Identity and Access Management (IAM) is a collective term that covers user identities, rules, authentication management software, and access management policies and protocols.
IAM is a necessary requirement for today's enterprise, especially since it has proven to answer many security issues and to ease the integration of multiple systems.
Basically, IAM is responsible for identities, authentication and authorization.
Let's break down the IAM components:
- A data store that holds identities and access privileges.
- IAM software that manages identities and controls and monitors access privileges.
- Management and auditing of authentication and authorization.
The IAM framework ensures that the right person accesses the right resources with the right privileges to perform the right task at the right time. A resource could be a server, a web application, a piece of hardware, a mobile app, or any other IT asset.
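To make the three responsibilities concrete, here is an added example (not code from the post or from any product it lists) of a toy, in-memory IAM service: an identity store that keeps only salted password hashes, an authentication step, a role-based authorization step with default deny, and the centralized audit trail the component list mentions. The usernames, roles, resource names and the policy table are all constructed for illustration.

```python
# Added example (not from the post or any product it lists): a toy, in-memory
# model of identities, authentication, authorization and a central audit trail.
# All usernames, roles, resources and the policy table are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # work factor for the password hash


@dataclass
class Identity:
    """One record in the identity store; only a salted hash of the password is kept."""
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)
    active: bool = True


# Access policy: (role, resource type, action) tuples that are allowed.
# Anything not listed is denied (default deny).
POLICY = {
    ("admin", "server", "read"),
    ("admin", "server", "restart"),
    ("developer", "server", "read"),
    ("hr", "employee-record", "read"),
    ("hr", "employee-record", "update"),
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IAM:
    """Central IAM service: identity store + authentication + authorization + audit."""

    def __init__(self):
        self.identities = {}
        self.audit_log = []

    def _audit(self, event, username, resource=None, action=None, outcome=None):
        self.audit_log.append({"event": event, "user": username,
                               "resource": resource, "action": action,
                               "outcome": outcome})

    # --- identities: provisioning and deprovisioning ---
    def provision(self, username, password, roles):
        salt = os.urandom(16)
        self.identities[username] = Identity(
            username, salt, _hash_password(password, salt), set(roles))
        self._audit("provision", username, outcome=True)

    def deprovision(self, username):
        # Disable rather than delete, so audit records keep pointing at a known identity.
        self.identities[username].active = False
        self._audit("deprovision", username, outcome=True)

    # --- authentication ---
    def authenticate(self, username, password):
        ident = self.identities.get(username)
        if ident is None or not ident.active:
            # Do the same hashing work for unknown or disabled users so that
            # response time does not reveal which usernames exist.
            _hash_password(password, b"\x00" * 16)
            self._audit("authenticate", username, outcome=False)
            return False
        ok = hmac.compare_digest(ident.pw_hash, _hash_password(password, ident.salt))
        self._audit("authenticate", username, outcome=ok)
        return ok

    # --- authorization: role-based, default deny ---
    def authorize(self, username, resource, action):
        ident = self.identities.get(username)
        allowed = (ident is not None and ident.active and
                   any((r, resource, action) in POLICY for r in ident.roles))
        self._audit("authorize", username, resource, action, allowed)
        return allowed


def demo():
    """Walk through the lifecycle and return every decision so it can be checked."""
    iam = IAM()
    iam.provision("alice", "correct horse battery staple", ["admin"])
    iam.provision("bob", "hunter2", ["developer"])
    results = {
        "alice_login_ok": iam.authenticate("alice", "correct horse battery staple"),
        "alice_login_bad": iam.authenticate("alice", "wrong"),
        "unknown_login": iam.authenticate("mallory", "x"),
        "bob_read_server": iam.authorize("bob", "server", "read"),
        "bob_restart_server": iam.authorize("bob", "server", "restart"),
        "alice_restart_server": iam.authorize("alice", "server", "restart"),
    }
    iam.deprovision("bob")  # offboarding: access must stop immediately
    results["bob_after_offboarding"] = iam.authorize("bob", "server", "read")
    results["bob_login_after_offboarding"] = iam.authenticate("bob", "hunter2")
    results["audit_events"] = len(iam.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the walk-through is the single place where every decision is recorded: because provisioning, login, access checks and offboarding all go through one service, the audit log lists each of them, and disabling an identity cuts off both authentication and authorization at once.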
Benefits of using an IAM system in the enterprise:
- Single access to all enterprise resources (SSO)
- Enhanced centralized privilege management: The right person in the right area.
- Enhanced centralized security
- A single data source for HR (Human Resources)
- Centralized auditing and logging
- Easy to manage privileges for enterprise employees
- Easy to integrate with other enterprise software and mobile applications
- Avoid overlapping accounts across enterprise systems
- Audit, track, monitor and report user activities
- Better compliance
Why use open-source?
- Source code access
- Community supported
- Faster implementation
- Extensible and ready to scale
- Better involvement of the enterprise IT team
- Avoid vendor lock-in
The reason behind writing this post is to provide open-source alternatives to commercial IAM solutions. But the main trigger was that, as we are providing consultation for some enterprise clients about some open-source IAM solutions, we decided to share some of our findings to empower and enrich the open-source community.
Open source Identity and Access Management System for the Enterprise
- Open Identity Platform
Open Identity Platform is a complete ecosystem of IAM solutions for the enterprise.
The project is composed of several sub-projects:
a. OpenAM: Open Access Management
b. OpenDJ: An LDAPv3 compliant directory based on Java technologies
c. OpenIG: Open Identity Gateway. A proxy server designed for session management
d. OpenIDM: It's a libre open identity and access management solution.
e. OpenICF (Open Identity Connector Framework): a connector framework that acts as a bridge between identity management and auditing/security management.
All projects under the Open Identity Platform are released under an open-source license on GitHub.
- Keycloak
Keycloak is a Red Hat-sponsored Identity and Access Management (IAM) solution. It's a feature-rich project, which makes it enterprise-ready.
Keycloak supports SSO (Single Sign-On), several protocols such as OpenID Connect, OAuth 2.0 and SAML 2.0, social media login, and LDAP and Active Directory integration. It also supports custom password policies.
It's designed to be extensible, so new custom functionality can be added with the help of an experienced developer. Keycloak comes with well-written documentation and a community that grows day after day.
Keycloak is the best solution for managing identities, user privileges and policies for several web and mobile applications at the same time, because it was designed to scale.
- Apache Syncope
Apache Syncope is a cross-platform solution for managing digital identities in the enterprise. It's built on Java and, as an Apache Software Foundation project, it's released under the Apache 2.0 license.
Apache Syncope offers complete control over the identity management process, which includes provisioning, auditing, reporting, administration, policy management, password management and password policy management. It comes with a rich REST API.
- FusionAuth
FusionAuth is a complete multi-platform IAM solution that provides authentication, authorization and user management, packed with several auditing, reporting and provisioning tools.
It's an open-source project that is available to download, install and use for free. It has a supportive community with a steadily growing number of developers and enterprise users.
It can be installed on Linux, macOS, Windows, or by using Docker.
FusionAuth offers commercial support plans with its enterprise edition, which includes more enterprise features. The FusionAuth company also provides cloud hosting plans under FusionAuth Cloud that start from $75/month.
Note that FusionAuth is still getting new features day by day like threat detection.
- Aerobase IAM Server
Aerobase is an IAM solution that is essentially forked from Keycloak and some other open-source projects, with more features added.
It was forged as a new IAM framework to support microservices and to extend access control functionality and privacy regulation support.
The Aerobase server feature list includes Single Sign-On (SSO), social login, two-factor authentication, LDAP and Active Directory support, a customizable user interface, identity/access management and identity brokering.
It supports OpenID Connect, OAuth 2.0 and SAML 2.0.
- midPoint Evolveum
midPoint Evolveum is a complete open-source ecosystem for identity and access management. It's by far the most GDPR-ready solution on this list.
Alongside features that resemble those of most solutions on this list, it focuses on how data is processed and audited, and provides data rectification and erasure options out of the box.
- OpenIAM
OpenIAM is an open-source enterprise IAM solution. It has a community edition and an enterprise edition that comes with professional commercial support.
OpenIAM features powerful web access control for identity management, applications, SSO (Single Sign-On), desktop SSO, API integration controls, two-factor/multi-factor authentication and role-based access control management.
It offers extra features like SSH key management, session management, a password vault and privileged account security.
It has custom extensions for healthcare, finance, education and insurance.
OpenIAM allows seamless integration with Microsoft Office 365, G Suite, ServiceNow and Salesforce.
Though it's a free project, it's not open-source, and it requires registration to download the community edition.
- Gluu
Gluu offers self-hosted IAM solutions that are built to scale. Their products are Gluu Server (an IAM solution), Gluu Gateway (an authentication and authorization solution for APIs and websites), Gluu Casa, Super Gluu (an IAM system built for mobile apps) and oxd (a client app to secure apps with OAuth and OpenID Connect).
Gluu is suited to dozens of web and mobile applications because of its ability to scale and cluster.
oxTrust is a web application from Gluu for managing authentication, authorization and users.
Super Gluu 2FA is a mobile authentication system for mobile users with the Gluu server in the backend. It's available for Android and iOS devices.
- ORY
ORY is a company with a specific focus on building open-source identity and authentication management systems. Their products are:
a. Kratos: user and identity management solution
b. Hydra: OAuth 2.0 and OpenID Certified® OpenID Connect server; secures access to your applications and APIs.
c. Oathkeeper: Identity and Access Proxy (IAP).
d. Keto: access control and permission management server.
ORY products are released as open-source solutions. They are easy to integrate and support many languages. They are written in Go, which ensures good performance and easy integration with web and mobile apps.
ORY charges for services and support plans, and offers an enterprise license that comes with support.
- FusionIAM
FusionIAM is our last pick here. It's a standards-compliant IAM system. It's also open-source software, released under the BSD license.
FusionIAM features several child projects with a primary focus on LDAP and Active Directory.
On deployment, FusionIAM features LDAP directory management, a web-based management interface, web services manager, authentication portal, access control management and synchronization connectors manager.
Here ends our list. We left out some IAM solutions because they don't fit our criteria. Note that almost all of these free enterprise IAM solutions come with paid services like support, installation, implementation, cloud hosting and custom development.
If you are a decision-maker in an enterprise, we recommend going slowly through each one that fits your requirements: install a few of them, experiment with your team, and compare the features and prices of each solution to find the best one for your enterprise.
Photo by fauxels from Pexels