
List of major open source SAML implementations

We often get asked about other open source SAML implementations. Here are some SAML IDPs and brokers (SPs) that you should know.
Ned O'Leary
Cofounder and CEO, SSOReady

List of open source SAML implementations

Open source SAML identity providers

Shibboleth as a SAML IDP (link)

The Shibboleth Consortium makes a couple of different products. They’ve been around for more than 20 years.

Their identity provider product is most commonly used in higher education, e.g. at UChicago, Stanford, and Oxford. The product really does work – I’ve used it myself. It comes with compatibility for some less popular features, e.g. single sign-on via CAS. It has decent documentation. It works really nicely with Windows. Most importantly, though, Shibboleth’s probably not going anywhere.

At the same time, Shibboleth’s a little bit clunky both for end users and for deployment. There’s a bit of a weird maze of dependencies you’ll have to navigate at the start. I think this challenge shows in The Consortium’s relative lack of growth over the past few years.

If you’re a big organization looking for a proven solution for the long haul, Shibboleth might be a good option. It’s probably not a fit if you’re looking for something simple.

Authentik as a SAML IDP (link)

Authentik’s a pretty new player. The project has existed since 2018, and the company now behind Authentik has only been around since 2022.

Here’s what’s really great about Authentik: you can spin up an Authentik instance on localhost in 2-3 minutes. It really is easy to get started.

They’re also pretty transparent and seemingly committed to open source. Like us, they’ve put their product on an MIT license and have made the enterprise product source-available.

Authentik has all of the core features you’d normally want. You can get SAML, SCIM, and OAuth. You can get identity federation support. It also comes with some extras like authentication flows and policies. I’m not entirely sure whether they’ve built out every enterprise feature you could reasonably need. It’s not the simplest product in the world – it feels like it’s been built for relatively technical users – but it’s not too overwhelming either.

If you’re a developer, it’s probably a solid option!

Keycloak as a SAML IDP (link)

Keycloak’s an open source project from the Cloud Native Computing Foundation, which is a Linux Foundation project. It’s been around since 2014, and it’s become relatively well-known among developers.

Like Authentik, it’s pretty easy to get started with Keycloak via Docker. It’ll nudge you into a simple onboarding flow that makes you set up some users, and you’re done within a few minutes.

Keycloak comes with the features you’d expect. You can use Keycloak for single sign-on via either OpenID Connect (OIDC) or SAML. You can use it for identity federation. Keycloak comes with some nifty AD/LDAP support, meaning you can pull user data in from different directories that you might be using.

This is definitely a product for developers. Keycloak has its strengths, but it’s not the most intuitive product (not that many commercial IDPs are themselves especially intuitive). The project has decent documentation, although there’s some room for improvement. Whoever’s responsible for keeping Keycloak running probably needs a decent amount of technical skill (and time). It’s something to bear in mind if you’re planning on using this for a business.

Open source tools for SAML service provider implementation

Keycloak as a SAML SP (link)

You can actually use Keycloak to accept SAML logins! It’s pretty neat. Keycloak offers a lot of flexibility. You can even use Keycloak to show a login page in the user interface of your application.

Here again, though, I wouldn’t consider Keycloak especially approachable. There’s an awful lot that you’ll have to understand to use Keycloak as a SAML intermediary. We find that users generally want something a little simpler. Like Keycloak, Authentik can act as an identity broker, helping you offer SAML logins to your customers.

Zitadel as a SAML SP (link)

Zitadel’s a young company that offers managed authentication products. Like Keycloak, Zitadel can handle SAML logins.

I’m not especially familiar with their product, and I expect this post will outlive any commentary I provide. I do personally find their documentation somewhat incomplete, but this may just reflect their product growth and may not be relevant in the future.

Apache Syncope as a SAML SP (link)

You could try out Syncope. It’s a bit of a holistic enterprise identity management product. It apparently does support SAML logins. I have not used this project myself, so I’ll reserve comments. I’ll just say that Syncope seems to do an awful lot of stuff. If you’re reading a blog post like this, it’s probably not a great fit for you. I don’t personally see significant advantages to using this product.

SSOReady (link)

This is us! We think we make the easiest-to-use tools to help developers offer SAML SSO in their apps. It’s just two endpoints to start offering SAML logins. We put our software on an MIT license. Come try it out!

Open source SAML debugging tools