Douze Bé edited this page 2026-01-07 13:09:26 +00:00

Identity and Profile Managers criteria

  • Free libre open source
  • Mature, stable, security-oriented, actively developed and well supported by a good community
  • Lightweight
  • All-in-one app, simple to use and to administer
  • MFA auth (password + OTP code, for example)
  • Passkey auth (fido2/WebAuthn compatible)
  • Login web page
  • User self registration web interface
    • can be enabled/disabled by admin
    • bot protection
  • User profile self modification web interface
    • can change display name
    • can change email (with email verification)
    • can change auth credentials (password, secondary factors, passkeys)
    • immutable user id
  • User portal
  • Secure password recovery
  • Admin web interface
    • Manage users and groups/roles
    • Manage client applications
    • Manage who can access what
    • Manage OIDC providers
  • Packaged for NixOS with full declarative configuration
    • Declarative configuration of admin user
    • Declarative configuration of email server
    • Declarative configuration of user self registration enable/disable
    • Declarative provision of OIDC clients
    • Declarative provision of users and groups/roles
    • Declarative configuration of user self modification
  • OIDC provider
  • OIDC client (to accept users from other OIDC providers)
  • Compatible with legacy apps that only support LDAP and not OIDC
  • Supported by a traefik plugin for
    • securing a web site that does not have any auth/privilege mechanism
    • securing a web app that is not compatible with OIDC or LDAP but that can use headers to get user/auth info
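The last criterion (a web app that reads user/auth info from headers set by the traefik plugin) has a security catch that the criteria list does not spell out: the app must only believe X-Oidc-* headers when the request really came through the proxy, otherwise anyone who can reach the app directly can forge any user. The "immutable user id" criterion matters in the same place: if the app keys its accounts on the username, a user who renames themselves in the identity manager gets a fresh account. The following is an added example (not code from this wiki, from traefik, or from any of the identity managers below) of an app-side check that addresses both points. The header names (X-Oidc-Subject, X-Oidc-Preferred-Username, X-Oidc-Email, X-Oidc-Groups) and the X-Proxy-Secret shared-secret header are assumptions; a real plugin's header names must be looked up in its documentation.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// Header names are assumptions: the wiki only says the plugin sets "X-Oidc-*"
// headers, so the exact names used by a given plugin must be checked.
const (
	hdrSubject  = "X-Oidc-Subject"            // OIDC "sub": unique and immutable
	hdrUsername = "X-Oidc-Preferred-Username" // may change if self-edit is enabled
	hdrEmail    = "X-Oidc-Email"
	hdrGroups   = "X-Oidc-Groups"  // assumed comma separated
	hdrProxyKey = "X-Proxy-Secret" // assumed shared secret injected by traefik only
)

var (
	ErrUntrusted = errors.New("identity headers did not come from the trusted proxy")
	ErrNoSubject = errors.New("missing " + hdrSubject + " header")
)

type Identity struct {
	Subject, Username, Email string
	Groups                   []string
}

// HeaderAuth trusts X-Oidc-* headers only when the request arrives from a
// trusted proxy network AND carries the shared secret. With only the CIDR check,
// another workload on the proxy network could forge identities; with only the
// secret, a leaked secret is enough. Both together are cheap defence in depth.
type HeaderAuth struct {
	TrustedProxies []*net.IPNet
	ProxySecret    string
}

func (h HeaderAuth) fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	trusted := false
	for _, n := range h.TrustedProxies {
		if n.Contains(ip) {
			trusted = true
			break
		}
	}
	if !trusted {
		return false
	}
	got := []byte(r.Header.Get(hdrProxyKey))
	return subtle.ConstantTimeCompare(got, []byte(h.ProxySecret)) == 1
}

// Identify extracts the user from the headers or refuses the request.
func (h HeaderAuth) Identify(r *http.Request) (Identity, error) {
	if !h.fromTrustedProxy(r) {
		return Identity{}, ErrUntrusted
	}
	sub := strings.TrimSpace(r.Header.Get(hdrSubject))
	if sub == "" {
		return Identity{}, ErrNoSubject
	}
	id := Identity{Subject: sub, Username: r.Header.Get(hdrUsername), Email: r.Header.Get(hdrEmail)}
	for _, g := range strings.Split(r.Header.Get(hdrGroups), ",") {
		if g = strings.TrimSpace(g); g != "" {
			id.Groups = append(id.Groups, g)
		}
	}
	return id, nil
}

// Accounts is the app-side user table, keyed by the immutable subject so that a
// username or email change in the identity provider updates the existing
// account instead of creating a second one.
type Accounts struct {
	mu   sync.Mutex
	byID map[string]*Identity
}

func NewAccounts() *Accounts { return &Accounts{byID: map[string]*Identity{}} }

// Upsert returns the stored account and whether it was newly created.
func (a *Accounts) Upsert(id Identity) (*Identity, bool) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if acc, ok := a.byID[id.Subject]; ok {
		acc.Username, acc.Email, acc.Groups = id.Username, id.Email, id.Groups // refresh mutable attributes
		return acc, false
	}
	cp := id
	a.byID[id.Subject] = &cp
	return &cp, true
}

func (a *Accounts) Len() int { a.mu.Lock(); defer a.mu.Unlock(); return len(a.byID) }

func mustCIDR(s string) *net.IPNet { _, n, err := net.ParseCIDR(s); if err != nil { panic(err) }; return n }

func main() {
	auth := HeaderAuth{TrustedProxies: []*net.IPNet{mustCIDR("127.0.0.1/32")}, ProxySecret: "change-me"}
	accounts := NewAccounts()
	http.ListenAndServe(":8080", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := auth.Identify(r)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		acc, _ := accounts.Upsert(id)
		fmt.Fprintf(w, "hello %s (sub=%s) groups=%v\n", acc.Username, acc.Subject, acc.Groups)
	}))
}
```

Run it behind traefik with the plugin configured to add the X-Oidc-* headers and a static X-Proxy-Secret header, with the app bound to a network only the proxy can reach; a request sent straight to port 8080 with hand-written X-Oidc-* headers gets 403. Binding the app only to the proxy network is still the primary control; the checks above are what keep a misconfiguration from becoming an authentication bypass.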

Identity and Profile Managers tests

  • pocket-id
    • packaged in nixpkgs
    • tested support by traefik plugin to secure apps that do not have any authentication mechanism.
      • ⚠️ but need to test again with better plugin config
    • tested support by traefik plugin to secure apps that can authenticate using X-Oidc-* headers.
      • ⚠️ but need to test again with better plugin config
    • Self registration of users (has to be enabled by admin), or creation of users by admin through web app
    • account/profile page for users to configure their password/otp/passkey/email?
      • ⚠️ if enabling self-account editing (which is desirable), users can also change their username, which could be a problem for applications if there is no other user claim that is unique and immutable. There is only an all-or-nothing admin setting for this.
    • lightweight, does the job, very simple
      • ⚠️ but maybe too simple, as only passkey auth is supported (auth by password + OTP is not possible)
    • ⚠️ Legacy apps that only support LDAP auth (e.g. jellyfin) can be integrated through an external LDAP. But in that case users can only be managed from the external LDAP, meaning admins will have to interact with 2 systems: one for the users and one for OIDC.
  • keycloak
    • packaged in nixpkgs
      • ⚠️ But not everything can be declaratively configured.
        • ⚠️ Actually needs quite a lot of manual configuration by an admin for most use cases (OIDC client, roles, passkey enabling, including roles in the id token, ...)
    • tested support by traefik plugin to secure apps that do not have any authentication mechanism.
    • tested support by traefik plugin to secure apps that can authenticate users using X-Oidc-* headers. (need to test again)
    • ⚠️ kind of bloated (Java) but does the job
    • Self registration of users (has to be enabled by admin), or creation of users by admin through web app
    • account/profile page for users to configure their password/otp/passkey/email
      • username seems to be immutable, which is good.
    • can legacy apps that only support LDAP auth (e.g. jellyfin) be integrated?
      • May need to manage users externally with an LDAP system for that
  • Kanidm
    • packaged in nixpkgs
    • Read-only LDAPS gateway for legacy systems
    • ⚠️ Adding passkeys disables password sign-in: mentioned on https://thinglab.org/2025/02/keycloak_to_kanidm/#kanidm-praise
    • User creation by admin only from the command line? (but could be declaratively provisioned also, so maybe not a blocker)
    • Need to test the "User Self Service via the WebUI" feature to check if it fulfils:
      • user registration form?
      • account/profile page for users to configure their password/otp/passkey/email?
  • Zitadel
  • Rauthy?
  • LemonLDAP?
  • Authelia?
  • Casdoor?
  • Ory
  • Authentik?