uaa-keycloak-comparison.adoc

UAA vs Keycloak comparison

Table of Contents

• 1. Introduction
  • 1.1. Single-Sing On
  • 1.2. Standard Protocols
  • 1.3. Centralized Management
  • 1.4. Adapters
  • 1.5. LDAP and Active Directory
  • 1.6. Social Login
  • 1.7. Identity Brokering
  • 1.8. High Performance
  • 1.9. Clustering
  • 1.10. Themes
  • 1.11. Extensible
  • 1.12. Password Policies
• 2. Comparison table
• 3. References

This document tries to offer a comparison table between features that are available in CF UAA (version 4.28.0) and/or Keycloak (4.8.3.Final).

1. Introduction

When considering an SSO platform, we should analyze the following aspects/ requirements:

• Single-Sing On

• Standard Protocols

• Centralized Management

• Adapters

• LDAP and Active Directory

• Social Login

• Identity Brokering

• High Performance

• Clustering

• Themes

• Extensible

• Password Policies

1.1. Single-Sing On

Support for login once to multiple applications.

The platform also should support for Single-Sign Out, which means that it should have options to force the log out of a single user (or all users) of the system.

1.2. Standard Protocols

Use of standard protocols like OpenID Connect, OAuth 2.0 and SAML 2.0.

1.3. Centralized Management

Availability and features for admins and users.

The platform should offer features like:

• Determine how many active sessions our system currently has.

• Options to force the logout of a single user (or all users) of the system.

• Centralized password policy

• One time password (OTP) policies

• Authorization policies per resource or per scope

• Timed access policy (users or group of users can login only between certain time slots)

• JavaScript-Based policy

• Rule-Based policy

1.4. Adapters

Extensibility points to add secure applications and services easily.

The SSO platform should offer adapters (libraries that makes it very easy to secure applications and service) for the application platforms we use: Spring Boot and JavaScript.

1.5. LDAP and Active Directory

Facility to do integration with existing user directories.

The platform should support Kerberos logins and federate LDAP or Active Directory in just one configuration page.

1.6. Social Login

The platform should enable us to login using social networks like Google, Facebook, Twitter, GitHub, etc.

1.7. Identity Brokering

OpenID Connect and SAML 2.0 IdPs.

1.8. High Performance

Lightweight, fast and scalable.

1.9. Clustering

For scalability and availability.

1.10. Themes

Customize look and feel.

1.11. Extensible

Customize through code.

The platform should be extensible enabling we to write our own authenticator or federator. We should have options to integrate our own code that authenticate a user with SSL client certificate. Also, maybe we should integrate a user database from a legacy system and use it as an identity source.

1.12. Password Policies

Customize password policies.

2. Comparison table

Feature	Keycloak support, references and/or samples	UAA support, references and/or samples
Single Sign-On.	Yes. Refs: [KcDS]	Yes. Refs: [UaaDF]
Single Sign-Out.	Yes. Logout All Limitations: Any SSO cookies set will be invalid and clients that request authentication in active browser sessions will now have to re-login. Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.	Yes. Through OpenID Connect Session Management. Refs.: [UaaVA], [UaaGB]. Limitation: Single Logout only for Single Page Apps using implict flow.
OpenID Connect support.	Yes. Refs: [KcVC]	Yes. Refs: [UaaVA], 1
SAML support.	Yes. Refs: [KcDI]	Yes. Refs: [UaaVA]
Identity Brokering - Authenticate with external OpenID Connect or SAML Identity Providers.	Yes. Refs: [KcDR]	Yes.
Social Login - Enable login with Google, GitHub, Facebook, Twitter, and other social networks.	Yes. Refs: [KcGC], [KcDH], [KcGD]	No.
User Federation - Sync users from LDAP and Active Directory servers.	Yes. Refs: [KcDQ]	Yes.
Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server.	Yes. Refs: 1	No.
Admin UI for central management of users, roles, role mappings, clients and configuration.	Yes. Refs: [KcDA]	No.
Event notification	Yes.	No.
Account Management UI that allows users to centrally manage their account.	Yes. Refs: [KcDF]	Yes (but with many restrictions)
Theme support - Customize all user facing pages to integrate with your applications and branding.	Yes. Refs: [KcGB], [KcDE]	Yes (with UAA fork)
Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.	Yes. Refs: [KcDO]	Yes. Has Google Authenticator Support. Refs: [UaaVA]
Login flows - optional user self-registration, recover password, verify email, require password update, etc.	Yes. Refs: 1, 2	Yes. Only Initiate IDP Login Flow.
Session management - Admins and users themselves can view and manage user sessions.	Yes. Refs: [KcDM]	No.
Opaque Tokens support.	Yes. Refs: 1	Yes. Refs: 1, 2
Token exchange support.	Yes. Refs: 1	Yes. Refs: 1
Token mappers - Map user attributes, roles, etc. how you want into tokens and statements.	Yes. Refs: [KcDN]	No.
Access system based on a subset of assigned user roles	Yes.	Yes.
Role-based access control (RBAC) support	Yes.	Yes. Refs: UAA for Kubernetes
Not-before revocation policies per realm, application and user.	Yes. Policies define the conditions that must be satisfied before granting access to an object. Keyckloak defines many Managing Policies. We can also Manage Permissions. A permission associates the object being protected and the policies that must be evaluated to decide whether access should be granted	No.
CORS support - Client adapters have built-in support for CORS.	Yes. Refs: [KcDK]	No.
Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers, protocol mappers.	Yes. Refs: [KcDJ]	No.
Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring, etc.	Yes. Refs: [KcDK]	Yes. UAA has Client-Side Tools and Liraries for Ruby, Java and JavaScript.
Supports any platform/language that has an OpenID Connect Resource Provider library or SAML 2.0 Service Provider library.	Yes. Refs: [KcDL]
Cloud Foundry support	Yes.	Yes.
Kubernetes support	Yes. Refs: [KcVE]	Yes. Refs: [UaaVA], 1
Istio support	Yes. Refs: http://blog.keycloak.org/2018/02/keycloak-and-istio.html	Yes. Refs: [UaaVA]

3. References

• CF UAA:

  • GitHub:

    • [UaaGA] https://github.com/cloudfoundry/uaa

    • [UaaGB] https://github.com/cloudfoundry/uaa-singular

  • Documents:

    • [UaaDA] High Level Features of the UAA

    • [UaaDB] UAA API Reference

    • [UaaDC] UAA Blog Posts

    • [UaaDD] Securing RESTful Web Services with OAuth2

    • [UaaDE] User Account and Authentication (UAA) Server

    • [UaaDF] Enabling the SSO Feature

  • Videos:

    • [UaaVA] Apr 27, 2018: Cloud Foundry UAA Overview and Roadmap - Sree Tummidi, Pivotal

    • [UaaVB] Jun 23, 2017: UAA Feature Updates and 2017 Roadmap

    • [UaaVC] Single Sign-On Service 1.4 Demo for Pivotal Cloud Foundry

    • [UaaVD] Jun 17, 2018: Cloud Foundry UAA as an Identity Gateway

• Keycloak:

  • GitHub:

    • [KcGA] https://github.com/keycloak

    • [KcGB] https://github.com/keycloak/keycloak/tree/master/examples/themes

    • [KcGC] https://github.com/keycloak/keycloak/tree/master/examples/broker/facebook-authentication

    • [KcGD] https://github.com/keycloak/keycloak/tree/master/examples/broker/google-authentication

  • Documents:

    • [KcDA] Admin Console

    • [KcDB] Keycloak features

    • [KcDC] Single Sign-On Made Easy with Keycloak / Red Hat SSO

    • [KcDD] OpenID Connect Identity Brokering with Red Hat Single Sign-On

    • [KcDE] Create a custom theme for Keycloak

    • [KcDF] User Management

    • [KcDG] Configuring NGINX for OAuth/OpenID Connect SSO with Keycloak/Red Hat SSO

    • [KcDH] Social Identity Providers

    • [KcDI] SAML

    • [KcDJ] Service Provider Interfaces (SPI)

    • [KcDK] What are Client Adapters?

    • [KcDL] OpenID Connect

    • [KcDM] User Session Management

    • [KcDN] OIDC Token and SAML Assertion Mappings

    • [KcDO] Identity Management and Two-Factor Authentication Using One-Time Passwords

    • [KcDP] Securing apps and services with Keycloak (Watch DevNation Live video)

    • [KcDQ] LDAP and Active Directory

    • [KcDR] Identity Brokering

    • [KcDS] SSO Protocols

  • Videos:

    • [KcVA] [DevNation Live] Secure Spring Boot Microservices with Keycloak

    • [KcVB] Federation with Keycloak and FreeIPA

    • [KcVC] Setup Keycloak as an Identity Provider & OpenID Connect Token Issuer

    • [KcVD] Securing apps and services with Keycloak authentication

    • [KcVE] Keycloak on Kubernetes

• OAuth 2.0:

  • Documents:

    • OAuth 2.0

• OpenID:

  • Documents:

    • OpenID Connect

• ADFS:

  • Documents:

    • ADFS

    • What is ADFS?

• SAML:

  • Videos:

    • SAML 101

    • SAML Overview

• Cloud Foundry

  • Documents:

    • https://www.cloudfoundry.org/

• Kubernetes

  • Documents:

    • https://kubernetes.io/

• Istio

  • Documents:

    • https://istio.io/

    • https://www.infoq.com/istio