Versions Compared

Overview

Considering alternative methods for user management in NDS Labs. With version 1.0, we manage account information in etcd and account creation is done through a simple form. Going forward, we need to support standard signup and approval workflows, as well as password recovery and change features. We've discussed leveraging OAuth and external IdPs (e.g., GitHub) or hosting Shibboleth. This raises the question of whether we need to run our own local IdP, depend on these external services, or both.

If we rely exclusively on external IdPs, we avoid having to provide the standard registration/verification workflow as well as password recovery and management. We will still need to handle authentication and authorization into our service. This likely means implementing an authorization and approval workflow after the user has "signed up" with the selected OAuth provider: the external IdP tells us who the user is, but it says nothing about whether that user has been approved for NDS Labs.
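Added example (not NDS Labs code) of the approval gate described above: a successful OAuth login only creates a pending record, and authorization stays closed until a local admin approves it. The account record layout, the (provider, subject) key, and the in-memory store standing in for etcd are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
import time


class Status(Enum):
    PENDING = "pending"    # signed up via the IdP, not yet approved
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class Account:
    provider: str          # external IdP that authenticated the user, e.g. "github"
    subject: str           # the IdP's stable user id (never the display name or email)
    email: str
    status: Status = Status.PENDING
    roles: set = field(default_factory=set)
    created: float = field(default_factory=time.time)


class AccountStore:
    """Stand-in for the etcd-backed account store (assumption), keyed by (provider, subject)."""

    def __init__(self):
        self._accounts = {}

    def bootstrap_admin(self, provider, subject, email):
        """Seed the first approved admin; later admins are approved through approve()."""
        acct = Account(provider, subject, email, Status.APPROVED, {"admin", "user"})
        self._accounts[(provider, subject)] = acct
        return acct

    def on_oauth_login(self, provider, subject, email):
        """Called after the OAuth exchange succeeds. A first login creates a PENDING
        record; a returning user gets the existing record back unchanged."""
        key = (provider, subject)
        if key not in self._accounts:
            self._accounts[key] = Account(provider, subject, email)
        return self._accounts[key]

    def approve(self, admin, provider, subject, roles=("user",)):
        """Only an approved admin may move an account out of PENDING."""
        if admin.status is not Status.APPROVED or "admin" not in admin.roles:
            raise PermissionError("only approved admins may approve accounts")
        acct = self._accounts[(provider, subject)]
        acct.status = Status.APPROVED
        acct.roles.update(roles)
        return acct

    def authorize(self, acct, required_role):
        """Authentication by the IdP grants nothing until local approval has completed."""
        return acct.status is Status.APPROVED and required_role in acct.roles
```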

If we decide to host our own IdP, we'll need to select from the available open source identity providers (below). We will still need to handle authentication and authorization into our service.

Requirements

  • Ability to manage users and groups
  • Login, forgot password, password reset
  • Signup and approval workflow
  • OAuth support

Candidate SSO Implementations

  Service                         License      Platform          Notes
  Central Authentication Service  Apache 2.0   Java
  Gluu                                         Java, in theory   Installed on CentOS 7
  IdentityServer                  Apache       Microsoft
  Shibboleth
  WSO2

...