1. Overview

Users in an organization that runs multiple applications often need to authenticate against multiple systems. As a result, they must remember multiple accounts and passwords. Single Sign-On (SSO) is a solution to this problem: it provides a single login credential for a set of systems.

In this tutorial, we'll briefly explain what SSO is, and then we'll look at seven different SSO solutions for Java applications.

2. Single Sign-On

An SSO solution can be implemented using either of two protocols:

  • SAML 2.0
  • OpenID Connect

SAML 2.0 (Security Assertion Markup Language) simplifies user authentication. Users register and authenticate only at the identity provider, and that single authentication gives them access to multiple services. It is based on XML. OpenID Connect (OIDC) is the successor to SAML 2.0. It is an extension of the OAuth 2.0 protocol that adds authentication, and it is simpler to configure than SAML 2.0.

3. Keycloak

Keycloak is an open-source identity and access management (IAM) system. It provides features such as SSO, User Federation, Fine-Grained Authorization, Social Login, Two-Factor Authentication (2FA), and more. In addition, it supports OpenID Connect, OAuth 2.0, and SAML. It integrates well with third-party tools; for instance, it integrates really well with Spring Boot applications. The latest release can be found here. It also provides a friendly admin console for administrators and developers to configure and manage Keycloak. The source code is available on GitHub.

4. WSO2 Identity Server

WSO2 Identity Server is an open-source IAM system developed by WSO2. It offers SSO, 2FA, Identity Federation, Social Login, and more. It also supports almost all popular identity standards. Moreover, it comes with an admin console and exposes APIs for integration with other applications. It is written mainly in Java, and the source code is available on GitHub.

5. Gluu

Gluu is an open-source, cloud-native IAM solution with a variety of access management features. It provides Strong Authentication, Mobile Authentication, 2FA, and Identity Brokering. Moreover, it supports open web standards such as OpenID Connect, SAML 2.0, FIDO, and User-Managed Access. It is written in Python. The scripts that automate deployment and configuration of the Gluu Server are available on GitHub.

6. Apereo CAS

Apereo CAS is an open-source, enterprise-grade SSO system and is part of the Central Authentication Service (CAS) project. Similar to the previous solutions, it supports several protocols, including SAML, OAuth 2.0, OpenID Connect, and more. It can also integrate with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle, and others. It is built on top of Spring Boot and Spring Cloud. The source code is available on GitHub.

7. Spring Security OAuth2

We can use the Spring Security OAuth project to implement SSO solutions. It supports both OAuth providers and OAuth consumers. In addition, we can implement 2FA functionality with a Soft Token and Spring Security.
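As an added example that is not part of the article, here is a minimal Spring Boot configuration that turns a web application into an OIDC relying party against a Keycloak realm, so that login is delegated to the identity provider. It uses the OAuth2 client support built into Spring Security 5 rather than the legacy Spring Security OAuth project; the package name, realm URL, client id and secret are placeholders.

```java
// Added example: OIDC SSO with Spring Security 5 against a Keycloak realm.
// Assumed application.yml (placeholders, not values from the article):
//
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           keycloak:
//             client-id: my-app                    # placeholder
//             client-secret: ${KC_CLIENT_SECRET}   # injected, never committed
//             scope: openid,profile,email
//             authorization-grant-type: authorization_code
//             redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
//         provider:
//           keycloak:
//             issuer-uri: https://idp.example.com/realms/demo   # placeholder
//
// With issuer-uri set, Spring Security fetches the OIDC discovery document and
// validates ID tokens (signature, issuer, audience, expiry) against the realm's
// published JWKS, so none of that is hand-rolled in application code.
package com.example.sso;  // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SsoSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    ClientRegistrationRepository registrations) throws Exception {
        // Local logout alone leaves the IdP session alive, so the next visit would
        // silently sign the user back in; RP-initiated logout ends the IdP session too.
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedLogoutSuccessHandler(registrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}");

        http
            // Everything except the public pages requires an authenticated user
            .authorizeRequests(authz -> authz
                .antMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated())
            // Delegate login to Keycloak via the authorization code flow
            .oauth2Login(oauth2 -> oauth2.loginPage("/oauth2/authorization/keycloak"))
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout));
        return http.build();
    }
}
```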

8. OpenAM

OpenAM is an open-source access management solution that includes Authentication, Authorization, SSO, and an Identity Provider. It supports Cross-Domain Single Sign-On (CDSSO), SAML 2.0, OAuth 2.0, and OpenID Connect. The latest release and source code can be found here.

9. Authelia

Authelia is an open-source authentication and authorization server that provides SSO and 2FA. It supports hardware-based 2FA using FIDO2/WebAuthn-compatible security keys. Moreover, it supports time-based one-time passwords generated by apps like Google Authenticator. The Authelia server is written in Go, and all of its source code is available on GitHub.

10. Conclusion

Many organizations use SSO today. In this article, we took a very high-level look at SSO solutions in the Java ecosystem. Some of them provide a complete IAM system, while others provide just an SSO server and authentication methods.
