Users find logging in annoying, and managing a different password for every service is a burden for many of them. Application administrators, for their part, do not want to create accounts for all their colleagues, friends, etc. in every application that gets installed.
This is why OpenAppStack wants to provide a "Single Sign On" solution: a central place where users are managed and that can provide login information to all the applications that are part of OpenAppStack.
Several open source solutions exist for Single Sign On, so we set out to compare them against our wants and needs.
Our hard requirements:
- Auth methods: OpenID Connect (OIDC) and SAML (needed for e.g. Nextcloud)
- Some kind of second factor auth (OTP, U2F)
- Web interface or API for user management
- Possible automated client registration
Wanted features, but no blockers:
- U2F second factor auth
- Existing helm chart / Easy kubernetes deployment
- Little overhead (resource usage, few/single persistent volumes, etc.)
This table shows the solutions that made it to the second round (Keycloak, Gluu and privacyIDEA), with our hard requirements on top:

| | Keycloak | Gluu | privacyIDEA |
|---|---|---|---|
| Auth methods | SAML, OIDC, OAuth2 | SAML, OIDC, OAuth2, CAS | SAML (e.g. with simpleSAMLphp) |
| Second factor auth | Google Authenticator or FreeOTP; U2F pushed to some future release | U2F security keys and certificates; can be extended to support any authentication mechanism using custom authentication interception scripts | OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F (Yubikey, Plug-Up), Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email and more |
| User management | Web interface, API | Web interface, API | Web UI not intuitive or user friendly (second factors can be added without verifying they work, and you're expected to use them the next time you log in); API |
| Automated client registration | Yes | ? | ? |
| Existing helm chart / Easy k8s deployment | Yes | No, but there's the Gluu Server Docker Edition (DE) Beta | No |
| Architecture / Complexity | Has some client libraries/middleware, but not as complete as Gluu's. Implementing SSO seems to be based on standard OAuth2 in PHP and Python | Has a client library/middleware to implement authentication in many languages without the traditional redirecting that happens with SAML and OAuth. A huge plus; the downside is that it's neither open source nor free to use. Modular architecture, which has its downsides when running on Kubernetes since it requests multiple persistent storage volumes. | Monolithic application. "Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp" |
| Backend | LDAP (others possible) | LDAP (others possible) | LDAP (others possible) |
| CLI | kcadm.sh, Bash | - | privacyadm, Python |
| Mobile app | - | Super Gluu, open source; can be customised with our logo etc. and used as a second factor. | - |
| Development activity | Active development, 3200+ GH stars, recent activity, daily pull requests that also get accepted; can't find a roadmap. Uses Jira for issues. | Active development, roadmap; Gluu Server Docker Edition: 100- GH stars | 500+ stars on GH, active development |
Alternatives that need more investigation:
- CloudFoundry UAA, SAML, OAuth2, UAA docs. Couldn't find whether it supports U2F or OTP.
- Tremolo Security’s OpenUnison
- OpenAM. The relationship between OpenIdentityPlatform/OpenAM and ForgeRock Access Management is unclear to us; maybe the first one is the open source variant of the latter? For the licensing of the latter, see this Gluu post that compares Gluu with OpenAM.
- Apereo CAS
- Aerobase IAM
- WSO2 Identity Server
Out of the game:
- S.S. Octopus. Blocker: “depends on Google as its authoritative OAuth2 provider”
- CoreOS dex. Blocker: lacks two factor auth completely
- Authelia, “Authelia is an open-source server providing a login portal and treating authentication requests in cooperation with NGINX”. Is “Kubernetes Ready”, uses U2F and OTP. Blocker: No OpenID, no SAML
- Cierge, only OIDC
- Autistici ID project, “A simple stack of services providing identity and authentication.”, blocker: Early stage, no/very little FOSS community behind it
- Riseup Nest, "a user management system that supports email, recovery codes, invite codes, U2F authentication, single sign on, and user data that is personally encrypted. It is designed to be the central integration point for independent service providers". Blocker: "Source code is forthcoming, once a security audit is finished"
- Shibboleth IDP, Blocker: No admin UI, shibboleth is integrated into gluu
- Another SSO comparison table
Keycloak came closest to our needs, and we decided to integrate and evaluate Keycloak in practice for now.