Nitin Sanghi

Reputation: 31

Centralized Authentication Server OpenAM vs FreeRadius

The basic requirement is to centralize the authentication and authorization of multiple SaaS applications to ease development (each SaaS application using minimal code to authenticate against a single source) and when necessary provide SSO. The authentication mechanism must handle the following options available to the user:

  1. Use Third Party Authentication -- Google
  2. Use our centralized authentication
  3. Use the corporate provided authentication (ADFS)

In my research, I have found many, many ways this can be done and have found OpenAM to be the most complete solution, but then I came across FreeRadius which could also be used.

My questions are:

  1. There seems to be a plug-in for each tool where one can use the other together (OpenAM - authenticate against radius server), but is there any use case where FreeRadius would be preferred as the SOLE authentication server over OpenAM?

  2. Does OpenAM require that a web agent be installed for the server? If all I am doing is serving a RESTful interface (developed in Node.js), is it possible to authenticate users without installing a web agent (there is no web agent for Node.js)?

  3. Can I pass user credentials from Browser -> Server (node.js) -> OpenAM, thereby not giving the user the OpenAM login screen? The OpenAM token will be passed from OpenAM -> Server -> Browser (setting the cookie's origin as the SaaS application). That is, each SaaS application server will serve as a "proxy" for user management (authenticate, authorize, and manage [create|update|delete] users).

Thank you

Upvotes: 3

Views: 3093

Answers (3)

Shōgun8

Reputation: 562

I am looking into the solution for a similar requirement myself, but I am looking to integrate 2FA as well. I have seen so many different solutions, but haven't pinned down the best one yet. Here is what I have come up with so far:

  1. RCDev OpenID seems to be pretty comprehensive, and it is free for cases with less than 40 users.
  2. Green Rocket's GreenRADIUS is expensive, but they have plugins for every scenario and it can work.
  3. Red Hat's Keycloak could be used in combination with TACACS+ or FreeRADIUS to accomplish this.

Upvotes: 0

Darrell O'Donnell

Reputation: 596

I'm early to the Open Identity Stack game but I am deploying an OpenAM (and OpenIDM + OpenDJ) based solution to handle exactly the solutions you mention.

Direct answers:

  1. As far as handing sole authentication over to FreeRadius I don't see why you would want to but anything is possible. Given your mention of the multiple directories (identity sources - google, ADFS, and your centralized authentication) I would think hooking up OpenAM to provide the RADIUS authentication (i.e. OpenAM RADIUS hook, not FreeRadius) would make sense.
  2. No, a web agent doesn't have to be applied but it may make sense. There are some node.js pieces to help (https://github.com/alesium/node-openam). You just need to talk from your server to the OpenAM side (REST) and that should be good.
  3. You can do that or you can just skin the OpenAM login screen to look like your own. I'd suggest the latter as you're then relying on OpenAM for the login screen security. If you're doing a pure proxy then you take that burden on. Your call as a design decision obviously.

Good luck!

Upvotes: 1
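
The server-to-OpenAM REST call discussed in points 2 and 3 of the answer above, as an added example that is not part of the original answer or of the node-openam project. It assumes OpenAM's `/json/authenticate` REST endpoint with the `X-OpenAM-Username` and `X-OpenAM-Password` headers; the host `openam.example.com`, the cookie name `app_session`, and the function names are hypothetical.

```javascript
// Added example (not from the original answer). Assumed: OpenAM's REST
// /json/authenticate endpoint, a placeholder host, cookie name "app_session".

// Build the server-to-OpenAM call; credentials go in headers, never in the URL.
function buildAuthRequest(baseUrl, username, password) {
  const url = new URL('json/authenticate', baseUrl.endsWith('/') ? baseUrl : baseUrl + '/');
  if (url.protocol !== 'https:') throw new Error('OpenAM must be reached over HTTPS');
  for (const v of [username, password]) {
    // Reject empty values and CR/LF so browser input cannot inject HTTP headers.
    if (typeof v !== 'string' || v === '' || /[\r\n]/.test(v)) {
      throw new Error('invalid credential');
    }
  }
  return {
    url: url.toString(),
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-OpenAM-Username': username,
        'X-OpenAM-Password': password,
      },
      body: '{}',
    },
  };
}

// Turn OpenAM's reply into a cookie scoped to the SaaS application's own origin.
function sessionCookieFromResponse(status, bodyText) {
  if (status !== 200) return null; // e.g. 401: fail closed, echo no details
  let tokenId;
  try {
    tokenId = JSON.parse(bodyText).tokenId;
  } catch {
    return null;
  }
  if (typeof tokenId !== 'string' || tokenId === '' || tokenId.length > 2048) return null;
  // Encoding keeps ';' or '=' in the token from adding cookie attributes.
  return `app_session=${encodeURIComponent(tokenId)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// transport is fetch-compatible and injectable so the flow can be tested offline.
async function login(baseUrl, username, password, transport = globalThis.fetch) {
  const { url, options } = buildAuthRequest(baseUrl, username, password);
  const res = await transport(url, options);
  return sessionCookieFromResponse(res.status, await res.text());
}
```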

Bernhard Thalmayr

Reputation: 2744

You're comparing a RADIUS server with a Web SSO solution ... I'm not sure if this makes sense.

It seems FreeRadius does not have that many 'auth backends' (like OAuth to leverage Google Auth).

Upvotes: 0
