Comparison of open-source SSO implementations

(Items in bold indicate possible concerns)

| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP | LemonLDAP::NG |
|---|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | third-party | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no | yes |
| OpenJDK support | yes | yes | no³ | yes | yes | partial | N/A (Perl) |
| Identity brokering | yes | yes | yes | yes | | | |
| Middleware | Wildfly, JBOSS | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat | Apache HTTP, Nginx, etc. |
| Open source | yes | yes² | yes | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party | third-party |
| Add federation metadata | no | yes | yes | yes | | | |
| Add metadata from URL | no | yes | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | moderate | | | |

  1. WSO2 Carbon appears to be based on Tomcat

  2. The downloadable binaries on their site don't appear to include the latest security patches. While you could compile and package yourself from the source code, it's not clear if the latest security patches are open-sourced. (http://lists.jboss.org/pipermail/keycloak-user/2016-August/007281.html)

  3. "we don't QA OpenJDK. So if you make that switch, we can't support it."

@yanivmn yanivmn commented Jan 2, 2019

Aerobase IAM, an enterprise ready SSO.
@bmaupin can you update according to https://gist.github.com/yanivmn/16e5fdf75d2de28650b00a150209d734

@nikos nikos commented Jun 13, 2019

Added note about adding FusionAuth to the game.

@bmaupin bmaupin (Owner Author) commented Jun 14, 2019

@yanivmn Aerobase IAM looks like it's simply built on top of Keycloak, so I'm not sure what value it adds compared to Keycloak. Also, it would've been nice if you had disclosed your affiliation with Aerobase. Cheers!

@bmaupin bmaupin (Owner Author) commented Jun 14, 2019

Added updates based on comment from @ahochsteger

@bmaupin bmaupin (Owner Author) commented Jun 14, 2019

@nikos Thanks for the suggestion, but unfortunately it appears that FusionAuth, while free, does not appear to be open-source. Thanks!

@rmros rmros commented Aug 10, 2019

> Added note about adding FusionAuth to the game.

It's not open source :)

@yanivmn yanivmn commented Aug 10, 2019

Hi @bmaupin,
Aerobase is a full enterprise-ready product while Keycloak is a development framework.
Some differences:

  • Package installers for major OSes including Debian/RHEL/Windows.
  • Integrated web server including caching, load balancing and SSL offloading
  • OOTB support for any relational database (e.g., MSSQL, PostgreSQL, MySQL ...)
  • Additional MFA alternatives including SMS/push notifications/email
  • Commercial support; there is no Keycloak commercial support, only RHEL SSO.
  • B2B2C virtual IdPs: serve multiple IdPs using one cluster
  • Embedded OpenJDK
  • OS management services/logrotate/watchdogs
  • ...

@rmros rmros commented Aug 10, 2019

> Hi @bmaupin,
> Aerobase is a full enterprise-ready product while Keycloak is a development framework.
> Some differences:
>
> • Package installers for major OSes including Debian/RHEL/Windows.
> • Integrated web server including caching, load balancing and SSL offloading
> • OOTB support for any relational database (e.g., MSSQL, PostgreSQL, MySQL ...)
> • Additional MFA alternatives including SMS/push notifications/email
> • Commercial support; there is no Keycloak commercial support, only RHEL SSO.
> • B2B2C virtual IdPs: serve multiple IdPs using one cluster
> • Embedded OpenJDK
> • OS management services/logrotate/watchdogs
> • ...

Where is the main repository of the Aerobase server?
Is it made via Ruby?

@yanivmn yanivmn commented Aug 11, 2019

> Where is the main repository of the Aerobase server?

http://github.com/aerobase/

> Is it made via Ruby?

Yes

@nunojpg nunojpg commented Aug 27, 2019

Is there any option without Java, even with much fewer features? I mainly use auth0, but would like to offer a solution for local authentication, supporting MFA and JWT, but within a budget of 100MB.

@ashledombos ashledombos commented Aug 27, 2019

May be interesting to add LemonLDAP::NG to this list :)

@bmaupin bmaupin (Owner Author) commented Aug 27, 2019

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

https://gethydra.sh/
https://github.com/dexidp/dex

Good luck!

@nunojpg nunojpg commented Sep 7, 2019

LemonLDAP::NG looks to be a perfect match for me! Thanks!

@relsayed8205 relsayed8205 commented Oct 18, 2019

Helpful comparison, thank you. I am interested in comparing Keycloak with Apereo CAS. My applications are deployed on Tomcat and use spring-security for authentication. The documentation of spring-security directed me to the CAS server. However, I noticed the difficulty in configuration and the unorganized documentation of CAS. I also used Keycloak in other projects and clearly it is easier to work with and has better documentation.

Is there a gain of using CAS with spring-security applications?
However I don't get the point of commercial support (Keycloak: yes, CAS: thirdparty), could anyone explain more?

Thanks a lot!

@bmaupin bmaupin (Owner Author) commented Oct 18, 2019

@relsayed8205

> Is there a gain of using CAS with spring-security applications?

I can't answer this (maybe somebody else can chime in), although it looks like Spring Security supports both OAuth and SAML, so from that perspective either Keycloak or CAS should work fine.

> However I don't get the point of commercial support (Keycloak: yes, CAS: thirdparty), could anyone explain more?

I agree it's not very clear. When I first created this document it was just meant as a quick comparison between a few auth services I was comparing. It's gotten much more attention than I expected :)

Even though everything in this list is open-source, some companies require purchasing a commercial support contract for any applications they use. As an example, the organization that's responsible for the development of Shibboleth (Internet2) doesn't directly provide paid commercial support for Shibboleth, so if you want support you have to go through a third party. From my personal experience, I see this as a negative because I managed Shibboleth at my organization for a number of years and third-party support wasn't always able to answer our questions and there didn't seem to be the possibility of requesting new features through that support either. Quite often we ended up relying on community support (e.g. mailing lists), which was often helpful but not always reliable or timely.

Commercial support for Keycloak is in the form of their commercial product (Red Hat SSO). While it's a different product, support comes from the same company that is developing Keycloak, so I wouldn't consider that to be third-party.

CAS seems to be more similar to Shibboleth: https://apereo.github.io/cas/Support.html

If you don't need paid commercial support then you can pretty much ignore that row.

Hope that helps!

@bmaupin bmaupin (Owner Author) commented Oct 18, 2019

@ashledombos

> May be interesting to add LemonLDAP::NG to this list :)

I'd be happy to add it if you could help me fill out some of the rows. This list has grown a bit bigger than intended and I don't have the time to do the needed research.

Thanks!

@coudot coudot commented Dec 6, 2019

> @ashledombos
>
> > May be interesting to add LemonLDAP::NG to this list :)
>
> I'd be happy to add it if you could help me fill out some of the rows. This list has grown a bit bigger than intended and I don't have the time to do the needed research.

Some answers for LemonLDAP::NG:

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication: yes
  • Admin UI: yes
  • OpenJDK support: not needed
  • Identity brokering: yes
  • Middleware: Apache / Nginx / uwsgi...
  • Open source: yes (GPL)
  • Commercial support: yes, see https://lemonldap-ng.org/professionalservices
  • Add federation metadata: yes
  • Add metadata from URL: yes
  • Installation: easy
  • Configuration: medium

@EraYaN EraYaN commented Jan 6, 2020

There is also https://github.com/IdentityServer/IdentityServer4/ for ASP.NET Core which seems to be more or less a framework rather than an installable product. The documentation seems to hint at the following answers:

  • OpenID Connect/OAuth support : yes (extendable)
  • Multi-factor authentication: yes
  • Admin UI: yes (commercial)
  • OpenJDK support: not needed
  • Identity brokering: yes
  • Middleware: ASP.NET Core 3.0+
  • Open source: yes (Apache2)
  • Commercial support: yes, see https://www.identityserver.com/services/
  • Add federation metadata: yes
  • Add metadata from URL: yes
  • Installation: easy (nuget)
  • Configuration: medium/hard

Not sure about how to measure the difficulty of configuration though, it's all just C# code, not terribly hard but if you want something rather fancy it might be.

@bmaupin bmaupin (Owner Author) commented Jan 6, 2020

@coudot Added, thanks!

@EraYaN This is really meant for products rather than frameworks, but thanks for the suggestion. It might actually be good to create a separate spreadsheet just for frameworks, since the products here are open source and many of the frameworks they're built on can be used to build other products as well.

@EraYaN EraYaN commented Jan 6, 2020

It's a framework as in most of the configuration is code, but all the UI and essentially all business logic is in the library. For "just" an OpenID Connect server you can almost be there by just buying their Admin UI and building the example. Especially if you integrate with ASP.NET Identity.
It's not quite like an actual bare implementation library for OAuth2/OIDC (in the realm of OWIN middleware and DotNetOpenAuth). (At least in my experience)

@mabujaber mabujaber commented Mar 3, 2020

> @nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.
>
> 100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:
>
> https://gethydra.sh/
> https://github.com/dexidp/dex
>
> Good luck!

This is based on .NET
https://identityserver.io/

@bmaupin bmaupin (Owner Author) commented Mar 4, 2020

@mabujaber

> This is based on .NET
> https://identityserver.io/

That looks like the same framework already proposed by @EraYaN

@mabujaber mabujaber commented Mar 4, 2020

you're right

@vanjaaaa vanjaaaa commented May 1, 2020

FusionAuth seems interesting to add; the community version (has 'all common needed' features) is free and open source.
For my company I also need to compare several SSO solutions (free and open source only), from this list: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

In my Excel I have separate columns for free and open source.
For better comparison and understanding of SSO solutions I also added these columns, which I can recommend
to anyone who works on something similar:
- "authorization supported?" (for several, only authentication is),
- installation? (easy/medium/difficult),
- integration? (with different FE/BE technologies, also e/m/d),
- mobile apps? (Android, iOS) supported or not
- liveness (number/frequency of releases, GitHub issue resolution, etc.),
- modern/popular?
..
I need to go more in depth into several solutions in the next weeks, so
anyone who works on something similar - do not hesitate to contact me to share information and knowledge :)

@coudot coudot commented May 3, 2020

> FusionAuth seems interesting to add, community version(has 'all common needed' features) is free and opensource

Sadly, FusionAuth does not seem Open Source any more. See https://fusionauth.io/license

It should be removed from this list.

@inbarbarkai inbarbarkai commented Oct 14, 2020

@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@bmaupin bmaupin (Owner Author) commented Oct 14, 2020

> @bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.

@inbarbarkai I left IdentityServer off the list since the open-source version is a framework rather than a full SSO product. If it's going closed-source that's one more reason not to include it. Thanks!
