Update 2022-01-31: We have updated this post to include feedback that was emailed to us. This post should serve only for people who would like to understand the decision we made in 2019, not as a guide to people who want to make this decision now.
A login process is considered annoying by users and managing different passwords is complicated for some. Furthermore, application administrators do not want to have to make users for all their colleagues, friends, etc. with every application that is installed.
This is why OpenAppStack wants to provide a “Single Sign On” solution. A central part where users can be managed and that can provide login information for all the applications that are part of OpenAppStack.
Several open source solutions exist for Single Sign On. Therefore, we set out to make a comparison based on our wants and needs.
Our hard requirements:
- Auth methods: OpenID Connect (OIDC) and SAML (needed for i.e. Nextcloud)
- Some kind of second factor auth (OTP, U2F)
- Web interface or API for user management
- Possible automated client registration
Wanted features, but no blockers:
- U2F second factor auth
- Existing helm chart / Easy kubernetes deployment
- Little overhead (Resource usage, few/single persistant volumes etc.)
This tables shows those solutions that made it to the second round, with our hard requirements on top:
|Auth Methods||SAML, OIDC, OAuth2||SAML, OIDC, OAuth2, CAS||SAML (with simpleSAMLphp i.e.)|
|Second factor auth||Google Authenticator or FreeOTP, U2F pushed to some future release||U2F security keys and certificates, can be extended to support any authentication mechanism using custom authentication interception scripts1||OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F (Yubikey, Plug-Up), Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email and more|
|User management||Web interface, API||Web interface, API||Web UI not intuitive or user friendly (second factors can be added without verifying they work and you’re expected to use them next time you log in), API|
|Automated client registration||Yes||Yes1||?|
|Existing helmchart / Easy k8s deployment||Yes||No|
|Architecture / Complexity||Has some client libraries/middleware but not as complete as Gluu’s. Implementing SSO seems to be based on standard OAuth2 in PHP and Python||Has a client library/middleware to implement authentication in many languages without the traditional redirecting that happens with SAML and OAuth. A huge plus,
||Monolithic application. “Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp”|
|Backend||LDAP (others possible)||LDAP (others possible1)||LDAP (others possible)|
|CLI||kcadm.sh, Bash||–||privacyadm, Python|
|Mobile app||–||Super Gluu, open source that can be customised with our logo etc. which can be used as a second factor.||–|
|Development activity||Active Developement, 3200+ GH stars, recent activity, daily pull requests that also get accepted, can’t find a roadmap. Uses Jira for issues.||Active development, Roadmap, Gluu server docker edition: 100- GH stars||500+ stars on GH, active development|
Alternatives that need more investigation
- CloudFoundry UAA, SAML, OAuth2, UAA docs. Couldn’t find whether it supports U2f or OTP.
- Tremolo Security’s OpenUnison
- OpenAM The relationship between OpenIdentityPlatform/OpenAM and Forgerock Access Management is unclear to us – maybe the first one is the open source variant of the latter ? For the licensing of the latter, see this Gluu post that compares gluu with OpenAM
- Apero CAS
- Airobase IAM
- WSO2 Identity Server
Out of the game:
- S.S. Octopus. Blocker: “depends on Google as its authoritative OAuth2 provider”
- CoreOS dex. Blocker: lacks two factor auth completely
- Authelia, “Authelia is an open-source server providing a login portal and treating authentication requests in cooperation with NGINX”. Is “Kubernetes Ready”, uses U2F and OTP. Blocker: No OpenID, no SAML
- Cierge, only OIDC
- Autistici ID project, “A simple stack of services providing identity and authentication.”, blocker: Early stage, no/very little FOSS community behind it
- Riseup Nest, “a user management system that support email, recovery codes, invite codes, U2F authentication, single sign on, and user data that is personally encrypted. It designed to be the central integration point for independent service providers”. Blocker: “Source code is forthcoming, once a security audit is finished”
- Shibboleth IDP, Blocker: No admin UI, shibboleth is integrated into gluu
- Another SSO comparison table
Keycloak came closest to our needs and we decided to integrate and evaluate KeyCloak in practice for now.
- Update: The Gluu team has reached out to us on 2020-10-03 and 2022-01-28. They mentioned that our analysis was not accurate. Here are some responses they sent us about this post to both update and rectify our findings.
Second factor auth: Out of the box, Gluu supports many 2FA options, which you can see on GitHub. Most polular options include: FIDO2, OTP, Certificate, SMS, Super Gluu, but also commercial integrations with Duo, Stytch, InWebo, PrivacyIdea, and PingID
Regarding architecture complexity, oxd client is now 100% free and Apache 2.0 license. However… most customers will use the open standards – OpenID Connect, SAML, FIDO – and whatever client libraries they like. There is no requirement to use oxd–it’s simply an option for companies that want a standard middleware. If you ever implemented private key authentication or signed encrypted request objects (for example in a bank ecosystem), having a middleware service that does this for you is a nice option. Every application programming platform today has a library for OpenID Connect, so there is really no difference between how we support third party apps with everyone else. Any hello world OpenID Connect application will work with Gluu.
Backends: LDAP, Couchbase, Amazon Aurora, Google Spanner, and MySQL is beta.
Development: Project moved to the Linux Foundation Janssen Project; upstream bits are now at https://github.com/orgs/JanssenProject