This was created years ago; at the time I'd been a Shibboleth admin for nearly a decade but we needed something that could handle OIDC/OAuth and that explicitly supported OpenJDK. After a lot of investigation, I really liked Keycloak/Red Hat Single Sign-On. More details here: Gluu vs keycloack vs wso2 identity management
(Items in bold indicate possible concerns)
| | Keycloak | WSO2 Identity Server | Gluu | CAS | OpenAM | Shibboleth IdP |
|---|---|---|---|---|---|---|
| OpenID Connect/OAuth support | yes | yes | yes | yes | yes | yes |
| Multi-factor authentication | yes | yes | yes | yes | yes | yes |
| Admin UI | yes | yes | yes | yes | yes | no |
| OpenJDK support | yes | yes | partial² | yes | yes | partial |
| Identity brokering | yes | yes | yes | | | |
| Middleware | Quarkus | WSO2 Carbon¹ | Jetty, Apache HTTPD | any Java app server | any Java app server | Jetty, Tomcat |
| Open source | yes | ⚠ nominally | yes | yes | yes | yes |
| Commercial support | yes | yes | yes | third-party | yes | third-party |
| Add federation metadata | no | yes | yes | | | |
| Add metadata from URL | import only | yes | yes | | | |
| Installation and configuration | easy | difficult | difficult | | | |

¹ WSO2 Carbon appears to be based on Tomcat

² Gluu 4.0 comes bundled with Amazon Corretto, one specific distribution of OpenJDK. This is likely because it is built on top of Shibboleth, which only supports specific distributions of OpenJDK.