
I'm looking for a list of products (open-source preferred) that implement all modern authentication protocols (SAML 2.0, OpenID Connect, Pre-authentication mandatory) and handle everything related to these. Once a user is resolved, they are sent to a configured endpoint that consumes the final user (our application, in that case).

The provided product should handle everything and be configurable, through a GUI preferably, and just provide a payload with a username and a list of groups/attributes.

The goal is simple: the product should be an industry-standard solution that lets us never have to deal with any of these protocols and just provides us a payload with a username and a set of attributes (e.g. groups).

PentaKon
  • First of all, I'm not sure what you mean by "Pre-authentication mandatory" - that's not a "standard" or a "protocol" like SAML and OIDC... Maybe it's some term for a "best practice" in your industry, but it's not an identity term. Second of all, there are a load of products that do OIDC and SAML, all of which have a mechanism to make the attributes you need available... But SOMEONE will have to deal with the configuration of those protocols in any product... Which is what you don't want... Sounds like you want to hire someone to take care of your federations. – Andrew K. Jun 22 '23 at 19:50
  • We provide an on-premises product that needs to somehow allow login with the customer's SAML identity provider. I'm looking for a third party product that the customer's identity expert will configure and that product will just give me credentials regardless of the protocol used. PreAuthentication is the method used by products like SiteMinder or PingAccess which is a proxy that adds authentication headers to all requests. It's implemented in spring security – PentaKon Jun 23 '23 at 15:34
  • I'm not familiar with any specific identity platform that provides an integration method like what you're talking about. The closest would be a PaaS-type tool that you got from something like Salesforce. You need an administrative user store (where you store your customer admins so they can log in with a non-SSO set of credentials to CRUD the integration), a skinnable interface for your customer admins to manage those integrations, etc. Generally, *you* build your interface using your identity platform's APIs. – Andrew K. Jun 26 '23 at 13:57
  • I see it's also called Header-based authentication. Azure supports it, it seems: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-header-based Ping Identity also provides such an offering named PingAccess which it seems uses Oracle's SiteMinder under the hood. Maybe it's deprecated but enterprise customers still use it. – PentaKon Jun 27 '23 at 14:16
  • My apologies. What I was saying in the last comment was directed to your "platform management" functionality requirement - that is, a system for an external administrator to manage the connection between themselves and your Service Provider. Yes, PingAccess supports header-passing (and it's not based on "Oracle SiteMinder"), as does Oracle Access Manager, and Broadcom SiteMinder. None of them have an external management interface for supporting their identity federation interconnections. – Andrew K. Jun 28 '23 at 15:15
  • Point being, I don't know of a single identity service that has an interface OOTB for your customer admins to manage their federations. The services (commercial like Okta, Ping, Oracle Identity Federation, Siteminder; open source like KeyCloak) all require you to build that management interface using the service APIs/SDKs. – Andrew K. Jun 28 '23 at 15:17
  • Seems like a weird gap in the market. I'm looking for a very simple thing, a product that implements the Service Provider side of all these protocols and resolves them into a single Subject-Principal format. It's so simple I'd expect this to be open source freeware even! – PentaKon Jun 29 '23 at 08:46
  • Well... Identity federation protocols aren't exactly "so simple". Layer in the complexity of providing a management interface that requires very tight access control to ensure people can't modify tier-0 infrastructure (like authentication and authorization systems) that doesn't belong to them... And it's especially not simple. To be snarky, if it's so simple - build it with your current tooling. ;-) – Andrew K. Jun 30 '23 at 16:05
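As an added illustration of the header-based (pre-authentication) pattern discussed in the comments, and not code from the question or from any product named in the thread: a constructed Python sketch of the consuming side, turning proxy-supplied headers into the single Subject-Principal (username plus groups) the question asks for. It assumes hypothetical header names (X-Auth-User, X-Auth-Groups, X-Auth-Signature) and a secret shared between proxy and application, and shows the check a deployment of this pattern depends on: the application must verify that the headers really came from the proxy, because any client that can reach the application directly could otherwise set its own username.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; in deployment this comes from a secret store and is
# known only to the authenticating proxy and the application behind it.
SHARED_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Principal:
    """The Subject-Principal the thread asks for: a username plus groups."""
    username: str
    groups: frozenset


def _mac(user: str, groups: str, secret: bytes) -> str:
    # Bind user and groups into one MAC so neither can be swapped or altered.
    msg = f"{user}\n{groups}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def proxy_headers(user: str, groups: list, secret: bytes = SHARED_SECRET) -> dict:
    """Proxy side: headers the proxy adds to each forwarded request after the
    user signed in via SAML/OIDC (hypothetical header names, not a product's)."""
    joined = ",".join(groups)
    return {
        "X-Auth-User": user,
        "X-Auth-Groups": joined,
        "X-Auth-Signature": _mac(user, joined, secret),
    }


def resolve_principal(headers: dict, secret: bytes = SHARED_SECRET) -> Optional[Principal]:
    """Application side: accept the pre-authenticated identity only when the
    signature verifies; otherwise return None and treat the request as anonymous."""
    user = headers.get("X-Auth-User")
    groups = headers.get("X-Auth-Groups", "")
    sig = headers.get("X-Auth-Signature", "")
    if not user or not sig:
        return None  # request did not pass through the proxy
    if not hmac.compare_digest(_mac(user, groups, secret), sig):
        return None  # forged or tampered headers
    return Principal(user, frozenset(g for g in groups.split(",") if g))


if __name__ == "__main__":
    print(resolve_principal(proxy_headers("alice", ["developers", "auditors"])))
    print(resolve_principal({"X-Auth-User": "alice", "X-Auth-Groups": "admins"}))
```

The second call returns None: a request carrying a username header but no valid proxy signature is not trusted, which is the property to verify when putting a header-passing proxy in front of an application.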

0 Answers