

This page is a draft (proposal) of the final ecosystem concept. It is being discussed on the identity ecosystem mailing list (

Technology Stacks

Jack of all trades, master of none.

Identity and Access Management is a very broad field that spans diverse requirements, environments and technologies: from the Internet to the enterprise, from the mainframe to a mobile device, from long-term employees to ephemeral semi-anonymous identities. It is almost impossible for a single technology to address all the identity-related challenges. Even the big technology stacks fail miserably in this field. Many "big" solutions deliver a sub-ideal result and provide it at a very high price. The one-size-fits-all approach does not work.

Vendor lock-in is also a severe problem. Technology stacks are only rarely open to efficient integration with alternative products. Replacing a single problematic component of a technology stack is also usually impractical. A single rotten apple often spoils the entire batch.


We can't solve problems by using the same kind of thinking we used when we created them.

– Albert Einstein

We have chosen a very different approach. Instead of building a huge monolithic technology stack we have opted for a more dynamic solution. We are part of an ecosystem: a group of loosely coupled solutions that are tuned to work together well. The components of the ecosystem are maintained by independent organizations and authors. Each contributor is an expert in its own field, and a solution combined from the ecosystem's components provides features and qualities that are difficult to compete with.

Identity ecosystem diagram

Please note that this picture does not provide a complete view of the ecosystem components. It is for illustration purposes only. Some components may be missing and some details may be simplified for clarity. Please see List of Identity Ecosystem Members for more details.

The ecosystem is not a stack. It is much more than a stack. There are several components to choose from for each particular deployment. This is required, as one size does not fit all. There is an overlap of component features in the ecosystem. This overlap is there by design. Individual components are designed to be efficient in slightly different environments and situations. The engineer who designs a solution using the ecosystem can choose and match the components to create an efficient solution. Engineers choose the right tools for the job from their "toolbox" of ecosystem components. Those engineers usually work in system integration companies that have the experience to integrate and tune a specific solution for a specific need. This provides a guarantee that the resulting solution is well fit for its purpose. The solution consists of components that are created by the experts in each particular field and can therefore provide the best possible mechanisms for each component. And as the solution contains only the components that are required to do the job, it is also cost-efficient.

Open Source and Freedom of Choice

... as we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously.

– Benjamin Franklin

The ecosystem is focused mostly on open source software, as we believe that there are strong arguments in favour of this approach. Open source gives visibility. The software is open to many eyes and therefore to many ideas for improvement. The quality of the product can be closely inspected and it cannot be easily manipulated by marketing campaigns. Open source provides the freedom to quickly fix a problem instead of waiting for weeks for a response from a third-level support team. Open source makes it possible to adapt and customize the software to address real needs. We cannot imagine how we managed to live in a world without open source software before.

The ecosystem also goes a step beyond. The ecosystem is not closed. Any other component can be "connected" to the ecosystem. There is no exclusivity in the ecosystem. The ecosystem can support even products that are directly competing. It is up to the system integrators to choose what is suitable and appropriate for a specific solution.

There is no vendor lock-in in the ecosystem. If one component is found to be problematic, it can be replaced with another component without the need to rework the whole solution from the ground up. The open source character is a great tool for avoiding vendor lock-in even for critical solution components. If a maintainer of a component does not do its job properly, another team can take over by creating a "fork". This creates an alternative version of the component. The ability to "fork" also provides a good guarantee of continuity. If the original component maintainer is no longer able to maintain the component, then anybody can "fork" it and continue the development. Both of these cases have already happened in the open source world. This kind of assurance is not realistically possible with closed technology stacks.

Integration and Support

In theory, there is no difference between theory and practice, but in practice there is a great deal of difference.

It is one thing to get a handful of best-of-breed components. It is a very different thing to make them work together. We know that all too well. Therefore the components of the ecosystem are pre-integrated. The components were tested to work together in typical scenarios, so we know that they can work together well. However, we are more than aware that reality always has surprises and that not all scenarios can be tested. Therefore each project that takes part in the ecosystem has agreed to provide full assistance in addressing integration issues with any other component. An engineer can choose individual components and create a fully supported solution even for situations that are quite distant from typical scenarios.

System integrators play a crucial role in the ecosystem. System integrators deliver a specific solution built from the components. Although the components are pre-integrated, it is typical that many of them need to be configured or customized. System integrators make sure this works out well using their skills, experience and support from the component authors. The open source character of the products provides a great advantage in this task. System integrators do not depend on the original authors to make adjustments, temporary fixes or customizations. This makes the whole deployment process faster, more cost-efficient and less frustrating.

Other companies may use the products to provide services. For example, a cloud-based identity management solution may be built from the ecosystem components. The components may be used inside a larger service for which identity management is only a small but important part. Yet other companies may offer integrated and pre-installed solutions ("identity in a box"), pre-configured virtual machine images, pre-customized solutions, etc. The possibilities are countless. The open source character of the components is also a crucial advantage here. The open source licences do not prohibit adaptation or modification of the components.

The ecosystem has the potential to be much better than technology stacks when it comes to the quality of the final result. Technology stacks are often composed of bits and pieces that were gained through mergers and acquisitions. Such components are rarely technologically coherent and need to be re-engineered considerably to work together well. Painting them in one company's colour changes very little when it comes to the technology. It is even very difficult to find out what the individual components of such a stack are, how they work and how much they are really integrated. The ecosystem, on the other hand, has visibility. Each individual component can be closely inspected before it is decided to use it in the solution. The integration scenarios and limitations are clearly documented. The critical parts of the solution can be prototyped and tested, components can be replaced as needed and the solution may address real needs.

Business and Funding

There's no such thing as a free lunch.

The identity ecosystem is similar to natural ecosystems. The one who provides value thrives. It is in the interest of all participants to make sure that components that provide value are well funded. This ensures continuous and sustainable development. All the money goes to system integrators and service providers. The system integrators and service providers spend part of the money on support services, training and consultations from component authors. Therefore the money goes to the people who actually do the work, and it is distributed in a free-market fashion based on component usage.

Current State and Plan for Action

Rome was not built in a day.

The ecosystem is both a vision and a reality.

The products are there. There are also a lot of solutions where these products have already been integrated. The technology works surprisingly well. Every open source engineer knows this very well.

The set of ecosystem members is increasing. The ecosystem is growing.

If you are part of a team or company that is willing to take part in the ecosystem, do not hesitate to contact us. This is open to anyone. We are looking for:

  • Projects creating and maintaining open source identity and access management software
  • System integrators that are willing to create IAM solutions using open source software
  • Service providers that are building identity-based services using open source software

See Also

