Comparison of open-source SSO implementations

(Items in bold indicate possible concerns)

Keycloak WSO2 Identity Server Gluu CAS OpenAM Shibboleth IdP
OpenID Connect/OAuth support yes yes yes yes yes third-party
Multi-factor authentication yes yes yes yes yes yes
Admin UI yes yes yes yes yes no
OpenJDK support yes yes no³ yes yes partial
Identity brokering yes yes yes
Middleware Wildfly, JBOSS WSO2 Carbon¹ Jetty, Apache HTTPD any Java app server any Java app server Jetty, Tomcat
Open source yes yes² yes yes yes yes
Commercial support yes yes yes third-party yes third-party
Add federation metadata no yes yes
Add metadata from URL no yes yes
Installation and configuration easy difficult difficult
  1. WSO2 Carbon appears to be based on Tomcat

  2. The downloadable binaries on their site don't appear to include the latest security patches. While you could compile and package yourself from the source code, it's not clear if the latest security patches are open-sourced. (http://lists.jboss.org/pipermail/keycloak-user/2016-August/007281.html)

  3. "we don't QA OpenJDK. So if you make that switch, we can't support it."


yanivmn commented Jan 2, 2019

Aerobase IAM, an enterprise ready SSO.
@bmaupin can you update according to https://gist.github.com/yanivmn/16e5fdf75d2de28650b00a150209d734


nikos commented Jun 13, 2019

Added note about adding FusionAuth to the game.

Owner Author

bmaupin commented Jun 14, 2019

@yanivmn Aerobase IAM looks like it's simply built on top of Keycloak, so I'm not sure what value it adds compared to Keycloak. Also, it would've been nice if you had disclosed your affiliation with Aerobase. Cheers!


bmaupin commented Jun 14, 2019

Added updates based on comment from @ahochsteger


bmaupin commented Jun 14, 2019

@nikos Thanks for the suggestion, but unfortunately it appears that FusionAuth, while free, does not appear to be open-source. Thanks!


rmros commented Aug 10, 2019

> Added note about adding FusionAuth to the game.

It's not open source :)


yanivmn commented Aug 10, 2019

Hi @bmaupin,
Aerobase is a full enterprise-ready product while Keycloak is a development framework.
Some Differences:

  • Package installers for Major OS including Debian/RHEL/Windows.
  • Integrated WebServer including caching, load-balancing and SSL Offloading
  • OOTB Support for any Relational database (e.g., MSSQL, PostgreSQL, MySQL ...)
  • Additional MFA alternatives including SMS/Push Notifications/Email
  • Commercial Support, there is no Keycloak commercial support, only RHEL SSO.
  • B2B2C Virtual IDPs, Serve multiple IDPs using one cluster
  • Embedded OpenJDK
  • OS Management Services/Logrotate/Watchdogs
  • ...

rmros commented Aug 10, 2019

> Hi @bmaupin,
> Aerobase is a full enterprise-ready product while Keycloak is a development framework.
> Some Differences:
>
>   • Package installers for Major OS including Debian/RHEL/Windows.
>   • Integrated WebServer including caching, load-balancing and SSL Offloading
>   • OOTB Support for any Relational database (e.g., MSSQL, PostgreSQL, MySQL ...)
>   • Additional MFA alternatives including SMS/Push Notifications/Email
>   • Commercial Support, there is no Keycloak commercial support, only RHEL SSO.
>   • B2B2C Virtual IDPs, Serve multiple IDPs using one cluster
>   • Embedded OpenJDK
>   • OS Management Services/Logrotate/Watchdogs
>   • ...

Where is the main repository of Aerobase server?
Is it made via Ruby?


yanivmn commented Aug 11, 2019

> Where is the main repository of Aerobase server?

http://github.com/aerobase/

> Is it made via Ruby?

Yes


nunojpg commented Aug 27, 2019

Is there any option without Java, even with far fewer features? I mainly use auth0, but would like to offer a solution for local authentication, supporting MFA and JWT, but within a budget of 100MB.


ashledombos commented Aug 27, 2019

May be interesting to add LemonLDAP::NG to this list :)


bmaupin commented Aug 27, 2019

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/
https://github.com/dexidp/dex

Good luck!


nunojpg commented Sep 7, 2019

LemonLDAP::NG looks to be a perfect match for me! Thanks!


relsayed8205 commented Oct 18, 2019

Helpful comparison, thank you. I am interested in comparing Keycloak with Apereo CAS. My applications are deployed on Tomcat and use spring-security for authentication. The documentation of spring-security directed me to the CAS server. However, I noticed the difficulty in configuration and the unorganized documentation of CAS. I also used Keycloak in other projects and clearly it is easier to work with and has better documentation.

Is there a gain of using CAS with spring-security applications?
However I don't get the point of commercial support (Keycloak: yes, CAS: third-party), could anyone explain more?

Thanks a lot!


bmaupin commented Oct 18, 2019

@relsayed8205

> Is there a gain of using CAS with spring-security applications?

I can't answer this (maybe somebody else can chime in), although it looks like Spring Security supports both OAuth and SAML, so from that perspective either Keycloak or CAS should work fine.

> However I don't get the point of commercial support (Keycloak: yes, CAS: third-party), could anyone explain more?

I agree it's not very clear. When I first created this document it was just meant as a quick comparison between a few auth services I was comparing. It's gotten much more attention than I expected :)

Even though everything in this list is open-source, some companies require purchasing a commercial support contract for any applications they use. As an example, the organization that's responsible for the development of Shibboleth (Internet2) doesn't directly provide paid commercial support for Shibboleth, so if you want support you have to go through a third party. From my personal experience, I see this as a negative because I managed Shibboleth at my organization for a number of years and third-party support wasn't always able to answer our questions and there didn't seem to be the possibility of requesting new features through that support either. Quite often we ended up relying on community support (e.g. mailing lists), which was often helpful but not always reliable or timely.

Commercial support for Keycloak is in the form of their commercial product (Red Hat SSO). While it's a different product, support comes from the same company that is developing Keycloak, so I wouldn't consider that to be third-party.

CAS seems to be more similar to Shibboleth: https://apereo.github.io/cas/Support.html

If you don't need paid commercial support then you can pretty much ignore that row.

Hope that helps!


bmaupin commented Oct 18, 2019

@ashledombos

> May be interesting to add LemonLDAP::NG to this list :)

I'd be happy to add it if you could help me fill out some of the rows. This list has grown a bit bigger than intended and I don't have the time to do the needed research.

Thanks!
