Preamble:
Our Engineering Team leverages lot of Open Source Technologies when building production grade platform stack for internal use or for our partners. Before an Open Source Software makes it to the technology stack we do our due diligence by undertaking a trade study to determine the best fit, feature rich, ease of maintenance, community involvement, and user base among multiple similar projects.
In an era where web/tv/mobile applications dominate our daily lives, the need for a secure online access has become a biggest security concern that can no longer be ignored. Single Sign-On (SSO) technologies along with MFA (Multi-Factor Authentication) have emerged as secure solutions for simplifying the user experience and enhancing security. In this blog we will showcase some of the comparative study we undertake as a team in exploring the intricacies, functionalities, benefits, transformative impact, ease of use and maintenance when analyzing selected the best suited open source single sign-on technology. These following Open Source Projects have successfully made it to our shortlist for analysis:
- KeyCloak: a Cloud Native Computing Foundation incubation project (at the time of writing)
- Apereo CAS: from the Apereo Foundation
- Authelia: not a company, no affiliation to any type of incorporated entity
- Authentik: backed by Authentik Security Inc
- Zitadel: backed by Zitadel
Comparative Study:
KeyCloak vs. Apereo CAS vs. Authentik vs. Authelia vs. Zitadel
| Keycloak | Apereo CAS | Authentik | Authelia | Zitadel | |
| Open source | ✔ | ✔ | ✔ | ✔ | ✔ |
| Backed by | Cloud Native Computing Foundation | Apereo Foundation | Authentik Security Inc | No affiliation to any type of incorporated entity | Zitadel |
| Commercial support | third-party | third-party | Authentik Security Inc | third-party | Zitadel |
| License Type | Apache v2 | Apache v2 | Multi-layer licensing | Apache v2 | Apache v2 |
| Supported Standard Protocols | |||||
| Kerberos | ✔ | - | - | - | - |
| Radius | - | ✔ | ✔ | - | - |
| OpenID Connect | ✔ | ✔ | ✔ | ✔ | ✔ |
| OAuth 2.0 | ✔ | ✔ | ✔ | partial | ✔ |
| SAML 2.0 | ✔ | ✔ | ✔ | - | ✔ |
| Json Web Token (JWT) | ✔ | ✔ | ✔ | ✔ | ✔ |
| System for Cross-domain Identity Management (SCIM) | ✔ | ✔ | - | - | - |
| OpenID Connect Client Initiated Backchannel Authentication (CIBA) | ✔ | - | partial | - | - |
| OAuth 2.0 Pushed Authorization Requests (PAR) | ✔ | ✔ | - | ✔ | - |
| OAuth 2.0 Demonstrating Proof-of-Possession (dpop) | ✔ | ✔ | - | - | - |
| W3C Web Authentication (WebAuthn) | ✔ | ✔ | ✔ | ✔ | ✔ |
| Identity Brokering and Social Login | |||||
| Social Login | Supports login with Google, GitHub, Facebook, Twitter, and other social networks | Supports login with Google, GitHub, Facebook, Twitter, and other social networks | Supports login with Google, GitHub, Facebook, Twitter, and other social networks | Supports login with Google, GitHub, Facebook, Twitter, and other social networks | Supports login with Google, GitHub, Facebook, Twitter, and other social networks |
| Identity Brokering | OpenID Connect or SAML 2.0 IdPs | OpenID Connect or SAML 2.0 IdPs | OpenID Connect or SAML 2.0 IdPs | OpenID Connect | OpenID Connect or SAML 2.0 IdPs |
| User Federation | Built-in support to connect to existing LDAP or Active Directory servers. Supports also custom identity provider based on a relational database. | Built-in support to connect to existing LDAP or Active Directory servers. Supports WS-Federation built on top of Apache Fedix | Built-in support to connect to existing LDAP or Active Directory servers | - | Built-in support to connect to existing LDAP or Active Directory servers, and more |
| Authentication and Authorization | |||||
| Multi-factor authentication (MFA) | Supports OTP, TOTP, and HOTP via Google Authenticator, FreeOTP, Authy | Supports OTP, TOTP, and HOTP via Duo Security, YubiKey, RSA, Google Authenticator, WebAuthn, Authy and more | Supports SMS 2FA, OTP, TOTP, and WebAuthn | Supports OTP, TOTP, Mobile Push Notifications, and WebAuthn | Supports SMS 2FA, OTP, TOTP, Universal Second Factor (U2F), Email 2FA |
| Passkeys/Passwordless support | ✔ | ✔ | ✔ | - | ✔ |
| Built-in CORS support | ✔ | ✔ | partial | ✔ | ✔ |
| Session management | ✔ | ✔ | ✔ | ✔ | ✔ |
| Password policy enforcement | ✔ | ✔ | ✔ | ✔ | partial |
| Deployment and Scalability | |||||
| Middleware | Quarkus | Apache Tomcat, Jetty, Undertow | Python framework | Go Framework | Go Framework |
| Clustering for Scalability and High Availability | supported | supported | - | - | supported with CockroachDB cluster |
| Multi-site deployment | supported | - | - | - | supported |
| Multitenancy | supported through concept of Realms | - | - | - | ✔ |
| High Availability active-passive deployment | supported | supported | - | - | - |
| High Availability active-active deployment | supported with Kubernetes Operator | supported with multiple nodes or single node with multiple server processes | - | - | supported with CockroachDB cluster |
| Container image | Available on Quay.io | Available on Dockerhub | Dockerfile | Available on Dockerhub | Available on ghcr.io |
| Kubernetes Deployment | supported | supported | supported | supported | supported |
| Kubernetes Operator | Available at OperatorHub | - | - | - | - |
| Ansible Collection | Available on Github | - | - | - | - |
| Operating System support | Linux and Windows | Linux and Windows | Linux and Windows | Linux and Windows | Linux and Windows |
| User Interface | |||||
| Web UI | ✔ | ✔ | ✔ | ✔ | ✔ |
| Admin Management Interface | ✔ | ✔ | ✔ | partial | ✔ |
| User Account Management Interface | ✔ | ✔ | ✔ | - | ✔ |
| RESTful API Access | ✔ | ✔ | ✔ | ✔ | ✔ |
| Command Line Interface Access | ✔ | ✔ | - | ✔ | - |
| Customizable Theme | ✔ | ✔ | ✔ | partial | ✔ |
| Compliance | |||||
| SOC 2 Type II | - | - | - | - | - |
| ISO/IEC 27001 standard for information security management systems | - | - | - | - | ✔ |
| GDPR | partial | - | ✔ | - | ✔ |
| FIPS 140-2 Compliant | ✔ | - | - | - | ✔ |
| FAPI 2 (Financial API 2.0 Standard) | ✔ | - | - | - | - |
| Metrics, Auditing, Reporting | supported | supported | supported | supported | supported |
| Extensible | |||||
| Third Party Extension | List of available extensions | - | - | - | - |
Disclaimer:
The information for this comparison was first retrieved on November 27, 2023. The article was last updated on December 5, 2023.
Found this useful:
Follow our page on LinkedIn