Keycloak vs Gluu Server — IAM tools Comparison

kartik agarwal
Sep 14, 2021

In this blog post I compare two Identity and Access Management applications: Keycloak (by Red Hat) and Gluu Server (by Gluu org).

Before going into the comparison, let's start with an introduction to IAM software to get a basic understanding of what IAM means and when it is needed. Then we will go into the similarities and differences between the two IAM applications mentioned above.

What is IAM?

Identity access management (IAM), or simply identity management, is a category of software tools that allows businesses of all sizes to manage the identities and access rights of all their employees. There are many different tools that fall under the umbrella of identity management software, or identity access management. Some popular IAM tools on the market are Keycloak, Okta, Gluu Server, Microsoft Azure Active Directory, IBM IAM, etc.

As mentioned, though, IAM is more of an umbrella term that covers a slew of different identity management software tools. The best IAM providers include authentication, authorization, and file storage methods such as:

  • Single sign-on. This refers to centralizing the process of signing on to all apps related to businesses. With SSO, IT admins for a business can regulate their company users’ access to any company-related apps, set permissions, and easily provision and deprovision employees.
  • Multi-factor authentication. MFA provides a crucial second layer of security past normal passwords, which can easily be shared or compromised. MFA consists of either one-time codes generated by apps on your phone, or physical keys like YubiKeys that you plug into your machine and that grant you access when you attempt a login.
  • Data storage on-site or in the cloud. Another important tool for identity management. Most small and medium-sized companies don’t have the capacity to have a server rack on site, so outsourcing that task to an identity access management provider helps both for security and for operational costs.
  • Role based access. A relative of single sign-on functionality, these tools allow administrators to set permissions for access on the identity management software based on the level and degree of access that a particular employee has. The better the software, the more granular the permissions can be set.

Now let's move to the discussion this article is dedicated to.

Keycloak vs Gluu Server

  1. Introduction
    Keycloak is an open source application developed and improved over the years under the umbrella of Red Hat. Keycloak was designed from the ground up as a single product.
    Gluu, on the other hand, is also an open source application, but it is built differently from Keycloak: in Gluu they’ve taken a number of other open-source products, added some of their own pieces, and packaged it all together.
  2. Operating System Support
    Keycloak works on all types of operating systems and platforms, i.e. Windows, Ubuntu, Docker, Kubernetes, OpenShift, and other Linux distributions.
    Gluu, by contrast, works on Ubuntu, Docker, Kubernetes, and some other Linux distributions, but not on Microsoft Windows.
    So the ability to run on Windows makes Keycloak the preferable choice in comparison to Gluu.
  3. Installation
    To get started with Keycloak, just download the zip file from here, unzip it, and run the standalone.sh (on Linux) or standalone.bat (on Windows) file. You can see Keycloak running in the terminal; in your browser, go to http://localhost:8080 to explore Keycloak.
    Gluu installation, on the other hand, needs a good amount of effort and more resources in terms of system configuration and a dedicated domain.
    Gluu only works with a dedicated domain. Gluu installation takes time and it's a complex process. Refer to https://gluu.org/docs/gluu-server/4.2/installation-guide/ for more details.
    Containerized deployment of Gluu Server is also complex and not as clean as containerizing the Keycloak application.
  4. Database Support
    Keycloak has a built-in H2 database for persistent storage, and it also supports installation with external relational databases like Postgres, MariaDB, Oracle DB, etc.
    Gluu does not currently support relational databases, but as per the docs Gluu is going to support relational databases as well in upcoming versions. Gluu has a built-in OpenDJ LDAP database, and it only supports installation with CouchbaseDB as an external database.
  5. Auth Methods, 2FA
    Both Keycloak and Gluu support all popular authentication methods like SAML, OIDC, and OAuth2. Gluu also supports CAS authentication.
    Coming to second-factor authentication (2FA) support: both applications have 2FA support and work with popular 2FA authenticator apps like Google Authenticator, Microsoft Authenticator, or FreeOTP.
    Gluu supports U2F security keys and certificates, and can be extended to support any authentication mechanism using custom authentication interception scripts. Gluu also has support for SMS-based OTP authentication using Fido, Twilio.
  6. User Management
    Both applications have a web interface and API support for user management activities and admin controls.
  7. Realms
    A realm manages a set of users, clients, credentials, roles, and groups. All the users, clients, and other data in a realm are isolated, i.e. one realm cannot read or access the data of any other realm.
    Keycloak has support for realms, which means we can create multiple realms in Keycloak, and each realm manages the data of its own environment only.
    So, using the realm feature, we can use the same Keycloak instance to isolate the data of different applications or clients.
    Gluu does not support realms, so if data isolation is needed in Gluu, one has to install a separate Gluu instance, which is quite a complex and time-consuming task. It is also not scalable if one has a large number of clients and applications that need data isolation.
  8. Themes
    There is always a need for a customized login page theme for each application and client.
    In Keycloak we can create customized themes at the realm level and also for each OpenID client in a realm.
    In Gluu Server, by contrast, we can only customize pages for the whole application. Multiple theme support is absent in Gluu.
    Supporting customized themes at these different levels makes Keycloak a better choice if user experience and UI are a concern.
  9. Admin Console
    The Keycloak admin console user interface is way better than the Gluu admin console.
    The Keycloak console is fast, responsive, and easy to use compared to the Gluu console.
  10. Community Support
    As we know, both applications are open source, so there is always good support we can expect from the open source community.
    Keycloak is part of Red Hat, which is being acquired by IBM. This has created quite a bit of uncertainty around the future of the product. But Keycloak is more widely adopted, so one can easily find an answer to any query.
    Gluu, on the other hand, is not as widely adopted as Keycloak, and for any query the only sources of information are the Gluu docs and the Gluu support portal.
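
Realm isolation from section 7, seen from the application side, as an added example that is not from the original post or from the Keycloak project: an application bound to one realm accepts only tokens issued and signed by that realm. The realm names, keys, and helper functions are constructed for illustration; HS256 from the standard library stands in for Keycloak's default RS256 realm keys, and the `/auth` base path assumes the legacy `standalone.sh` distribution.

```python
import base64, hashlib, hmac, json, time

# Assumption: legacy standalone.sh distribution on localhost:8080, realms under /auth.
BASE = "http://localhost:8080/auth"

def issuer(realm: str) -> str:
    """Each realm is a separate OIDC issuer with its own signing keys."""
    return f"{BASE}/realms/{realm}"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, realm_key: bytes) -> str:
    """Constructed stand-in for a realm's token endpoint (HS256, not Keycloak's RS256)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(realm_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_for_realm(token, realm, realm_key, audience, now=None) -> dict:
    """Return the claims only if the token was issued by `realm` for `audience`."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        signature, alg, iss = _unb64(sig), header["alg"], claims["iss"]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected algorithm")
    expected = hmac.new(realm_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature not from this realm's key")
    if iss != issuer(realm):
        raise ValueError("issuer is a different realm")
    aud = claims.get("aud")
    if audience not in ([aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []):
        raise ValueError("token not meant for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-hr-key"  # constructed sample key
    tok = mint({"iss": issuer("hr"), "aud": "hr-portal", "exp": time.time() + 60}, key)
    print(verify_for_realm(tok, "hr", key, "hr-portal")["iss"])
```

With a real Keycloak realm the signature check uses the realm's published public keys instead of a shared secret, and the audience check assumes the client id appears in `aud` (an ID token, or an access token with an audience mapper).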

Conclusion

Both applications have some similarities, and each has its own pros and cons.
If you ask me which one I would choose to develop my application's authentication module, I would go for Keycloak. My reasons for choosing Keycloak are easy installation, realm support, multiple theme support, better community support, relational database support, etc.

In the end it totally depends on your requirements.

I hope this article helps you get some understanding of IAM apps and compare two popular IAM solutions available on the market.
