A login process is considered annoying by users and managing different passwords is complicated for some. Furthermore, application administrators do not want to have to make users for all their colleagues, friends, etc. with every application that is installed.

This is why OpenAppStack wants to provide a “Single Sign On” solution. A central part where users can be managed and that can provide login information for all the applications that are part of OpenAppStack.

Several open source solutions exist for Single Sign On. Therefore, we set out to make a comparison based on our wants and needs.

Our hard requirements:

  • Auth methods: OpenID Connect (OIDC) and SAML (needed for i.e. Nextcloud)
  • Some kind of second factor auth (OTP, U2F)
  • Web interface or API for user management
  • Possible automated client registration

Wanted features, but no blockers:

  • U2F second factor auth
  • Existing helm chart / Easy kubernetes deployment
  • Little overhead (Resource usage, few/single persistant volumes etc.)

This tables shows those solutions that made it to the second round, with our hard requirements on top:

  Keycloak Gluu PrivacyIDEA
Auth Methods SAML, OIDC, OAuth2 SAML, OIDC, OAuth2, CAS SAML (with simpleSAMLphp i.e.)
Second factor auth Google Authenticator or FreeOTP, U2F pushed to some future release U2F security keys and certificates, can be extended to support any authentication mechanism using custom authentication interception scripts OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F (Yubikey, Plug-Up), Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email and more
User management Web interface, API Web interface, API Web UI not intuitive or user friendly (second factors can be added without verifying they work and you’re expected to use them next time you log in), API
Automated client registration Yes ? ?
Existing helmchart / Easy k8s deployment Yes No, but there’s the Gluu Server Docker Edition (DE) Beta No
Architecture / Complexity Has some client libraries/middleware but not as complete as Gluu’s. Implementing SSO seems to be based on standard OAuth2 in PHP and Python Has a client library/middleware to implement authentication in many languages without the traditional redirecting that happens with SAML and OAuth. A huge plus, the downside is that it’s neither open source nor free to use. Modular architecture, which has it’s downsides when running on kubernetes since it requests multiple persistant storage volumes. Monolithic application. “Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp”
Backend LDAP (others possible) LDAP (others possible) LDAP (others possible)
CLI kcadm.sh, Bash - privacyadm, Python
Mobile app - Super Gluu, open source that can be customised with our logo etc. which can be used as a second factor. -
Language Java Java Python
Development activity Active Developement, 3200+ GH stars, recent activity, daily pull requests that also get accepted, can’t find a roadmap. Uses Jira for issues. Active development, Roadmap, Gluu server docker edition: 100- GH stars 500+ stars on GH, active development

Alternatives that need more investigation

Out of the game:

  • S.S. Octopus. Blocker: “depends on Google as its authoritative OAuth2 provider”
  • CoreOS dex. Blocker: lacks two factor auth completely
  • Authelia, “Authelia is an open-source server providing a login portal and treating authentication requests in cooperation with NGINX”. Is “Kubernetes Ready”, uses U2F and OTP. Blocker: No OpenID, no SAML
  • Cierge, only OIDC
  • Autistici ID project, “A simple stack of services providing identity and authentication.”, blocker: Early stage, no/very little FOSS community behind it
  • Riseup Nest, “a user management system that support email, recovery codes, invite codes, U2F authentication, single sign on, and user data that is personally encrypted. It designed to be the central integration point for independent service providers”. Blocker: “Source code is forthcoming, once a security audit is finished”
  • Shibboleth IDP, Blocker: No admin UI, shibboleth is integrated into gluu

Further reading

  • https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
  • https://en.wikipedia.org/wiki/Identity_provider
  • https://www.gluu.org/blog/gluu-versus-keycloak/
  • https://stackoverflow.com/questions/46184787/gluu-vs-keycloack-vs-wso2-identity-management
  • Another SSO compatism table

Findings

Keycloak came closest to our needs and we decided to integrate and evaluate KeyCloak in practice for now.