Comparison of some open-source SSO implementations

open-source-sso.md

⚠️ This is not maintained. Feel free to check comments and/or forks for more current options.

Background

This was created years ago; at the time I'd been a Shibboleth admin for nearly a decade but we needed something that could handle OIDC/OAuth and that explicitly supported OpenJDK. After a lot of investigation, I really liked Keycloak/Red Hat Single Sign-On. More details here: Gluu vs keycloack vs wso2 identity management

Comparison

(Items in bold indicate possible concerns)

	Keycloak	WSO2 Identity Server	Gluu	CAS	OpenAM	Shibboleth IdP
OpenID Connect/OAuth support	yes	yes	yes	yes	yes	yes
Multi-factor authentication	yes	yes	yes	yes	yes	yes
Admin UI	yes	yes	yes	yes	yes	no
OpenJDK support	yes	yes	partial²	yes	yes	partial
Identity brokering	yes	yes	yes
Middleware	Quarkus	WSO2 Carbon¹	Jetty, Apache HTTPD	any Java app server	any Java app server	Jetty, Tomcat
Open source	yes	⚠ nominally	yes	yes	yes	yes
Commercial support	yes	yes	yes	third-party	yes	third-party
Add federation metadata	no	yes				yes
Add metadata from URL	import only	yes				yes
Installation and configuration	easy			difficult		difficult

1. WSO2 Carbon appears to be based on Tomcat

2. Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.

https://logto.io/ OpenID Connect/OAuth support : yes Multi-factor authentication : yes Admin UI : yes OpenJDK support : not needed Identity brokering : yes Middleware : Express Open source : yes (MPL-2.0 license) Commercial support : yes Add federation metadata : yes Add metadata from URL : yes Installation and configuration : easy
@mabujaber thanks for the mention
@gao-sun @simeng-li @logto-io

Keycloak WSO2 Identity Server Gluu CAS OpenAM Shibboleth IdP ZITADEL Authentik Authelia lemonldap-ng logto
OpenID Connect/OAuth support yes yes yes yes yes yes yes yes yes yes yes
Multi-factor authentication yes yes yes yes yes yes yes yes yes yes yes
Admin UI yes yes yes yes yes no yes Yes yes yes
OpenJDK support yes yes partialý yes yes partial not needed not needed not needed
Identity brokering yes yes yes yes yes yes
Middleware Quarkus WSO2 Carbon? Jetty, Apache HTTPD any Java app server any Java app server Jetty, Tomcat CockroachDB Apache, Nginx, uwsgi, PSGI, FastCGI Express
Open source yes ? nominally yes yes yes yes yes (Apache 2.0) yes yes yes (GPL) yes (MPL-2.0 license)
Commercial support yes yes yes third-party yes third-party yes yes yes yes
Add federation metadata no yes yes no yes yes
Add metadata from URL import only yes yes yes yes yes
Installation and configuration easy difficult difficult easy/medium easy/medium easy
Authentik and Authelia should be verified and completed. Thanks to

• @mffap for zitadel
• @coudot for LemonLDAPNG
• @mabujaber for logto

Can you move Authentik to partially open-source, they have an enterprise repo that is not FOSS

Also Kanidm seems worth adding

Here's what i came up with:

	ZITADEL	Logto	Kanidm	Casdoor
Middleware	Postgres	Express	None	Postgres
Implementation language	Go	Typescript	Rust	Go

Just learned of INDIGO IAM - developed by INFN, Italy's nuclear physics institute: https://github.com/indigo-iam/iam

At first glance, it looks like another Java IAM solution but one targeted at the academic & research sector.