@bmaupin
Last active April 11, 2024 09:36
Comparison of some open-source SSO implementations

ⓘ This list is not meant to be exhaustive and is not guaranteed to be maintained. See the comments for updates and alternative options.

(Items in bold indicate possible concerns)

| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP |
|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no |
| OpenJDK support | yes | yes | partial² | yes | yes | partial |
| Identity brokering | yes | yes | yes | | | |
| Middleware | Quarkus | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat |
| Open source | yes | nominally | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party |
| Add federation metadata | no | yes | yes | | | |
| Add metadata from URL | import only | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | | | |
  1. WSO2 Carbon appears to be based on Tomcat

  2. Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.

@trajano

trajano commented Sep 24, 2021

@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

  • Configurable through environment variables
  • Configurable through text files [noting that you can use Docker to create an image with the text files embedded or using config/secret mounts]

@lacek

lacek commented Mar 28, 2022

According to Gluu's Docs, the requirement of Oracle JDK has been replaced with Amazon Corretto (a variant of OpenJDK). Besides, Shibboleth Docs mentions that IdP 4 fully supports Corretto 11 for Linux and OpenJDK 11 for RHEL/CentOS. So I guess footnote 3 should be updated to reflect the change.

@fmendez89

Hi
Keycloak is transitioning to Quarkus; they have deprecated the WildFly version, and it will be removed in June.

@philipgierszal

@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.

100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:

  • https://gethydra.sh/
  • https://github.com/dexidp/dex

Good luck!

Hey, I see you mentioning Ory, which is a software solution I am currently looking into, how come it did not make it to the list?

@lacek

lacek commented Jul 10, 2022

For anyone who's considering WSO2 Identity Server, be advised that you'll either need to pay for their service subscription or invest a significant amount of effort and time to get a production-ready deployment.

The community edition of WSO2 IS is released in major versions only (e.g. 5.10.0, 5.11.0, etc.). For whatever security vulnerabilities or bugs are found between major versions, community users won't receive any update and are on their own. On the other hand, users with a paid subscription to their WSO2 Update Manager (WUM) service are provided with closed-source software patches. You may find in their documentation that certain features are available since 5.11.0.XX (e.g. https://is.docs.wso2.com/en/5.11.0/learn/configuring-uniqueness-of-claims/). It means that you can get that easily as a paid user, but not as a community user.

For security vulnerabilities, you'll have to watch the reports and evaluate whether they're relevant to your deployment. Sometimes the mitigations are just configurations or one-off commands (e.g. https://docs.wso2.com/pages/viewpage.action?pageId=180948677). But some are lists of pull requests (e.g. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1459). Given the complexity of the software, you'll need a significant amount of time to learn how to build from source, apply relevant pull requests, install the patch, and all that to manage these.

For software bugs, you'll have to either wait for the next major version, or figure out the relevant commits/pull requests and find a way to apply them yourself. Besides, bug fixes available for paid users are not always available in the public GitHub repositories. You may notice some issues marked resolved but find no relevant code commits yet.

TLDR: WSO2 IS community edition is not suitable for production use unless you invest enough.

@d3btech

d3btech commented Nov 7, 2022

How about adding Authelia in the list also?

@raph

raph commented Sep 12, 2023

Authentik, Authelia and Zitadel should be added

@d3btech

d3btech commented Sep 12, 2023

Ory Hydra is a promising project. Has anyone here used Spring Authentication Server? I need some expert reviews on the product.

@adriy-be

adriy-be commented Feb 20, 2024

| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP | ZITADEL | Authentik | Authelia | lemonldap-ng | logto |
|---|---|---|---|---|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no | yes | yes | | yes | yes |
| OpenJDK support | yes | yes | partial² | yes | yes | partial | not needed | | | not needed | not needed |
| Identity brokering | yes | yes | yes | | | | yes | | | yes | yes |
| Middleware | Quarkus | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat | CockroachDB | | | Apache, Nginx, uwsgi, PSGI, FastCGI | Express |
| Open source | yes | nominally | yes | yes | yes | yes | yes (Apache 2.0) | yes | yes | yes (GPL) | yes (MPL-2.0 license) |
| Commercial support | yes | yes | yes | third-party | yes | third-party | yes | yes | | yes | yes |
| Add federation metadata | no | yes | yes | | | | no | | | yes | yes |
| Add metadata from URL | import only | yes | yes | | | | yes | | | yes | yes |
| Installation and configuration | easy | difficult | difficult | | | | easy/medium | | | easy/medium | easy |

Authentik and Authelia should be verified and completed.
Thanks to

@coudot

coudot commented Feb 20, 2024

Hello,

It seems that @LemonLDAPNG is missing; I'm adding the data here and will let you decide if you want to include it in the table:

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication : yes
  • Admin UI : yes
  • OpenJDK support : not needed
  • Identity brokering : yes
  • Middleware : Apache, Nginx, uwsgi, PSGI, FastCGI
  • Open source : yes (GPL)
  • Commercial support : yes (@Worteks)
  • Add federation metadata : yes
  • Add metadata from URL : yes
  • Installation and configuration : easy/medium

@mabujaber

https://logto.io/

  • OpenID Connect/OAuth support : yes
  • Multi-factor authentication : yes
  • Admin UI : yes
  • OpenJDK support : not needed
  • Identity brokering : yes
  • Middleware : Express
  • Open source : yes (MPL-2.0 license)
  • Commercial support : yes
  • Add federation metadata : yes
  • Add metadata from URL : yes
  • Installation and configuration : easy
