Update 2022-01-31: We have updated this post to include feedback that was emailed to us. This post should serve only for people who would like to understand the decision we made in 2019, not as a guide to people who want to make this decision now.

A login process is considered annoying by users and managing different passwords is complicated for some. Furthermore, application administrators do not want to have to make users for all their colleagues, friends, etc. with every application that is installed.

This is why OpenAppStack wants to provide a “Single Sign On” solution. A central part where users can be managed and that can provide login information for all the applications that are part of OpenAppStack.

Several open source solutions exist for Single Sign On. Therefore, we set out to make a comparison based on our wants and needs.

Our hard requirements:

  • Auth methods: OpenID Connect (OIDC) and SAML (needed for i.e. Nextcloud)
  • Some kind of second factor auth (OTP, U2F)
  • Web interface or API for user management
  • Possible automated client registration

Wanted features, but no blockers:

  • U2F second factor auth
  • Existing helm chart / Easy kubernetes deployment
  • Little overhead (Resource usage, few/single persistant volumes etc.)

This tables shows those solutions that made it to the second round, with our hard requirements on top:

  Keycloak Gluu1 PrivacyIDEA
Auth Methods SAML, OIDC, OAuth2 SAML, OIDC, OAuth2, CAS SAML (with simpleSAMLphp i.e.)
Second factor auth Google Authenticator or FreeOTP, U2F pushed to some future release U2F security keys and certificates, can be extended to support any authentication mechanism using custom authentication interception scripts1 OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F (Yubikey, Plug-Up), Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email and more
User management Web interface, API Web interface, API Web UI not intuitive or user friendly (second factors can be added without verifying they work and you’re expected to use them next time you log in), API
Automated client registration Yes Yes1 ?
Existing helmchart / Easy k8s deployment Yes No, but there’s the Gluu Server Docker Edition (DE) Beta Yes 1 No
Architecture / Complexity Has some client libraries/middleware but not as complete as Gluu’s. Implementing SSO seems to be based on standard OAuth2 in PHP and Python Has a client library/middleware to implement authentication in many languages without the traditional redirecting that happens with SAML and OAuth. A huge plus, the downside is that it’s neither open source nor free to use. Modular architecture, which has it’s downsides when running on kubernetes since it requests multiple persistant storage volumes.1 Monolithic application. “Can act as a SAML Identity Provider in conjunction with SimpleSAMLphp”
Backend LDAP (others possible) LDAP (others possible1) LDAP (others possible)
CLI kcadm.sh, Bash privacyadm, Python
Mobile app Super Gluu, open source that can be customised with our logo etc. which can be used as a second factor.
Language Java Java Python
Development activity Active Developement, 3200+ GH stars, recent activity, daily pull requests that also get accepted, can’t find a roadmap. Uses Jira for issues. Active development, Roadmap, Gluu server docker edition: 100- GH stars 500+ stars on GH, active development

Alternatives that need more investigation

Out of the game:

  • S.S. Octopus. Blocker: “depends on Google as its authoritative OAuth2 provider”
  • CoreOS dex. Blocker: lacks two factor auth completely
  • Authelia, “Authelia is an open-source server providing a login portal and treating authentication requests in cooperation with NGINX”. Is “Kubernetes Ready”, uses U2F and OTP. Blocker: No OpenID, no SAML
  • Cierge, only OIDC
  • Autistici ID project, “A simple stack of services providing identity and authentication.”, blocker: Early stage, no/very little FOSS community behind it
  • Riseup Nest, “a user management system that support email, recovery codes, invite codes, U2F authentication, single sign on, and user data that is personally encrypted. It designed to be the central integration point for independent service providers”. Blocker: “Source code is forthcoming, once a security audit is finished”
  • Shibboleth IDP, Blocker: No admin UI, shibboleth is integrated into gluu

Further reading

  • https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
  • https://en.wikipedia.org/wiki/Identity_provider
  • https://www.gluu.org/blog/gluu-versus-keycloak/
  • https://stackoverflow.com/questions/46184787/gluu-vs-keycloack-vs-wso2-identity-management
  • Another SSO comparison table

Findings

Keycloak came closest to our needs and we decided to integrate and evaluate KeyCloak in practice for now.

  1. Update: The Gluu team has reached out to us on 2020-10-03 and 2022-01-28. They mentioned that our analysis was not accurate. Here are some responses they sent us about this post to both update and rectify our findings.

    Second factor auth: Out of the box, Gluu supports many 2FA options, which you can see on GitHub. Most polular options include: FIDO2, OTP, Certificate, SMS, Super Gluu, but also commercial integrations with Duo, Stytch, InWebo, PrivacyIdea, and PingID

    Regarding architecture complexity, oxd client is now 100% free and Apache 2.0 license. However… most customers will use the open standards – OpenID Connect, SAML, FIDO – and whatever client libraries they like. There is no requirement to use oxd–it’s simply an option for companies that want a standard middleware. If you ever implemented private key authentication or signed encrypted request objects (for example in a bank ecosystem), having a middleware service that does this for you is a nice option. Every application programming platform today has a library for OpenID Connect, so there is really no difference between how we support third party apps with everyone else. Any hello world OpenID Connect application will work with Gluu.

    Backends: LDAP, Couchbase, Amazon Aurora, Google Spanner, and MySQL is beta.

    Development: Project moved to the Linux Foundation Janssen Project; upstream bits are now at https://github.com/orgs/JanssenProject

     2 3 4 5 6