Gluu Blog


The Gluu Server vs. OpenAM (formerly OpenSSO)

Mike S. March 6, 2015


Lately we’ve been getting a lot of questions about the differences between ForgeRock’s OpenAM product and the Gluu Server. We’re good friends with the people at ForgeRock (FR) and we know they’re going to be super successful. IAM is a big market and there’s room for many companies and products. Also, if your field is too small, you have no one to have a conference with!

To help distinguish the Gluu Server from OpenAM, the following considerations should be taken into account.

Free Open Source

If you want to use free open source software (FOSS), then there is no question that you want the Gluu Server.

My best interpretation of FR’s policy on open source releases is that they have nightly builds, and they release buildable code from time to time. For example, although ForgeRock’s OpenDJ install page guides you to download 2.7.0, at the time of this writing I don’t see a tag for it on their continuous integration server.

In addition, building from the open source is very difficult. If you use FR’s binaries (.rpm and .deb files), you must accept their license, which states that if you put the bits into production you must pay the enterprise license fee. Of course, open source doesn’t mean free… and FR is really neither: 1) it’s priced like enterprise software, and 2) if you really want FOSS, I’d suggest doing your own due diligence. The Open Source Initiative guidelines are a good place to learn what constitutes free open source, and may raise some questions about some of FR’s software releases.

The components of the Gluu Server are all free open source. That means there is never any fee to use the bits, even if you use our .deb or .rpm binary installation packages. And the current code is always available on GitHub.

Open Standards

The other thing to consider is the use of open standards. If you are using open source technology but are locked into proprietary APIs, switching and integration costs are high. For this reason the Gluu Server uses only standard APIs, such as SAML, OpenID Connect, UMA and SCIM. OpenAM also implements SAML, OpenID Connect and UMA, but of course you have to be careful to use only those components (and not, for example, the old web agents).

Technical Considerations

Technically speaking, the Gluu Server is less complex and easier to manage and customize than OpenAM. OpenAM was designed in the early 2000s, and it’s starting to show its age. This blog post from Radovan Semancik, one of FR’s competitors for the OpenIDM product, is biased, but one has to wonder if there is some truth in it.

Based on my experience as a user of CA SiteMinder, IBM TAM, RSA ClearTrust, and Sun OpenSSO, the Gluu Server has a superior approach to user authentication. Through the use of custom interception scripts, the Gluu Server can easily handle any multi-step workflow you can imagine. The Gluu Server has deep support for SAML and OpenID Connect. And we can explain how it works to system administrators, not just Java gurus. In short, if you use the Gluu Server, your server admins will thank you for years to come.

Web & API Access Management

On authorization, the Gluu Server implements the OAuth2 UMA protocol for centralized access management. This makes it easier to use the Gluu Server as the PDP if you have custom applications or native applications (mobile / desktop). However, for Web Access Management (WAM), Gluu is still perfecting the Apache HTTPD and nginx filters. These may take another 60-90 days to make an initial release for UMA 1.0.

Even ForgeRock realizes that UMA is the authz protocol of the future, which is clearly one of the reasons they hired Eve Maler. However, how long it takes them to upgrade OpenAM to really integrate UMA is up for debate. They have incorporated some UMA code, but without good conformance testing, it’s hard to say how much, or what parts of the specification, they’ve implemented. In my opinion, ForgeRock has been slow to innovate OpenAM, bogged down by an old 2000s design, feature creep, and lots of legacy code to regression test. So it may take some time for the UMA-ization of OpenAM, and I think Gluu’s fresh start, where we assumed UMA from the ground up, is an advantage for the Gluu Server.

In Conclusion…

If you have a large organization, implementing a great Identity and Access Management platform is an expensive undertaking. There are many business, devops, and application integration questions you must consider. In the long term, the cost of operation and the cost of incremental integrations have the biggest impact. In this regard, it’s our belief that Gluu’s business model, where we make sure there is free open source software that can be used in production, will drive down the long-term cost of resources and help us reduce Gluu’s total cost of ownership.

As an open source company, Gluu is also able to obtain funding from the government to introduce new features; for example, see details of our recent inclusion in an NSTIC grant. In addition, Gluu is able to crowdsource the review of our code for security vulnerabilities and features.

We hope this helps you in your evaluation of access management tools. If you’re considering either ForgeRock or Gluu, odds are you’re on the right path. For a more comprehensive analysis of Gluu vs. a wider set of identity and access management competitors, see the Gluu competition matrix, or schedule a meeting with us!


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.