
For a 1-day project (call it a hackathon) we will be looking into replacing a custom-built authentication and authorization system with one that we can buy. After all, there are people who are better at this stuff than we are.

  • Non-cloud: a hard requirement is that on-premise installation is possible
  • Can authenticate against Active Directory using LDAP
  • Can authenticate using SAML against ADFS
  • Management of users, roles, etc. without a directory is an option (most likely the option to actually use during the hackathon)
  • Uses open standards: SAML, OpenID, OAuth2

There are so many SAML-based products, but many are cloud-only, which unfortunately for us is not an option (reason: our products run on closed enterprise networks), so services like Okta are unfortunately not an option :(

The following list is quite complete, but doesn't give me any indication of how hard it is to install and get up and running in a few hours:

https://en.wikipedia.org/wiki/SAML-based_products_and_services

Any suggestions for products to try?

My eye caught these ones: miniOrange, Ping Identity, 10duke

[addition] I am using a Java stack for web apps.

Bossk
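The second requirement above (authenticate against Active Directory over LDAP) is the one most teams end up writing themselves even after buying an IdP, and it has two classic defects: an empty password is treated by the directory as an unauthenticated bind and reports success, and unescaped usernames let a caller rewrite the search filter. The following Python is an added example, not code from the question or any answer (and not the asker's Java stack); it shows the service-account-search-then-user-bind pattern with both checks in front of it. The directory, the `search_user_dn` and `simple_bind` callables and all account data are constructed stand-ins so the block runs offline; a real deployment would pass in an LDAPS client's search and bind.

```python
"""Guard rails for password checks against Active Directory over LDAP.

Added example (not from the question or any answer): it shows the two-step
"search the user's DN, then simple-bind as that DN" pattern and the two
checks a practitioner wants in front of it. The directory below is a
constructed in-memory stand-in for AD so the example runs offline; the
search/bind callables are assumed interfaces, not a real LDAP client.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# RFC 4515: the only characters that must be escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    s = "".join(
        r"\00" if ch == "\0" else ("\\" + ch if ch in ',+"\\<>;' else ch)
        for ch in value
    )
    if s.endswith(" "):              # a trailing space must be escaped
        s = s[:-1] + "\\ "
    if s.startswith(("#", " ")):     # a leading '#' or space must be escaped
        s = "\\" + s
    return s


class LdapAuthError(Exception):
    """Authentication refused; the message says why (log it, do not show it)."""


def authenticate(username: str, password: str,
                 search_user_dn: Callable[[str], Optional[str]],
                 simple_bind: Callable[[str, str], bool]) -> str:
    """Return the user's DN if the password is correct, else raise LdapAuthError.

    search_user_dn(filter) is assumed to run as a service account and return
    the single matching DN or None; simple_bind(dn, password) is assumed to
    return True when the directory accepts the bind.
    """
    # Check 1: RFC 4513 defines a simple bind with an empty password as an
    # *unauthenticated* bind, and AD accepts those by default. Without this
    # check any valid username plus a blank password would "log in".
    if not password:
        raise LdapAuthError("empty password refused (would be an unauthenticated bind)")
    # Check 2: escape before building the filter so a crafted username such as
    # 'alice)(|(sAMAccountName=*' cannot change the filter's structure.
    ldap_filter = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"
    dn = search_user_dn(ldap_filter)
    if dn is None:
        raise LdapAuthError("unknown user")
    if not simple_bind(dn, password):
        raise LdapAuthError("bad password")
    return dn


def check_login(username: str, password: str) -> Tuple[bool, str]:
    """Convenience wrapper over the fake directory: (ok, dn-or-reason)."""
    try:
        return True, authenticate(username, password, fake_search_user_dn, fake_simple_bind)
    except LdapAuthError as exc:
        return False, str(exc)


# Constructed fake directory standing in for AD (sample data, not real accounts)
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"dn": "CN=Alice Smith,OU=Users,DC=corp,DC=example", "password": "correct horse"},
    "bob":   {"dn": "CN=Bob Jones,OU=Users,DC=corp,DC=example",  "password": "hunter2"},
}

_FILTER_PREFIX = "(&(objectClass=user)(sAMAccountName="


def fake_search_user_dn(ldap_filter: str) -> Optional[str]:
    """Mimic the service-account search: decode \\XX escapes like a real server,
    then match the decoded value literally against sAMAccountName."""
    if not (ldap_filter.startswith(_FILTER_PREFIX) and ldap_filter.endswith("))")):
        return None
    raw = ldap_filter[len(_FILTER_PREFIX):-2]
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    entry = FAKE_DIRECTORY.get(value)
    return entry["dn"] if entry else None


def fake_simple_bind(dn: str, password: str) -> bool:
    """Mimic AD's simple bind, including its default acceptance of an empty
    password as an unauthenticated bind, which is exactly what check 1 in
    authenticate() exists to prevent."""
    if password == "":
        return True
    for entry in FAKE_DIRECTORY.values():
        if entry["dn"].lower() == dn.lower():
            return entry["password"] == password
    return False


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", ""), ("alice)(|(sAMAccountName=*", "x")]:
        print(user, "->", check_login(user, pw))
```

The fake bind deliberately returns success for an empty password because that is what a default AD does; the point of the example is that `authenticate()` never lets such a bind happen. Whatever product you pick for the hackathon, it is worth confirming it applies the same two checks to its own LDAP connector.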

3 Answers


The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides instructions on building a SAML-based authentication/authorization provider using Shibboleth SAML IdP and OpenLDAP.

  • Shibboleth SAML IdP is responsible for identity federation.

  • OpenLDAP is responsible for identity authentication.

I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.

  • Microsoft Office 365
  • Google G Suite
  • Salesforce
  • Dropbox
  • Box
  • Amazon AWS
  • OpenStack
  • Citrix NetScaler
  • VMware vCloud Director
  • Oracle NetSuite

Another Stack Overflow question, "Setting up a new Shibboleth IdP to work with an existing SAML SP", discusses the SAML configuration between IdP and SP.

winstonhong

OpenLDAP is not OpenID Connect or OAuth 2.0

Have a look at identityserver4.

It's OpenID Connect / OAuth2 by design and it does have a plug-in SAML stack.

Or if you have a Windows server, use ADFS.

rbrayb

FOSS: Shibboleth or Keycloak

The definition of 'closed' (network) might be interesting to examine. No access to outside at all, not on any port, noway/nohow? In that case, yes, you want an on-prem service. If there's gated access to outside, it's likely that many hosted identity services could work.

identigral