so it is open source.

Adding it to this list is up to the owner, I suppose.

@bmaupin
Author

bmaupin commented Feb 8, 2021

Hmm, an interesting conundrum! adAS does seem to be Apache-licensed, and filling out the form (even with fake data) starts the download immediately. I think it's pretty lame they put the download behind a form, but I'd be okay adding it to the list unless someone can point to documentation that might somehow disqualify this from being open-source (e.g. something from the OSI or FSF). I wasn't able to find anything myself.

I don't know enough about the product to be able to add it to the list but if someone could help me fill out the rows I don't mind adding it.

@mffap

mffap commented Mar 9, 2021

@bmaupin thanks for the comparison. Would it be possible to add ZITADEL to the list?

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication: yes (FIDO2 Passwordless, U2F, SMS)
  • Admin UI: yes
  • OpenJDK support: not needed
  • Identity brokering: yes
  • Middleware: K8s, CockroachDB
  • Open source: yes (Apache 2.0)
  • Commercial support: yes
  • Add federation metadata: no
  • Add metadata from URL: yes (OIDC)
  • Installation: easy (Container)
  • Configuration: medium

Please let me know in case you may have any questions. Thanks.

@trajano

trajano commented Mar 12, 2021

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@bmaupin
Author

bmaupin commented Mar 12, 2021

@mffap, interesting, thanks! Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Stay tuned, we will soon publish a guide how you can deploy a hyperconverged system with our automation tooling called ORBOS.

https://github.com/caos/zitadel#run-your-own-iam

“hyperconverged”

The word you've entered isn't in the dictionary.

https://www.merriam-webster.com/dictionary/hyperconverged

😅

@bmaupin
Author

bmaupin commented Mar 12, 2021

This needs a row that tells us how configurable it is as a 12-factor app primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.

@trajano Is your goal to determine which of these applications can be easily run in a container? I do think that would be helpful. If nothing else I could add a column for which of them have available container images, which should be a good indication of how easy it would be to run them in a container. For example, KeyCloak provides a container image right on its download page. I'll try to fill it out as best as I can, but help is always welcome.

@trajano

trajano commented Mar 12, 2021

Thanks @bmaupin. Actually, almost all of these can run in a container, but something like Keycloak cannot be configured easily without the UI, whereas (I am hoping) CAS can be, even if the installation and configuration is more difficult, because it's infrastructure as code.

@mffap

mffap commented Mar 12, 2021

Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Fair enough 😂. Yes, ZITADEL runs on any CNCF-conformant Kubernetes, on-prem or with a cloud provider of your liking.

With our partner-product ORBOS, we build Kubernetes with all the automation and standard tools for Day 2 Ops. Helpful for on-prem scenarios on bare-metal or VM. But you could use other similar OSS tools.

Because all the infrastructure-as-code, storage (eg, Cockroach DB) and monitoring etc. is shipped in one bundle, we like to call this hyperconverged infrastructure, as we abstract away the underlying infrastructure.

@bmaupin
Author

bmaupin commented May 12, 2021

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

I know Shibboleth IdP can be, whereas I don't believe KeyCloak can, as you mentioned. I have little experience with the others, although I believe CAS can as well.

@liu7yong

liu7yong commented Jul 20, 2021

How about UAA from Cloud Foundry?
I think it could be a competitive option.

@jae1911

jae1911 commented Sep 24, 2021

At TeDomum.net, we are developing Hiboo, which might be interesting.
It's made in Python.

https://forge.tedomum.net/acides/hiboo/hiboo

@trajano

trajano commented Sep 24, 2021

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

  • Configurable through environment variables
  • Configurable through text files [noting that you can use Docker to create an image with the text files embedded, or use config/secret mounts]

@hooverdc

hooverdc commented Sep 27, 2021

@lacek

lacek commented Mar 28, 2022

According to Gluu's docs, the requirement for Oracle JDK has been replaced with Amazon Corretto (a variant of OpenJDK). Besides, the Shibboleth docs mention that IdP 4 fully supports Corretto 11 for Linux and OpenJDK 11 for RHEL/CentOS. So I guess footnote 3 should be updated to reflect the change.

@fmendez89

fmendez89 commented Mar 29, 2022

Hi,
Keycloak is transitioning to Quarkus; they have deprecated the WildFly version, and it will be removed in June.

@philipgierszal

philipgierszal commented Apr 16, 2022

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/ https://github.com/dexidp/dex

Good luck!

Hey, I see you mentioning Ory, which is a software solution I am currently looking into. How come it did not make it onto the list?
