Update 2022-01-31: We have updated this post to include feedback that was emailed to us. This post should serve only for people who would like to understand the decision we made in 2019, not as a guide to people who want to make this decision now.

A login process is considered annoying by users and managing different passwords is complicated for some. Furthermore, application administrators do not want to have to make users for all their colleagues, friends, etc. with every application that is installed.

This is why OpenAppStack wants to provide a “Single Sign On” solution. A central part where users can be managed and that can provide login information for all the applications that are part of OpenAppStack.

Several open source solutions exist for Single Sign On. Therefore, we set out to make a comparison based on our wants and needs.

Our hard requirements:

• Auth methods: OpenID Connect (OIDC) and SAML (needed for i.e. Nextcloud)
• Some kind of second factor auth (OTP, U2F)
• Web interface or API for user management
• Possible automated client registration

Wanted features, but no blockers:

• U2F second factor auth
• Existing helm chart / Easy kubernetes deployment
• Little overhead (Resource usage, few/single persistant volumes etc.)

This tables shows those solutions that made it to the second round, with our hard requirements on top:

	Keycloak	Gluu1	PrivacyIDEA
Auth Methods	SAML, OIDC, OAuth2	SAML, OIDC, OAuth2, CAS	SAML (with simpleSAMLphp i.e.)
Second factor auth	Google Authenticator or FreeOTP, U2F pushed to some future release	U2F security keys and certificates, can be extended to support any authentication mechanism using custom authentication interception scripts1	OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F (Yubikey, Plug-Up), Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email and more
User management	Web interface, API	Web interface, API	Web UI not intuitive or user friendly (second factors can be added without verifying they work and you’re expected to use them next time you log in), API
Automated client registration	Yes	Yes1	?
Existing helmchart / Easy k8s deployment	Yes	No, but there’s the Gluu Server Docker Edition (DE) Beta Yes 1	No
Architecture / Complexity	Has some client libraries/middleware but not as complete as Gluu’s. Implementing SSO seems to be based on standard OAuth2 in PHP and Python	Has a client library/middleware to implement authentication in many languages without the traditional redirecting that happens with SAML and OAuth. A huge plus, the downside is that it’s neither open source nor free to use. Modular architecture, which has it’s downsides when running on kubernetes since it requests multiple persistant storage volumes.1	Monolithic application. “Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp”
Backend	LDAP (others possible)	LDAP (others possible1)	LDAP (others possible)
CLI	kcadm.sh, Bash	–	privacyadm, Python
Mobile app	–	Super Gluu, open source that can be customised with our logo etc. which can be used as a second factor.	–
Language	Java	Java	Python
Development activity	Active Developement, 3200+ GH stars, recent activity, daily pull requests that also get accepted, can’t find a roadmap. Uses Jira for issues.	Active development, Roadmap, Gluu server docker edition: 100- GH stars	500+ stars on GH, active development

Alternatives that need more investigation

• CloudFoundry UAA, SAML, OAuth2, UAA docs. Couldn’t find whether it supports U2f or OTP.
• Tremolo Security’s OpenUnison
• OpenAM The relationship between OpenIdentityPlatform/OpenAM and Forgerock Access Management is unclear to us – maybe the first one is the open source variant of the latter ? For the licensing of the latter, see this Gluu post that compares gluu with OpenAM
• Apero CAS
• Airobase IAM
• WSO2 Identity Server

Out of the game:

• S.S. Octopus. Blocker: “depends on Google as its authoritative OAuth2 provider”
• CoreOS dex. Blocker: lacks two factor auth completely
• Authelia, “Authelia is an open-source server providing a login portal and treating authentication requests in cooperation with NGINX”. Is “Kubernetes Ready”, uses U2F and OTP. Blocker: No OpenID, no SAML
• Cierge, only OIDC
• Autistici ID project, “A simple stack of services providing identity and authentication.”, blocker: Early stage, no/very little FOSS community behind it
• Riseup Nest, “a user management system that support email, recovery codes, invite codes, U2F authentication, single sign on, and user data that is personally encrypted. It designed to be the central integration point for independent service providers”. Blocker: “Source code is forthcoming, once a security audit is finished”
• Shibboleth IDP, Blocker: No admin UI, shibboleth is integrated into gluu

Further reading

• https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
• https://en.wikipedia.org/wiki/Identity_provider
• https://www.gluu.org/blog/gluu-versus-keycloak/
• https://stackoverflow.com/questions/46184787/gluu-vs-keycloack-vs-wso2-identity-management
• Another SSO comparison table

Findings

Keycloak came closest to our needs and we decided to integrate and evaluate KeyCloak in practice for now.