Get the book about IAM today!

Learn how to use open source software to deploy an enterprise-grade identity system.

Get the book about IAM today!

Gluu Server

Central authentication & authorization
for web and mobile applications.

Open source IAM

Sync backend identities, leverage external IDPs, and achieve SSO, 2FA and more with the Gluu Server.

Read the Docs
Web Apps
Native Apps
External IDPs
(SAML, OpenID, Social)
Certified OpenID Provider (OP) for web & mobile SSO.
Authentication middleware for inbound identity.
SAML Identity Provider (IDP) for web SSO.
Directory service to store Gluu-related data.
UMA Authorization Server (AS) for web & API access management.
2FA Service
Active Directory or LDAP Server
IDM Platform

Feature-rich

Deliver a mission critical single sign-on (SSO) and two-factor authentication (2FA) service for applications and APIs.

  • Single Sign-On

    Offer secure single sign-on (SSO) across OpenID Connect, SAML and CAS web & mobile applications.

    Read more

  • Two-Factor Authentication

    Support a variety of 2FA mechanisms and business logic to enforce strong security everywhere.

    Read more

  • Access Management

    Secure APIs and centrally manage who can access which resources across your digital kingdom.

    Read more

  • Identity Management APIs

    Provision and de-provision users in the Gluu Server with standard identity management APIs.

    Read more

  • Directory Integration

    Bridge existing Active Directory and LDAP identity systems to give apps secure access to user data.

    Read more

  • Fast Deployment

    Linux packages for Ubuntu, CentOS, RHEL, and Debian make installing Gluu fast & easy on any cloud platform.

    Install Gluu

Built to scale

Cluster Gluu across data centers and geographic regions to achieve high performance & high availability (HA).

100% Open web standards

Avoid vendor lock-in and promote interoperability across systems.

 

Example Duo 2FA Script 


                            # Below are snippets from an authentication script used by the Gluu Server to enforce two-factor authentication (2FA) using Duo Security.

import duo_web
import json

        if (step == 1):
            print "Duo. Authenticate for step 1"

            credentials = identity.getCredentials()
            user_name = credentials.getUsername()
            user_password = credentials.getPassword()

            logged_in = False
            if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
                userService = CdiUtil.bean(UserService)
                logged_in = authenticationService.authenticate(user_name, user_password)

            if (not logged_in):
                return False

            user = authenticationService.getAuthenticatedUser()
            if (self.use_duo_group):
                print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
                is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
                if (is_member_duo_group):
                    print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
                    duo_count_login_steps = 2
                else:
                    self.processAuditGroup(user)
                    duo_count_login_steps = 1

                identity.setWorkingParameter("duo_count_login_steps", duo_count_login_steps)

            return True
        elif (step == 2):
            print "Duo. Authenticate for step 2"
            user = authenticationService.getAuthenticatedUser()
            if user == None:
                print "Duo. Authenticate for step 2. Failed to determine user name"
                return False

            user_name = user.getUserId()

            sig_response_array = requestParameters.get("sig_response")
            if ArrayHelper.isEmpty(sig_response_array):
                print "Duo. Authenticate for step 2. sig_response is empty"
                return False

            duo_sig_response = sig_response_array[0]

        if (step == 1):
            print "Duo. Prepare for step 1"

            return True
        elif (step == 2):
            print "Duo. Prepare for step 2"

            user = authenticationService.getAuthenticatedUser()
            if (user == None):
                print "Duo. Prepare for step 2. Failed to determine user name"
                return False
            user_name = user.getUserId()

            duo_sig_request = duo_web.sign_request(self.ikey, self.skey, self.akey, user_name)
            print "Duo. Prepare for step 2. duo_sig_request: " + duo_sig_request
            
            identity.setWorkingParameter("duo_host", duo_host)
            identity.setWorkingParameter("duo_sig_request", duo_sig_request)

            return True
        else:
            return False

    def getExtraParametersForStep(self, configurationAttributes, step):
        return None

    def getCountAuthenticationSteps(self, configurationAttributes):
        identity = CdiUtil.bean(Identity)
        if (identity.isSetWorkingParameter("duo_count_login_steps")):
            return identity.getWorkingParameter("duo_count_login_steps")

        return 2

    def getPageForStep(self, configurationAttributes, step):
        if (step == 2):
            return "/auth/duo/duologin.xhtml"
        return ""

    def logout(self, configurationAttributes, requestParameters):
        return True

    def isUserMemberOfGroup(self, user, attribute, group):
        is_member = False
        member_of_list = user.getAttributeValues(attribute)
        if (member_of_list != None):
            for member_of in member_of_list:
                if StringHelper.equalsIgnoreCase(group, member_of) or member_of.endswith(group):
                    is_member = True
                    break

        return is_member

    def processAuditGroup(self, user):
        if (self.use_audit_group):
            is_member = self.isUserMemberOfGroup(user, self.audit_attribute, self.audit_group)
            if (is_member):
                print "Duo. Authenticate for processAuditGroup. User '" + user.getUserId() + "' member of audit group"
                print "Duo. Authenticate for processAuditGroup. Sending e-mail about user '" + user.getUserId() + "' login to", self.audit_email
                
                # Send e-mail to administrator
                user_id = user.getUserId()
                mailService = CdiUtil.bean(MailService)
                subject = "User log in: " + user_id
                body = "User log in: " + user_id
                mailService.sendMail(self.audit_email, subject, body)

Fully customizable

Script dynamic, run-time logic for many aspects of your IAM service, including authentication, authorization, user consent and more.

Let’s discuss your project

Schedule a call to share your requirements and learn how our products and services can help secure your organization.

Schedule a Call

Get News and Product Updates