An Identity and Access Management (IAM) tool centralises authentication for applications and IT services. Although there are paid-for IAM solutions such as Okta, Ilex, JumpCloud or OpenIAM, this article focuses on comparing open-source tools.
The purpose of an IAM tool is to ensure that the right people in a company have the appropriate access to resources. It mainly enables Single Sign-On (SSO), identity federation and strong authentication.
Why use an Identity Provider (IdP)?
One of the main uses of an IAM solution is to act as an Identity Provider (IdP): the entity that creates, maintains and manages users' digital identities and their authentication factors. For the latter, the IdP normally relies on an authentication server, which stores in a database the information needed to confirm a user's identity at login. Most commonly, the authentication process checks a username and password.
Use of an identity provider meets a number of objectives:
- Centralised security management: most of the permission and authentication functionality lives in the identity provider, which becomes a single portal for user resources and for managing accounts and access controls.
- Decoupling: authentication, login flows, token issuance, and the collection and validation of credentials are handled separately from the application code. Development can then focus on the application's functional aspects, since the IdP takes charge of authentication and permissions.
- Single Sign-On (SSO): the user authenticates once and can then access several applications, which avoids password "fatigue".
Comparative study of Identity Providers (IdP)
We have carried out a comparative study of several open-source tools, to help you choose a solution, covering Keycloak, FusionAuth, Gluu, Shibboleth, PrivacyIDEA and Aerobase, according to the criteria listed below:
Following our comparative study, most of the solutions studied are IAMs in the full sense, apart from:
- PrivacyIDEA: an authentication server that can be coupled with Keycloak to add further authentication factors;
- Shibboleth: a SAML identity provider (IdP) only, not a complete IAM solution.
Keycloak and Gluu are considered to be the two solutions which best meet our criteria.
1. Our team’s first choice: Keycloak
Keycloak took the lead in our study.
Keycloak's main functionalities:
- Single sign-on:
- The user authenticates once and can then access several services.
- Kerberos bridge: a user who has already logged in to a workstation with Kerberos (against an LDAP directory or Active Directory) is signed in to Keycloak without entering credentials again.
- Identity federation: Keycloak has built-in connectors to existing LDAP or Active Directory servers, and can also federate users held in other stores such as relational databases.
- Authorisation service: Keycloak offers fine-grained, policy-based control of permissions.
- Support for standard protocols: Keycloak has standards-compliant support for OpenID Connect, OAuth 2.0 and SAML 2.0.
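To make the protocol point concrete, here is an added example (written for this page; it is not from the original article and not Keycloak's own code): a relying party in Go, standard library only, validating an RS256 access token of the kind a Keycloak realm issues. The realm's signing key is generated inside the program to stand in for the key the realm publishes in its JWKS; the realm URL `https://sso.example.internal/realms/corp`, the client ID `intranet-portal`, the key ID `realm-key-1` and the subject `alice` are assumed values, not a real deployment. The checks are the ones an application still has to get right even when the IdP does the authenticating: fixed algorithm, key selection by `kid`, signature, issuer, audience and expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Audience accepts "aud" as a single string or an array: RFC 7519 allows both and Keycloak emits both.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// Claims is the subset of a Keycloak-style access token that a relying party must check.
type Claims struct {
	Iss string   `json:"iss"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
	Sub string   `json:"sub"`
}

// encode turns a header or claim set into one base64url JWT segment (these inputs cannot fail to marshal).
func encode(v interface{}) string { raw, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(raw) }

// SignRS256 mints a token the way the realm does: RS256 over header.payload, with the signing key named by kid.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	input := encode(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + encode(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyToken is the check a relying party still owes on every request once an IdP is in place: pin the
// algorithm, select the realm key by kid, verify the signature, and only then act on issuer, audience and expiry.
func VerifyToken(token string, keys map[string]*rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr, c := map[string]string{}, Claims{}
	for i, dst := range []interface{}{&hdr, &c} { // decode header and payload; neither is trusted yet
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(raw, dst)
		}
		if err != nil {
			return nil, err
		}
	}
	if hdr["alg"] != "RS256" { // never honour the token's own alg: blocks "none" and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr["alg"])
	}
	pub, ok := keys[hdr["kid"]] // the realm publishes its keys by kid in its JWKS; unknown kid means unknown signer
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return nil, fmt.Errorf("unknown kid %q or undecodable signature", hdr["kid"])
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	if c.Iss != wantIss || !audOK || now.Unix() >= c.Exp { // a valid signature from the realm is not enough
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%v exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// main mints one realm-signed token and one "alg":"none" forgery and shows which the verifier accepts.
// Issuer URL, client ID, kid and subject are assumed values for this example, not a real deployment.
func main() {
	const issuer, client, kid = "https://sso.example.internal/realms/corp", "intranet-portal", "realm-key-1"
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key the realm publishes in its JWKS
	keys := map[string]*rsa.PublicKey{kid: &realmKey.PublicKey}
	claims := Claims{Iss: issuer, Aud: Audience{client}, Exp: time.Now().Add(5 * time.Minute).Unix(), Sub: "alice"}
	signed, _ := SignRS256(realmKey, kid, claims)
	forged := encode(map[string]string{"alg": "none", "kid": kid}) + "." + encode(claims) + "." // unsigned forgery
	for name, tok := range map[string]string{"realm-signed": signed, "alg none": forged} {
		_, err := VerifyToken(tok, keys, issuer, client, time.Now())
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

Run with `go run`: the realm-signed token is accepted (nil error) and the unsigned forgery is rejected at the algorithm check before any claim is read. In production the `keys` map is filled from the realm's JWKS endpoint and refreshed when an unknown `kid` turns up, and the expiry check usually tolerates a few seconds of clock skew; neither is shown here.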
Other reasons for our choice:
- The community and customer support are effective, dynamic and responsive; Keycloak's developers are very active on the forums.
- Modest system requirements: 512 MB of RAM and 1 GB of disk space.
- On-premise software with a simple architecture and few components.
- Clear documentation, which helps in understanding and mastering the solution.
- Customisable solution.
- Available plug-ins: France Connect, and privacyIDEA, which adds a second factor such as a push confirmation on the user's mobile app, so no second code has to be typed.
Keycloak is also easier to use, and above all more intuitive, than its competitor Gluu, especially when it comes to finding the necessary information and settings.
2. In second place of our comparative study: Gluu
Gluu includes the basic functionalities such as SSO and strong authentication. It is more demanding than Keycloak, however, requiring up to 8 GB of RAM and 40 GB of disk space.
Gluu is also offered packaged for Docker, a free software package for running applications in software containers.
Gluu consists of a main component that has to be supplemented by others, such as an LDAP directory server. It takes longer to learn, because the required components have to be identified according to the context. This architecture is also why the solution needs more disk space and RAM.
The interface is less user-friendly than Keycloak's, which does not help when using it, especially when looking for the right settings.
Gluu has less documentation available, particularly about its OpenID Connect configuration, and its support community is less responsive than Keycloak's.
3. Special mention: FusionAuth
As the last of our top 3, we chose FusionAuth for its SSO and strong authentication functionalities, as well as its customisable theme. Its group model is useful: users can be placed in groups carrying different levels of access.
Although the open-source version is fairly rich, the "Enterprise" or "Premium" editions are needed for more functionality. FusionAuth is fairly limited in authentication methods beyond a password; in particular, its one-time code sent by SMS is only as secure as the SMS channel, which is exposed to interception and SIM swapping, so it should not be relied on as a strong second factor.
In all cases, the choice of an IAM solution will of course depend on your in-house needs. Although there are paid-for solutions, the free, open-source Keycloak does cover all the criteria we selected for our study.