26 Oct 2014

The Open (Source) Identity Stack

Written by ilgrosso


At Tirasa we have been working on Identity and Access Management for many years now: as consultancy agency for 3rd party proprietary products (especially in the past) and, much more during the last three years, as community builders and contributors for Apache Syncope and ConnId.

We have been building our experience in this IAM world by working for customers different by size, expertise, complexity, involvement and nationality, and this led us to select a restrict toolset of components that are suited to work well together when you need to conceive, design, build and maintain someone's identity infrastructure.


What is required for a IAM component to fit into this identity stack? It needs to be:

  • Implementing open standard
    Interoperability is by far the most important requirement.
  • Designed for integration
    Building a IAM solution when some of the building blocks need heavy tweaks to change its default behavior is simply not feasible.
  • Open Source
    No source availability means harder troubleshooting and less security; enterprise / premium versions (nearly) lead to vendor lock-in, as for proprietary software.
  • Well-established
    It needs to have been around for some time, otherwise it would be hard to collect any support via your preferred search engine.
  • Supported
    IAM is for complex enterprise environments, so professional support and maintenance are required.
  • Alive
    How much old is latest release available? How much traffic on the project mailing list(s)? Are there signs of a community?


Let's borrow some very good definitions from midPoint's wiki; IAM components can be either:

  1. Identity Store: where user accounts and groups are effectively stored (LDAP, Active Directory, relational database, ...)
  2. Provisioning Engine: keeps account data synchronized across identity stores and a wide range of data formats, models, meanings and purposes
  3. Access Manager: enforces security constraints when users access specific systems or functionalities (Single SignOn, federation, authorization, ...) 

The stack(s)

You might have heard of the "Open Identity Stack": here's some real Open Source alternatives.

Alongside with main choice, for each category one or more alternatives are provided that, while still satisfying the requirements above, have proven to be less suitable - with the noticeable exception of Apache Syncope, of course: why should one look for alternatives? (DISCLAIMER: my company provides enterprise support for Apache Syncope).

Access Manager: CAS

The de-facto standard for Open Source access management, with wide usage all over the world.

Keywords: Authentication, Authorization, Federation, Entitlements, SSO, OAuth 2.0, SAML 2.0

Alternatives: Apache CXF Fediz, Gluu server

Provisioning Engine: Apache Syncope

Community-driven identity manager at The Apache Software Foundation.

Keywords: Workflow, Password Management, Roles, Synchronization, Connectors, Audit, Report

Alternative: Evolveum midPoint

Identity Store: 389

Latest evolution of one of the most deployed, fast and reliable LDAP services.

Keywords: LDAP, Replica

Alternatives: Apache DS, OpenLDAP


« Return