Identity Management, also known as Identity and Access Management (IAM), must not only support the basic ability to authenticate and authorize user access to an organization’s resources, but must also evolve to scale to the exponential growth of identities associated with applications. In this blog, we will compare the capabilities of two open-source Identity providers (IdPs): WSO2 Identity Server and ForgeRock.
WSO2 Identity Server provides a single component to configure all the features, whereas ForgeRock spreads similar features across three different products: Access Management, Identity Management and Directory Services. For the sake of simplicity, we refer to these three individual ForgeRock products as one, named just ‘ForgeRock’, in the comparison below.
Feature overlap
As both products are geared toward the same goal there is of course a lot of overlap between them.
- Single Sign-On: This feature lets a user sign in with a single ID to any of several related, yet independent, software systems. Both products support SSO through SAML and OpenID.
- Multi Factor Authentication (MFA): MFA is an authentication method where a user is granted access only after two or more authentication steps. Generally, a basic username/password check is the first step, followed by one or more further authentication steps. There are multiple MFA methods, such as certificate-based authentication, SMS-based authentication with Twilio, Google Authenticator (TOTP), RSA SecurID, FIDO U2F, biometric authentication and mobile push-based authentication. They are all supported by both products.
- Adaptive Authentication: During the login process, based on user attributes and various risk factors (such as a new device or a new geo location), a user might be forced to pass through additional authentication steps. WSO2 Identity Server supports script-based Adaptive Authentication, and ForgeRock supports it through its Adaptive Risk module.
- Authorization: an XACML 3.0 capable engine is used by both products to authorize end users. Both products support Role Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). However, WSO2 IS strictly sticks to XML-based policies, whereas ForgeRock supports both XML- and JSON-based policies.
- User Management: Both products provide standard support for account lifecycle management beyond account setup and approval mechanisms. Some key features supported by both are self-registration, password recovery, username recovery, password policies and account email verification.
- User Managed Access (UMA): UMA allows users to manage how their own data is shared and used in a standard way. The latest version, UMA 2.0, is supported by both products.
- User-Stores: Both WSO2 Identity Server and ForgeRock support JDBC- and LDAP-based user store types.
- Identity Federation: Both products support industry-standard federation to external IdPs using SAML/OpenID Connect with user attribute mapping.
- Identity Provisioning: Creating users on the fly during authentication is known as Identity Provisioning. ForgeRock and Identity Server both support both inbound Identity Provisioning
- Multi-tenancy: Multi-tenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated. Both products have strong and robust support for multi-tenancy.
- Deployment Model: Both products support On-Premise, Cloud and Hybrid architectures.
- Identity-Synchronization: The ForgeRock Identity-Synchronization module can synchronize identities between multiple sources such as Active Directory, ForgeRock DS, a CSV file or a JDBC database. WSO2 Identity Server provides Identity-Synchronization through SCIM.
- Legal: Both products support industry-standard regulatory frameworks such as GDPR, PSD2, HIPAA etc.
- Support: Both products have very good product-support responsiveness.
Feature differences
Both products overlap in almost all the features listed here. However, there are differences, in some cases small and in some cases fundamental. Below are the differences in features between the two products.
- WorkFlow Engine: WSO2 Identity Server comes with an integrated BPEL-based workflow engine, whereas ForgeRock comes with an embedded Activiti engine that supports BPMN 2.0. However, an external BPS can always be attached to WSO2 Identity Server for more complex workflows.
- Directory Service: ForgeRock’s production-ready LDAP server implementation, which is robust and highly scalable. WSO2 Identity Server comes with an embedded LDAP server which fits POC purposes well, but Yenlo does not advise using it in production.
- Password-Synchronization: The ForgeRock Identity-Synchronization module can synchronize passwords from multiple sources such as Active Directory, ForgeRock DS, a CSV file or a JDBC database. WSO2 Identity Server can only synchronize identities, not passwords.
- Identity-Synchronization Approach: ForgeRock supports two types of identity synchronization:
  - Reconciliation: a heavy-weight process of bidirectional synchronization of identity objects between different data stores.
  - LiveSync: relies on a change log on the external resource to determine which objects have changed.
  WSO2 Identity Server only supports on-demand identity syncing through SCIM.
- Authentication Flow GUI: ForgeRock has a robust GUI supporting the design of an authentication flow. In WSO2 Identity Server knowledge of JavaScript is required to build an authentication flow, although support for this through a GUI is in the future roadmap.
- Supported Connectors: WSO2 Identity Server has more than 32 connectors for third party authentication systems and ForgeRock supports 18 connectors.
- Customizing GUI: Customizing the GUI, such as the end-user login page, is more difficult in WSO2 Identity Server than in ForgeRock.
- Eco System: WSO2 has a stronger overall middleware ecosystem. WSO2 offers API Management which can be coupled with its Identity Server; it is regarded as a visionary in the Gartner Magic Quadrant and named a leader by the Forrester Wave. Although it is out of scope for this comparison, WSO2 API Manager is an open-source solution that supports API publishing, lifecycle management, application development, access control, rate limiting and analytics in one cleanly integrated system. ForgeRock has an API Security Gateway which acts as a secure proxy.
Price strategy
Now that we’ve had a look at the product features, it’s time to walk through the pricing strategies of each of these products.
Non-commercially / Proof of Concept (PoC)
Both products are completely free to use in a non-commercial setting or for a proof of concept.
Self-hosted
| Type | Costs – WSO2 | Costs – ForgeRock |
|---|---|---|
| Non-commercial use – full product | Free – forever | Free – forever |
| Commercial self-hosted | WSO2 Identity Server offers an annual subscription based on cores. | ForgeRock Identity Platform doesn’t reveal its enterprise pricing details. Contact the vendor for a custom price quote. |
Conclusion
As we can see, the products above are very similar in their IdP functionality and both are enterprise-grade IdPs. WSO2 Identity Server is also a Product Leader as indicated by the KuppingerCole Leadership Compass for Access Management and Federation, 2019, whereas ForgeRock is used in various high-performance enterprise-grade IdP platforms.
To make a solid choice of an Identity & Access Management provider, download our Identity & Access Management Selection Guide.