IDM Europe 2018: WSO2 Identity Server vs. Keycloak (Dmitry Kann)
Summary
TL;DR: The speaker, an American freelance full-stack developer, discusses identity servers, focusing on Keycloak and WSO2 Identity Server. They compare features like user management, single sign-on, identity federation, provisioning, and multi-step authentication. Keycloak is praised for its ease of use and cost-effectiveness, while WSO2 is recognized for its extensive functionality, suitable for complex application landscapes.
Takeaways
- The speaker is an American freelance full-stack developer who operates a sole proprietorship company and has experience with identity solutions, particularly in the Netherlands.
- The concept of an identity server is introduced as a centralized way to manage users, roles, and permissions across multiple applications within an organization.
- The script explains the necessity for identity servers to implement various protocols and comply with regulations such as GDPR for data privacy and security.
- Two open-source identity server solutions are highlighted: Keycloak and WSO2 Identity Server, both widely adopted for enterprise identity management.
- Keycloak was first released in 2014, while WSO2 Identity Server has been around since 2008, indicating a longer track record for WSO2.
- Both Keycloak and WSO2 Identity Server are distributed under the Apache License 2.0, allowing for commercial use and redistribution.
- Both solutions are written in Java and require middleware, with Keycloak using WildFly and WSO2 using WSO2 Carbon.
- Commercial support for Keycloak is available through Red Hat's product called RH-SSO, starting at $8,000 per year, while WSO2 offers support for its identity server at approximately €20,000 per year.
- Keycloak can be easily tried out with a single Docker command, whereas WSO2 Identity Server requires downloading a binary package for installation.
- The script compares functionalities of both identity servers, such as user management, single sign-on support, attribute mapping, identity federation, and multi-factor authentication.
- The conclusion suggests that Keycloak is easier to configure with a more modern UI and cheaper commercial support, making it suitable for less complex application landscapes, whereas WSO2 offers more comprehensive functionality at a higher cost, suitable for diverse and complex environments.
Q & A
What is the speaker's profession and the nature of their current work?
-The speaker is an American freelance full-stack developer who runs a sole proprietorship company called 'solutions' and is currently working in the Netherlands at Paul Way.
What is the speaker's experience with the product of WSO2?
-The speaker has experience with WSO2 from a previous client, which was one of the Dutch ministries. The product was popular with the Dutch government.
What is the concept of an identity server according to the speaker?
-An identity server is a system that allows for the centralized management of users and roles within an organization, handling authentication and login requests, and ideally managing permissions and role changes as people move within the organization.
What are the two major single sign-on protocols mentioned in the script?
-The two major single sign-on protocols mentioned are SAML2 and OpenID Connect.
How does the speaker describe the compliance requirements for an identity server?
-The speaker mentions that an identity server must comply with regulations such as GDPR in Europe and other local legislations, manage user consent regarding terms and conditions, and be auditable due to its role in granting access to critical infrastructure.
What are the two open-source projects for identity management mentioned by the speaker?
-The two open-source projects mentioned are Keycloak and WSO2 Identity Server.
What are the basic differences between Keycloak and WSO2 Identity Server in terms of development and licensing?
-Keycloak is developed by JBoss, a division of Red Hat, and was first released in 2014. WSO2 Identity Server is developed by WSO2 and was first released in 2008. Both are distributed under the Apache License 2.0, which is permissive and allows for commercial use.
What is the difference in commercial support options for Keycloak and WSO2 Identity Server?
-Keycloak has a community version that does not get patches, with commercial support available for a paid Red Hat product called RH-SSO starting at $8,000 per year. WSO2 offers a product specifically for the identity server at about 20k euros per year, which includes updates and incident support, with the community version also not receiving patches.
How does the speaker compare the ease of installation and configuration between Keycloak and WSO2 Identity Server?
-The speaker states that Keycloak is easier to install and configure, requiring only a single Docker command for trial. In contrast, WSO2 Identity Server does not have public Docker registries but can be downloaded and installed from a binary package, which is not as straightforward.
What is the speaker's recommendation based on the complexity of the application landscape?
-The speaker recommends choosing WSO2 Identity Server for a diverse and complex application landscape due to its extensive functionality, while suggesting Keycloak for simpler scenarios due to its ease of use and lower cost of commercial support.
Outlines
Introduction to Identity Management and Identity Server Concepts
The speaker, an American freelance full-stack developer, introduces the concept of identity management within organizations, explaining the complexities of managing users, roles, and permissions across multiple applications. They highlight the utility of an identity server in centralizing these management tasks and mention their experience with such a product in the Dutch government. The paragraph also outlines the technical protocols and compliance issues that an identity server must handle, such as single sign-on, multi-step authentication, GDPR, and user consent management. The speaker sets the stage for a comparison between two open-source identity management solutions: Keycloak and WSO2 Identity Server.
Comparing Keycloak and WSO2: Basics and Support Options
This paragraph delves into the basic differences between Keycloak and WSO2 Identity Server, including their development backgrounds, release years, and licensing. Keycloak, developed by JBoss (a division of Red Hat), and WSO2 Identity Server, both offer community and commercial support options, with Keycloak requiring a paid subscription for support and WSO2 offering a more costly annual subscription that includes updates and incident support. The speaker also discusses the ease of trying out these solutions, with Keycloak being more accessible through a Docker command, while WSO2 requires downloading and installing a binary package.
Detailed Feature Comparison: User Management, SSO, and More
The speaker provides a detailed comparison of Keycloak and WSO2 Identity Server features. They cover user and role management, user stores, single sign-on capabilities, attribute mapping, identity federation, and user provisioning. Both solutions support essential identity management features, but WSO2 offers more flexibility in certain areas, such as configuring external identity providers and user provisioning. The paragraph also touches on multi-tenancy support, one-time passwords, and multi-step authentication, noting that while both support time-based passwords, WSO2 provides additional options like sending passwords via SMS or email and has more complex but flexible multi-step authentication flows.
Conclusion: Choosing Between Keycloak and WSO2
In the conclusion, the speaker summarizes the comparison and offers guidance on choosing between Keycloak and WSO2 Identity Server. They suggest that Keycloak is easier to configure with a more user-friendly interface and is cheaper in terms of commercial support, making it suitable for less complex application landscapes. On the other hand, WSO2 is recommended for more diverse and complex environments due to its extensive functionality, despite its higher cost and complexity. The speaker thanks the audience for their attention, wrapping up the presentation.
Keywords
Freelance Developer
Identity Server
Role Management
Single Sign-On (SSO)
OpenID Connect
GDPR
Keycloak
WSO2
User Store
Multi-Tenancy
Multi-Step Authentication
Highlights
Introduction of the speaker's background as an American freelance full-stack developer.
Experience with a product popular with the Dutch government using identity management.
Explanation of the concept of an identity server and its importance in managing users and roles centrally.
Identity server's role in handling authentication and login requests.
Technical requirements for identity servers, including implementing various protocols.
Compliance with regulations like GDPR and local legislation for identity management.
Importance of auditability in identity management for security and infrastructure access.
Overview of two open-source identity management solutions: Keycloak and WSO2.
Comparison of Keycloak and WSO2 in terms of development, licensing, and support.
Ease of setup for Keycloak using a single Docker command.
WSO2's more complex installation process and lack of public Docker registries.
Comparison of user and role management capabilities in Keycloak and WSO2.
Discussion on user stores and persistence options in both identity servers.
Single sign-on support and terminology differences between Keycloak and WSO2.
Attribute mapping for diverse applications in identity management.
Identity Federation and support for external identity providers in both solutions.
Identity provisioning options and support for inbound and outbound provisioning in WSO2.
Multi-tenancy support and its role in implementing cost-effective identity server setups.
One-time password support and security enhancements in both identity servers.
Multi-step authentication flexibility and complexity in WSO2 compared to Keycloak.
Summary and recommendation on choosing between Keycloak for simpler needs and WSO2 for complex application landscapes.
Transcripts
Ladies and gentlemen. American freelance full-stack developer; into solutions is basically my sole proprietorship company, and currently working at Netherlands Paul way which is natural ways. I have quite some experience with the product of WSO2 from my previous client, which was one of Dutch ministries, and this product is popular with Dutch government. So yeah, let's first start with the concept of an identity server. Who is here familiar with this term? Okay, so not much, yeah. For the rest I would explain it in a very deep in the Annika way: it's imaginary of a bunch of users in the organization and you have multitude of applications, most of which you didn't develop, and you need to link ones to the others. And well, you can imagine that it involves a lot of things like role management, permission management, people moving in and out of your organisation, people move into different department which also imposes their permissions, and you want ideally to manage this all centrally. So this is exactly when an identity server comes in handy. Well, that's exactly the thing that allows you to manage the list of people, users and roles in a centralized way. It also takes over authentication requests and login requests, so providing some kind of user interface for logging in and for other things which we will all see later. And well, I can assure that it entails a lot of things, so you can expect that such a component would need to implement a bunch of protocols. On a technical side, all the things on the left: you have two major single sign-on protocols like SAML2 and OpenID Connect, you have things like one-time passwords, multi-step authentication, you need to integrate probably with other identity providers. But at the same time you also need to comply with the things on the right, so the infamous GDPR which came into effect recently in Europe; in other territories you need to comply with local legislation as well; you need to manage user consents to things like terms and conditions; and this whole thing needs to be auditable as well, because we are giving people access to some critical parts of your infrastructure. And that's not all, because it also needs to implement some useful functionality for users like resetting forgotten passwords, periodic password change, account administration and so on.

So yeah, if you think of it, it's an enormous task, but there's good news: you have two options for just reusing, which again you can choose from, just pick it up, and two open source projects, which are Keycloak and WSO2 Identity Server, widely adopted enterprise-grade identity management solutions. So let's have a closer look at them. Let's start off with some basic information about these two products. Keycloak is currently being developed by JBoss, which is a division of Red Hat, and WSO2 Identity Server is being developed by, well, WSO2. Both are American corporations. Keycloak's first release is of 2014, which is a bit younger than WSO2 from 2008, that's at least the information I managed to find. Both are redistributed under the terms of Apache License 2.0, which is pretty unrestrictive and allows for commercial use. Both are written in Java and both run on some middleware, which is WildFly in case of Keycloak or WSO2 Carbon in case of the Identity Server. If you plan to use software for a business you will definitely consider the commercial support option, and well, the thing is, Keycloak is a community version of a paid Red Hat product called RH-SSO, and you can only get commercial support for that one. The prices start at eight thousand dollars per year and the community version never gets patched, unfortunately. For WSO2 you can buy product just for the identity server, but it is a bit more costly, about 20k euros per year, which will give updates and incident support; otherwise the community version doesn't get patches either. And if you're interested in trying these things out, it's extremely easy, in terms of if you want to try Keycloak out you just need a single Docker command, which is on the screen. For WSO2, unfortunately, you don't find public Docker registries, but you can download the binary package and install it, which is not that difficult either.

So the rest of my presentation will be comparing functionality one by one on the topics displayed here. That's the ones that I picked, yeah, just the very basics of it. And let's start. Users and roles: it's a fundamental concept to identity and obviously it's well supported by both of them. Keycloak also has the notion of groups, which allow you to assign attributes to multiple users. Next one up is user stores. A user store is a component that allows you to persist users and roles, and both servers out-of-the-box are configured to use the embedded H2 database, but they both discourage you from using that in production. Keycloak offers only one persistence option and a single data source; WSO2 allows you to configure as many data sources as you like, and you can mix and match basically various units such as LDAP or even another identity server for persistence. Single sign-on: that's one of the main reasons probably you want an identity server, because it allows user to authenticate only once and get access to multiple applications relying on it. Both SSO protocols are well supported by these two products, however there is some terminology difference: Keycloak calls the relying applications clients, and WSO2 calls them service providers. That's essentially the same thing. Attribute mapping: that is something that you would need if you have diverse applications, because different applications call the same things differently, like last name, surname, so for that purpose you might want to map some user attributes to different entities, and it's all supported by both of them. Identity federation is a slightly more complex topic. It means relying on another identity provider, for example another identity server, for authenticating your users. So we are all familiar with things like social login via Facebook or Twitter; that's exactly identity federation. Both servers do support external identity providers, including social ones, but WSO2 allows you to configure them in a slightly more flexible way, per application. Identity provisioning, next one up. In simple terms, identity provisioning means creating users on the fly as they are authenticated, and it comes in two flavors, it's either inbound or outbound: inbound meaning you create users locally after they're authenticated externally, outbound meaning you create users elsewhere after they're authenticated locally. Keycloak only supports the first flavor and WSO2 supports both variants of user provisioning; you can configure this per application, and it also has support for the SCIM protocol, which is System for Cross-domain Identity Management. Multi-tenancy: multi-tenancy is a bit controversial way of creating virtual identity servers within a single server instance, while the main reason why you would want to have such setup is cheaper implementation. Both servers do support this mechanism, although Keycloak calls them realms and WSO2 calls them tenants. Keycloak also allows you to a bit more easily manage your different tenants, because with WSO2 you need to log in as a tenant admin every time you need to make changes to that tenant. Next one up is one-time passwords. It's a well-known security enhancement that you can implement, and it's often a part of a multi-step authentication flow, which I will show in the next slide. Both servers support time-based passwords, however WSO2 does not support counter-based passwords. Both support Google Authenticator, which is basically a standard time-based password implementation, and WSO2 also allows you to send the generated passwords via SMS or email. And the next building block, the last building block basically, that's multi-step authentication. Multi-step authentication is used for two purposes: it's either enhancing security, just like the one-time passwords as I just mentioned, or you can impose specific actions on the user, such as password update after the user logs in. So the multi-step authentication of Keycloak is a bit limited: the only security enforcement here is one-time password, and the rest is just a set of some predefined actions that you can mandate the user to execute. And the flows in WSO2 are extremely flexible, so you can basically cook up any imaginable sequence of steps, but it comes at the price of some complexity.

So yeah, let's summarize what we've seen so far. My conclusion says that Keycloak is a bit easier to configure, it's a bit more user-friendly and has more modern UI; it's also cheaper in terms of commercial support. WSO2 is much more involved in terms of installation and configuration, requires much more knowledge to be able to do things properly, it's quite pricey, and well, I believe it can offer just about anything in terms of functionality. So if your application landscape is very diverse and complex I would choose the WSO2 product, and otherwise I would just go with Keycloak. Yeah, so that's about it. Thank you for attention.
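Added illustration of the two one-time password flavours the talk contrasts (time-based, which Google Authenticator implements, versus counter-based); this is example code written for this page, not code from the talk or from either product. It implements RFC 4226 HOTP and RFC 6238 TOTP with the defaults Google Authenticator uses, checks them against the RFCs' published test vectors, and shows the server-side verification that makes the two flavours behave differently; the function names and window sizes are my own choices.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Counter-based OTP (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. SHA-1, 30 s and 6 digits are the Google
    Authenticator defaults, which is why the talk calls it a standard TOTP."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current interval or up to `window` intervals on
    either side, absorbing clock drift between server and phone. The comparison
    is constant-time so the check does not leak how many digits matched."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10):
    """Counter-based verification: the server stores the last accepted counter
    and only accepts codes strictly ahead of it, so a captured code cannot be
    replayed. Returns the counter to persist, or None when nothing matched."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return counter
    return None
```

Note that `verify_hotp` must persist the returned counter before telling the user the login succeeded, otherwise the same code is accepted twice.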