Open Source SSO Solutions
By Said El Hachemy
September 24, 2021
User authentication is one of the services that every website or online business should offer. Regardless of the implementation, the authentication must be safe and secure. Users could be authenticated by using credentials such as email, password or phone number. Yet, this diversity of credentials could result in inconvenience and is susceptible to malicious entities. While some closed-source authentication methods are easier to use than others and offer better security and privacy, other solutions offer the same quality of service but are also open-source to the public, and are available for implementation and improvement. Among the different types of authentication that have many advantages is Single Sign-On (SSO).
SSO, like any other authentication method, is used to verify the legitimacy of users. What sets SSO apart from other types of authentication, is that users only have to use a single credential or set of credentials to access multiple applications. To make better use of SSO’s advantages, the credential doesn’t have to be something complicated like a password or a username. It could simply be an email or a phone number.
The working behind SSO is based on the tokens and certificates exchanged between the involved parties. These features are what makes SSO fast, userfriendly, convenient and efficient. They are also the reason why many authentication platforms have implemented their SSO such as Auth0, humanID and others.
Although SSOs are known to be very efficient and robust authentication solutions, they come at higher costs compared to usual methods such as email or Fcebook login, especially when these solutions are closed-source. These are some of the reasons for the invention of solutions that are free to implement, available with no restriction, and have a big community behind them, which are called open-source solutions.
Open Source vs Closed Source
Open source is a term referring to a product that is available for inspection and modification by all users to better suit an application’s needs. These products are accessible to the public user with no restrictions and are created without intentions of making profit. On the other hand, the counterpart of open-source services are closed-source or proprietary services. Closed-source services can only be modified by their creators and cannot be accessed without a certain license agreement. Although open-source products also have their licenses, they are a lot less demanding than the legal terms of closed source products. Hence, closed source services could oblige users to offer part of their privacy and freedom when using the product.
Open-Source SSO Solutions
There are many SSO solutions such as Authelia, WSO2, FusionAuth and Auth0. Some are offering free and paid versions, while others guarantee the quality of services they offer. But, not all of them are trustworthy since they might share user data with third parties or other services for profit. Open-source solutions cannot usually make profit off of their service, making them more trustworthy and secure. Here are some of the known open source solutions:
- Gluu: Offers multiple services aside from SSO such as two-factor authentication, API access management using access tokens, user management, mobile and web authentication. Aside from the paid option, Gluu offers a free option for users, which allows access to the forum for support from fellow users. The standard protocols on which Gluu is based are OpenID Connect, OAuth 2.0, FIDO, SAML 2.0, LDAP and others.
- IdentityServer: Uses OpenID Connect and OAuth 2.0, and supports multiple development frameworks such as .NET and .NET Core. IdentityServer can be used on both mobile and web applications. As IdentityServer is developed using free open source software, its source code is also available on GitHub for inspection and further improvements by any contributor.
- Keycloak: Is a lightweight and scalable solution that offers SSO to multiple applications at once. Keycloak is based on OpenID Connect, OAuth 2.0 and SAML 2.0, but also offers user management using LDAP and Active Directory. This solution is easier to use as there is no need to change your application’s code in the case of adding a new social network login. For the full list of features and documentation, Keycloak is available on GitHub.
- humanID: Is an anonymous, bot-resistant authentication solution. humanID offers user privacy and security of data as it uses hashing to encrypt credentials. The technology is user-friendly and quick as it uses the phone number instead of passwords and captchas. There are many platforms and frameworks on which humanID could be deployed including Android, Web, IOS, Flutter, Golang, and React. The documentation for developing on every one of these platforms is available on GitHub or humanID’s page for developers. humanID is a non-profit organization as it believes that the trust of users is of utmost importance, which is why user data is always secure, anonymous, and never shared with third parties.
As more and more businesses add new services to their websites, users are bound to create new accounts to access and utilize these services. Authenticating the massive number of users efficiently for every service is going to be challenging even for big companies. This calls for faster, secure, and efficient ways of user authentication. Since SSO offers these features and more, what remains is the vision to keep the user privacy intact either from hackers and malicious entities, or from sharing user data with third parties. As mentioned before, humanID is one of the platforms that has this vision, and aims to support user privacy above all else for a better user experience on the internet.