Open Source Identity Management Systems

Introduction

The era when commercial closed source IDM products ruled the market is nearly over. The beginning of the end of this era came when Oracle demolished Sun IDM. Sun IDM was a popular product and this decision hit many Sun customers hard. Customers are starting to realize that no vendor is stable enough to guarantee the protection of their investment in an IDM solution. This is partly caused by the fact that most IDM deployments are significantly customized and that there is no easy migration path from one product to another. "Migration" of an IDM deployment in fact means re-implementation from the ground up. Open source solutions protect the investment better: they offer the ability to stay with the same product even if the "vendor" is dead. That was clearly demonstrated when ForgeRock took over the OpenSSO product that Oracle abandoned. That was the first major case of this phenomenon, but it is unlikely to be the last.

When a tree falls in the forest, new trees rapidly grow to take its place. We can clearly see this in the field of identity management. New projects grow up to fill the gap in the market. Among these there are a few promising open source projects. However, it may be difficult for an IDM expert to see inside these projects. As our expertise spans both IDM and software architecture, we can see inside and have attempted to understand them. Therefore we have compiled this list of open source IDM projects with a short summary of their features as we understand them, in the hope that it will help others navigate the currents of this emerging IDM subfield.

The evaluation is based on the technical and especially the architectural properties of the systems. Business properties (such as availability and pricing of support) are not considered. However, we have not analyzed the source code in depth; we have only had a "quick look" at the code and evaluated mostly system architecture and design. Therefore the evaluation does not reflect the number of bugs, visibility (logging, diagnostic output) or similar characteristics.

All the open source IDM systems are relatively new. While it is interesting to see what a system can do right now, it is even more interesting to see what its prospects are in a few years when it matures. As we are looking for a long-term solution both for our business (IDM deployments) and for our customers, we have focused our evaluation on the properties that hint at how a system will evolve. Therefore we focus on system architecture, constraints and also development speed.

The opinions are our own. Although we have tried to maintain a neutral point of view, we cannot guarantee that we have succeeded. Some projects are more transparent than others, so we may have misunderstood some concepts. Also, we are describing the projects from the point of view of the IDM deployment projects that we have done in the past. Therefore the suitability of the described technologies for other projects may vary. We also were (and are) involved in some of the described projects, which may have caused a bias in the evaluation (see "About nLight" below).

The products are listed in alphabetical order. Only open source provisioning systems are listed. Other types of IDM systems may be added in the future. Any questions and comments are more than welcome (contact page).

MidPoint

Homepage: midpoint.evolveum.com
Ohloh: midPoint
License: CDDL version 1.0
Backing: Evolveum
Core technologies: Java (Spring), XML, XPath
Connector framework: OpenICF (Sun Identity Connector Framework fork)
Identity repository: Flexible, currently embedded XML database
Last updated: January 2012

MidPoint is a pragmatic provisioning system. It is based on the principles used by most closed-source IDM systems, extended to meet current requirements. It has an extensible Java-based provisioning engine working on top of a database repository and a connector framework. The goal of midPoint is to make IDM deployments efficient by implementing common-case scenarios directly in the product. Therefore a deployment engineer needs only to configure and customize them and does not need to invest time in writing code. MidPoint is based on older, proven technologies for reliability; new technologies are gradually introduced to the project as needed. It is extensible by expressions (currently XPath 2, a principle similar to Sun/Waveset IDM) or by writing custom Java code. Support for workflows using Activiti BPM is under development. The midPoint user interface is usable, but it is just the very basic minimum (planned to be improved soon). Most of the configuration is now done by importing XML files. MidPoint code is partially based on OpenIDMv1 code dating back to early 2010. MidPoint development is rapid (over 2000 commits in 9 months), architectural documentation is available, and the basic design principles are backed by a UML model.

Our conclusion: MidPoint is our IDM product of choice. The quality and efficiency of IDM deployments is crucial for our style of work, therefore we need a product that supports that. The midPoint team is making the right design decisions to make that possible. Also, the use of the OpenICF framework brings some hope of connector interoperability.

Full disclosure: nLight is taking part in midPoint development. See "About nLight" below.

OpenIAM Identity Manager

Homepage: www.openiam.org
Ohloh: openiam-idm
License: The Apache Software License, Version 2.0 (according to pom.xml in the source code)
Backing: OpenIAM
Core technologies: Java, SOA
Connector framework: SPML (most likely)
Identity repository: unknown
Last updated: October 2011

OpenIAM seems to be one of the oldest open source provisioning systems. It seems to be based on a SOA architecture, but the technical details are not clear. The documentation is a complex labyrinth and it is almost impossible to find the source code. According to the available documentation the connectors are SPML-based, which we consider to be a major disadvantage. Extensibility properties are unknown. The development speed seems to be slow, approx. 300 Subversion commits in 3 years.

Our conclusion: We do not see OpenIAM as a really transparent project. We found it difficult to familiarize ourselves with how OpenIAM works and how it is developed. Also, an architecture internally based on SOA may be a major disadvantage. A similar approach was attempted in OpenIDMv1, but it proved impractical, which led to the OpenIDMv2 and midPoint development branches, neither of which uses SOA internally. SOA, SPML and the other architectural characteristics of OpenIAM, together with the slow development speed, render OpenIAM a risky choice.

OpenIDM

Homepage: openidm.forgerock.org
Ohloh: openidm
License: CDDL
Backing: ForgeRock
Core technologies: Java (OSGi), JSON, JavaScript
Connector framework: OpenICF (Sun Identity Connector Framework fork)
Identity repository: Flexible, currently relational database and (experimental) document database
Last updated: December 2011

OpenIDM is a part of ForgeRock's I3 suite. Version 2 of OpenIDM is a very flexible provisioning framework. It is basically a set of components that can be put together using JavaScript code. It is heavily based on JSON and provides RESTful interfaces. Currently OpenIDM does not have any user interface. There is still no off-the-shelf support for RBAC or any other advanced access control model. Extreme extensibility is achieved by writing custom JavaScript code, which is necessary for almost any OpenIDM deployment. Support for workflows using Activiti BPM is under development. The source code of OpenIDMv2 is very fresh (originated in mid-2011) and the project is built almost entirely on new technologies, which can be both an advantage and a risk. The development speed seems to be moderate (approx. 700 commits in 9 months).

Our conclusion: OpenIDM may be well suited for embedding into larger IDM solutions. As it has no user interface, its usability as a stand-alone system is severely limited. Also, the extreme flexibility of OpenIDM may be an obstacle to a deployment. As OpenIDM is basically a JavaScript-based programming language with IDM extensions, the deployer needs to do most of the work. Many common features required in IDM deployments must be developed in JavaScript for each and every deployment. Therefore the efficiency of OpenIDM deployment is yet to be seen.

Full disclosure: nLight has taken part in OpenIDM development. See "About nLight" below.

Syncope

Homepage: www.syncope-idm.org
Ohloh: syncope
License: Apache License, Version 2.0
Backing: Tirasa
Core technologies: Java (JEE)
Connector framework: ConnId (Sun Identity Connector Framework fork)
Identity repository: Relational database only (JPA)
Last updated: January 2012

Syncope is a provisioning system based on a relational database repository. It has a separate (web) console and a "core" provisioning engine. Syncope seems to be more like a framework that needs to be extended with Java code for any slightly complex deployment. The data model, and actually the whole system, seems to be tailored to be used as a database application. The data model seems to be mostly fixed (defined by the JPA binding), but there are some possibilities to extend it using a run-time schema definition. Some extensibility is also achieved by using JEXL expressions. The default workflow engine is powered by Activiti BPM. It looks like the data model does not account for the ability to locally copy account information into the IDM repository and therefore to provide off-line operations and efficient reports (which was one of the Achilles' heels of Sun/Waveset IDM). In other aspects, too, Syncope seems quite similar to Sun/Waveset IDM. According to the source code repository, Syncope development started in mid-2010. The development speed seems to be moderate to slow (approx. 600 commits per year).

Our conclusion: Our experience shows that run-time extensibility of the system greatly improves deployment efficiency and maintainability of the system. Although we cannot deny that Syncope seems impressive, we are quite concerned about the inherent limitations that are "under the hood". Also, the decision to fork Sun ICF just for Syncope does not seem to be the best. We rather prefer the "multi-vendor" approach of the OpenICF project. Yet currently Syncope seems to be probably the most usable open source system available; only the future will tell if it can withstand the competition from more flexible architectures.

Side by Side

Ohloh has a nice page comparing midPoint, OpenIDM and Syncope side by side.

About nLight

nLight is a small consulting company focused on identity management and software architecture. nLight has been an IDM specialist from its very inception. nLight employees participated in many successful IDM deployments, some of them dating back to the 1990s. nLight has provided consultations and IDM trainings throughout Europe, mostly specialized in Sun IDM deployments, as we considered that to be the only usable IDM product on the market. After the Sun IDM product was demolished, and after bad experience with both Oracle and Novell products, we were persuaded that open source is the only approach that can work. Therefore nLight has been cooperating with ForgeRock on OpenIDMv1 development since almost the very beginning of the OpenIDM project. When the direction of OpenIDM rapidly changed in mid-2011, the relevant part of the OpenIDMv1 code was donated to a new company, Evolveum. Evolveum is now leading the development of the midPoint IDM system based on the original OpenIDMv1 principles as designed by nLight engineers.