

Comparison of some open-source SSO implementations
source link: https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd

Note: This list is not meant to be exhaustive and is not guaranteed to be maintained. See the comments for updates and alternative options.
(Items in bold indicate possible concerns)
| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP |
|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no |
| OpenJDK support | yes | yes | partial² | yes | yes | partial |
| Identity brokering | yes | yes | yes | | | |
| Middleware | Quarkus | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat |
| Open source | yes | (image not captured) | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party |
| Add federation metadata | no | yes | yes | | | |
| Add metadata from URL | import only | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | | | |

¹ WSO2 Carbon appears to be based on Tomcat.

² Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.
FusionAuth seems interesting to add; the community version (has 'all common needed' features) is free and open source.
For my company I also need to compare several SSO solutions (free and open source only), from this list: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
In my Excel sheet I have separate columns for free and open source.
For better comparison and understanding of SSO solutions I also added these columns, which I can recommend to anyone who works on something similar:
- "authorization supported?" (for several, only authentication is)
- installation? (easy/medium/difficult)
- integration? (with different FE/BE technologies, also e/m/d)
- mobile apps? (Android, iOS) supported or not
- Liveness (number/frequency of releases, GitHub issue resolution, etc.)
- Modern/popular?
I need to go more in depth into several solutions in the next weeks, so anyone who works on something similar, do not hesitate to contact me to share information and knowledge :)
coudot commented May 3, 2020
> FusionAuth seems interesting to add; the community version (has 'all common needed' features) is free and open source.

Sadly, FusionAuth does not seem to be open source any more. See https://fusionauth.io/license
It should be removed from this list.
inbarbarkai commented Oct 14, 2020
@bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.
bmaupin (Author) commented Oct 14, 2020
> @bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.
@inbarbarkai I left IdentityServer off the list since the open-source version is a framework rather than a full SSO product. If it's going closed-source that's one more reason not to include it. Thanks!
EraYaN commented Nov 2, 2020
There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)
> @bmaupin IdentityServer4 is becoming legacy. Starting from November 2021, all development will be on a commercial version only.
@inbarbarkai Also it seems like they are releasing the new version under the RPL (Reciprocal Public License)
coudot commented Nov 2, 2020
> There is also https://www.fusiondirectory.org/en/ which is open source (https://repos.fusiondirectory.org/sources/)

This is not Single Sign-On but Identity Management. Anyway, this is a great product that is part of FusionIAM (https://fusioniam.org/), in which we find the SSO solution LemonLDAP::NG (https://lemonldap-ng.org)
Which of these products handles multi-tenancy the best? I read some issues about Keycloak getting slower with 100+ tenants (realms in its context). Is there anyone experiencing such a thing?
alfem commented Feb 8, 2021
Have you heard about ADAS SSO? It is open source and PHP-based: http://www.adas-sso.com/en/sso/sso.php
coudot commented Feb 8, 2021
> Have you heard about ADAS SSO? It is open source and PHP-based: http://www.adas-sso.com/en/sso/sso.php

I was not able to find the source code; do you know where it is published?
alfem commented Feb 8, 2021
It is open source although the source is not openly published. You must ask for the software on this page: http://www.adas-sso.com/en/extra/download.php
coudot commented Feb 8, 2021
Well, a very bad practice. Not sure this software should be listed here.
alfem commented Feb 8, 2021
> Well, a very bad practice. Not sure this software should be listed here.

I agree with you that it is a bad and nonsensical practice.
But I do not see why it must not be included. Loads of people confuse open-source licensed with "downloadable for free on a web page". Adas-SSO is Apache 2 licensed, so it is open source.
Adding it to this list is up to the owner, I suppose.
bmaupin (Author) commented Feb 8, 2021
Hmm, an interesting conundrum! adAS does seem to be Apache-licensed, and filling out the form (even with fake data) starts the download immediately. I think it's pretty lame they put the download behind a form, but I'd be okay adding it to the list unless someone can point to documentation that might somehow disqualify this from being open-source (e.g. something from the OSI or FSF). I wasn't able to find anything myself.
I don't know enough about the product to be able to add it to the list but if someone could help me fill out the rows I don't mind adding it.
mffap commented Mar 9, 2021
@bmaupin thanks for the comparison. Would it be possible to add ZITADEL to the list?
- OpenID Connect/OAuth support : yes
- Multi-factor authentication: yes (FIDO2 Passwordless, U2F, SMS)
- Admin UI: yes
- OpenJDK support: not needed
- Identity brokering: yes
- Middleware: K8s, CockroachDB
- Open source: yes (Apache 2.0)
- Commercial support: yes
- Add federation metadata: no
- Add metadata from URL: yes (OIDC)
- Installation: easy (Container)
- Configuration: medium
Please let me know in case you may have any questions. Thanks.
This needs a row that tells us how configurable it is as a 12-factor app, primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.
bmaupin (Author) commented Mar 12, 2021
@mffap, interesting, thanks! Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.
> Stay tuned, we will soon publish a guide how you can deploy a hyperconverged system with our automation tooling called ORBOS.
> https://github.com/caos/zitadel#run-your-own-iam
“hyperconverged”
The word you've entered isn't in the dictionary.
https://www.merriam-webster.com/dictionary/hyperconverged
bmaupin (Author) commented Mar 12, 2021
> This needs a row that tells us how configurable it is as a 12-factor app, primarily if it can be mostly done using environment variables or command line parameters without storing any state in the container that is running it.
@trajano Is your goal to determine which of these applications can be easily run in a container? I do think that would be helpful. If nothing else I could add a column for which of them have available container images, which should be a good indication of how easy it would be to run them in a container. For example, KeyCloak provides a container image right on its download page. I'll try to fill it out as best as I can, but help is always welcome.
Thanks @bmaupin, actually almost all of these can run in a container, but something like Keycloak cannot be configured easily without the UI. Whereas (I am hoping) CAS would be, even if the installation and configuration is more difficult, because it's infrastructure as code.
mffap commented Mar 12, 2021
> Can it be run on-premise? The documentation is a bit vague and seems to suffer from buzzwords.

Fair enough. Yes, ZITADEL runs on any CNCF-conformant Kubernetes, on-prem or with a cloud provider of your liking.
With our partner product ORBOS, we build Kubernetes with all the automation and standard tools for Day 2 Ops. Helpful for on-prem scenarios on bare metal or VMs. But you could use other similar OSS tools.
Because all the infrastructure-as-code, storage (e.g. CockroachDB), monitoring, etc. is shipped in one bundle, we like to call this hyperconverged infrastructure, as we abstract away the underlying infrastructure.
bmaupin (Author) commented May 12, 2021
@trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?
I know Shibboleth IdP can be, whereas I don't believe KeyCloak can, as you mentioned. I have little experience with the others, although I believe CAS can as well.
How about UAA from Cloud Foundry?
I think it could be a competitive option.
At TeDomum.net, we are developing Hiboo, which might be interesting.
It's made in Python.
> @trajano Good point! What would be a good way to word this? Maybe "completely configurable through text files"?

- Configurable through environment variables
- Configurable through text files [noting that you can use Docker to create an image with the text files embedded, or use config/secret mounts]
lacek commented Mar 28, 2022
According to Gluu's Docs, the requirement of Oracle JDK has been replaced with Amazon Corretto (a variant of OpenJDK). Besides, Shibboleth Docs mentions that IdP 4 fully supports Corretto 11 for Linux and OpenJDK 11 for RHEL/CentOS. So I guess footnote 3 should be updated to reflect the change.
Hi,
Keycloak is transitioning to Quarkus; they have deprecated the Wildfly version and it will be removed in June.
@nunojpg That's a great question; I didn't intentionally set out to only add Java-based apps, but Java's so prevalent in the enterprise space it seems that's what happened.
100 MB is pretty tight. I found a couple options written in Go, which in theory could use less memory than something Java-based, but I have no experience with them:
https://gethydra.sh/ https://github.com/dexidp/dex
Good luck!
Hey, I see you mentioning Ory, which is a software solution I am currently looking into, how come it did not make it to the list?
lacek commented Jul 10, 2022
For anyone who's considering WSO2 Identity Server, be advised that you'll either need to pay for their service subscription or invest a significant amount of effort and time to get a production-ready deployment.
The community edition of WSO2 IS is released in major versions only (e.g. 5.10.0, 5.11.0, etc.). For whatever security vulnerabilities or bugs are found between major versions, community users won't receive any update and are on their own. On the other hand, users of a paid subscription to their WSO2 Update Manager (WUM) service are provided with closed-source software patches. You may find in their documentation that certain features are available since 5.11.0.XX (e.g. https://is.docs.wso2.com/en/5.11.0/learn/configuring-uniqueness-of-claims/). It means that you can get that easily as a paid user, but not as a community user.
For security vulnerabilities, you'll have to watch the reports and evaluate if each is relevant to your deployment. Sometimes the mitigations are just configurations or one-off commands (e.g. https://docs.wso2.com/pages/viewpage.action?pageId=180948677). But some are lists of pull requests (e.g. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1459). Given the complexity of the software, you'll need a significant amount of time to learn how to build from source, apply the relevant pull requests, install the patch, and all that to manage these.
For software bugs, you'll have to either wait for the next major version, or figure out the relevant commits/pull requests and find a way to apply them yourself. Besides, bug fixes available for paid users are not always available in the public GitHub repositories. You may notice some issues marked resolved but find no relevant code commits yet.
TL;DR: WSO2 IS community edition is not suitable for production use unless you invest enough.
debjitk commented Nov 7, 2022
How about adding Authelia to the list also?