Open Source Identity Management Solutions Written in Java


Continuing the series on open source software written in Java, here is a review of open source solutions for identity management.
Identity management encompasses directory services, authentication and authorization services, certificate authorities, administration consoles, single sign-on and provisioning services.

  • Sun Interoperability Prototype for Liberty (IPL) – IPL is the first open source implementation of the Liberty Alliance Version 1.0 specification based on Java technology. It consists of sample Java source code libraries implementing the Liberty 1.0 specification and is not designed for commercial deployment. IPL is licensed as open source under the Sun Microsystems Open Source License.
  • SourceID – Open Source Federated Identity Management – Liberty Alliance, SAML, and WS-Federation. Royalty free commercial use if used on fewer than 100 computers per company.
  • Shibboleth – Shibboleth is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Key concepts within Shibboleth include federated administration, attribute-based access control and active management of privacy; it is built on OpenSAML.
  • OpenSAML – OpenSAML is a set of open source Java and C++ libraries that are fully consistent with the SAML 1.0 and 1.1 CR specifications.
  • Yale CAS – The Central Authentication Service (CAS) is designed as a standalone web application. It is currently implemented as several Java servlets and runs behind an HTTPS server.
  • Atlassian Seraph – Seraph is a very simple, pluggable J2EE web application security framework.
  • OpenSPML – The toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures.
  • Novell Nsure UDDI Server – Nsure is a UDDI 2.0 registry built on Directory Services technology. It offers secure access to the registry contents (authentication and authorization), unified account management, and distribution of the registry by leveraging Directory Services. It works with any LDAPv3-based directory backend.
  • OpenPrivacy – A reference implementation of the Reputation Management Framework (RMF). OpenPrivacy’s core project is designed to ease the process of creating communities of reputation-enhanced pseudonymous entities. The RMF is primarily a set of four interfaces: Nym Manager, Communications Manager, Storage Manager and Reputation Calculation Engine (RCE).
  • NSF Middleware Initiative – NMI-EDIT: Identity and Access Management for Collaborative Applications.
  • jSai – jSai (pronounced “Jay-Say”) is iPOV’s home-grown Servlet Authentication Implementation. jSai is implemented entirely with J2SE and Servlet technology; no J2EE “application server” is needed. jSai supports basic JDBC- and XML-backed user stores as well as an LDAP user store. It gives developers the application-level security they need for small and medium-size web applications, avoiding the complex setup of security implementations aimed at large “enterprise” applications.
  • Acegi Security – Acegi Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring. Using Acegi Security provides your applications with comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities.
  • Gabriel – Gabriel is a security framework for Java. By using access control lists and permissions, Gabriel enables components to check access to actions. On top of that Gabriel protects methods like EJB does but without the overhead. It distinguishes itself from other frameworks by the ease of use with a small API and by mapping method access to permissions instead of persons. This way the same permissions can be used to protect method access and to check which GUI elements to show based on user permissions.
  • JOSSO – JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed at providing centralized, platform-neutral user authentication. Its pluggable framework allows multiple authentication schemes to be implemented and combined with credential stores.
  • Kasai – The goal of Kasai is to provide a simple-to-use yet powerful security environment for multi-user applications. Unlike JAAS, Kasai provides a much higher-level security abstraction. Additionally, Kasai includes a powerful, high-performance auditing system that records all user activity in a relational database.
  • JPAM – JPAM is a Java-PAM bridge. PAM, or Pluggable Authentication Modules, is a standard security architecture used on Unix, Linux and Mac OS X systems. JPAM permits the use of PAM authentication facilities by Java applications running on those platforms.
  • CAS Generic Handler – CAS Generic Handler is a plugin giving CAS (Central Authentication Service) the ability to authenticate users with different methods (LDAP, database, files, NIS, …).
  • SunXACML – This project provides complete support for all the mandatory features of XACML as well as a number of optional features. Specifically, there is full support for parsing both policy and request/response documents, determining applicability of policies, and evaluating requests against policies. All of the standard attribute types, functions, and combining algorithms are supported, and there are APIs for adding new functionality as needed. There are also APIs for writing new retrieval mechanisms used for finding things like policies and attributes.
  • Shaj – Shaj (Simple Host Authentication for Java) is a simple library that allows your Java application to verify users against the underlying operating system. Shaj also allows you to check group membership. Shaj is not a competitor to full-featured authentication APIs but rather a complementary way to piggyback on system accounts on any platform. Shaj is used in FishEye for local account authentication, hence it is in use on most flavours of Windows and *NIX.
  • Open Web SSO – The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign-on as an infrastructure security component. The goal of the project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign-on for web applications hosted on web and application servers. The project is based on the code base of the Sun Java™ System Access Manager product.
  • Higgins – This project is developing an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information. In addition, Higgins aims to provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries. It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles.
  • Bandit – Bandit is a set of loosely-coupled components that provide consistent identity services for Authentication, Authorization, and Auditing.
    Bandit implements open standard protocols and specifications such that identity services can be constructed, accessed, and integrated from multiple identity sources. Bandit components support many authentication methods and provide user-centric credential management. On this base of a common identity model, Bandit is building additional services needed for Role Based Access Control (RBAC) and for the emission of records to verify compliance with higher level policies.
  • JBoss Federated SSO – Features end-to-end secure cross-domain/cross-organization Single Sign-On and Single Sign-Out based on standards like SAML. Includes a pluggable Identity Connector Framework for connecting to custom identity storage systems (such as JDBC databases) and ships with a standard LDAP-based connector. Supports the standard JAAS-based authentication mechanism as well as custom authentication mechanisms such as Struts actions, Servlet Filters, JSF actions and Servlets. Integrates seamlessly with JBoss Portal and the JBoss Seam Framework.
  • Liberty Open Source Toolkit – These toolkits implement the Liberty Alliance ID-WSF 1.0 and 2.0 protocols. The original code was developed by Conor Cahill while he was at AOL, and AOL agreed to release it under a BSD License. The server toolkit is a Java implementation of ID-WSF 2.0 only, written on top of Apache Axis 1.3 (which, of course, runs on top of Apache Tomcat). The service instances use JDBC to access the data store and include scripts to set up the data store in PostgreSQL, although the scripts can be modified to work with other data stores.
  • JFacets – JFacets is a lightweight framework that integrates the concept of a user profile and allows easy and consistent development of profile-based software by implementing a kind of profile-based Inversion of Control.
    The system allows virtually any users/roles mechanism to be encapsulated, with code (facets) assigned to profiles at design time.
  • OSUser – OSUser is a module of the OpenSymphony framework designed to provide a simple-to-use API for user management. The API supports credentials, access control, profiles and user management. It is used as the default user and group management for the Confluence wiki product.
  • Open Provisioning Toolkit – Open Provisioning ToolKit (OpenPTK) provides a bridge between identity solutions and specialized user interfaces or access points. OpenPTK exposes APIs, web services, HTML taglibs and JSR-168 portlets, with user self-service and administration examples. The architecture supports several pluggable back-end services including Sun’s Identity Manager, Sun’s Access Manager and LDAPv3.
  • OpenID4J – A library that allows you to OpenID-enable your Java web application.
  • JOID – JOID is an OpenID 1.x/2.0 Java library that lets you implement providers as well as relying parties. Rumored to be used in production at Verisign.
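To make the SunXACML entry above concrete, here is an added example (not code from this post or from the SunXACML project) that builds a PDP with the library's `PolicyFinder`/`AttributeFinder` API, loads a constructed deny-by-default policy, and evaluates a constructed request. The policy, request, the `group` attribute and the `http://example.com/payroll` resource are all illustrative assumptions; the XACML 1.0 namespaces, the `com.sun.xacml` classes and the `Result.DECISION_*` constants are the library's own (sunxacml 1.2). Java text blocks require Java 15 or later.

```java
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.impl.CurrentEnvModule;
import com.sun.xacml.finder.impl.FilePolicyModule;
import com.sun.xacml.finder.impl.SelectorModule;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.*;

public class XacmlPdpExample {

    // Constructed policy (assumption): only subjects in group "admin" may "read"; a final
    // Deny rule closes the gap so that anything not explicitly permitted is denied.
    static final String POLICY = """
        <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="ExamplePolicy"
                RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
          <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
          <Rule RuleId="AdminsMayRead" Effect="Permit">
            <Target>
              <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch></Subject></Subjects>
              <Resources><AnyResource/></Resources>
              <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch></Action></Actions>
            </Target>
          </Rule>
          <Rule RuleId="DenyEverythingElse" Effect="Deny"/>
        </Policy>
        """;

    // Constructed request (assumption): subject "alice" in group "admin" wants to read the payroll resource.
    static final String REQUEST = """
        <Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
          <Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                       DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>alice</AttributeValue></Attribute>
            <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>admin</AttributeValue></Attribute>
          </Subject>
          <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://example.com/payroll</AttributeValue></Attribute>
          </Resource>
          <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                       DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
          </Action>
        </Request>
        """;

    // Builds a PDP whose policy finder reads the policy from a file and whose attribute
    // finder can resolve environment attributes (current time) and AttributeSelectors.
    static PDP buildPdp(Path policyFile) {
        FilePolicyModule policyModule = new FilePolicyModule();
        policyModule.addPolicy(policyFile.toString());
        PolicyFinder policyFinder = new PolicyFinder();
        policyFinder.setModules(new HashSet<>(List.of(policyModule)));

        AttributeFinder attributeFinder = new AttributeFinder();
        attributeFinder.setModules(new ArrayList<>(List.of(new CurrentEnvModule(), new SelectorModule())));

        return new PDP(new PDPConfig(attributeFinder, policyFinder, null));
    }

    // Fail closed: anything other than an explicit Permit (Deny, NotApplicable, Indeterminate)
    // is treated as denied, which is the safe reading of a XACML response for a PEP.
    static boolean isPermitted(ResponseCtx response) {
        for (Object r : response.getResults()) {
            if (((Result) r).getDecision() != Result.DECISION_PERMIT) return false;
        }
        return !response.getResults().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        Path policyFile = Files.createTempFile("policy", ".xml");
        Files.writeString(policyFile, POLICY);
        PDP pdp = buildPdp(policyFile);

        RequestCtx request = RequestCtx.getInstance(
                new ByteArrayInputStream(REQUEST.getBytes(StandardCharsets.UTF_8)));
        ResponseCtx response = pdp.evaluate(request);
        System.out.println("alice/read permitted: " + isPermitted(response));
    }
}
```

Two design points worth noting: the trailing `DenyEverythingElse` rule under `deny-overrides` means a request that matches no Permit rule gets an explicit Deny rather than NotApplicable, and `isPermitted` still refuses anything that is not a clean Permit, so a malformed request (Indeterminate) or an empty result set cannot be mistaken for authorization.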

I may have missed some, so please let me know what I should add to the list. Finally, here’s a massive list of literature on Identity Management created by Andre Durand.
