Limitations of Migrating from OpenMRS ID to a new SSO System

Hello there,

In the past few days, I have been going through this task, and here are my findings:

OpenMRS has approximately 12,000 user accounts, but the majority of them are inactive. We expect a maximum of 4,000 active users at peak usage, so the IDP should be able to support this number of users. Moreover, the pricing should be manageable for OpenMRS to afford.

Another requirement is that the IDP should support a mechanism to export the user base in case it is needed for migration purposes. Additionally, it should support login from unverified domains.

Identity Providers listed by Atlassian

After conducting research on various identity providers, the following information was found regarding their pricing:

Note: Atlassian currently does not support unverified domains. Therefore, using the identity providers listed directly may not help. Atlassian has mentioned that they are working on supporting external users here, but there is no clear expected date. However, they have mentioned the feature is available for workspaces with early access here.

Auth0

  • Pricing: $1420/mo (7000 users)
  • Discount: 50% discount available for non-profit

Azure AD

  • Pricing: $6/user/month
  • Discount: No discounts available

Cyberark

  • Pricing: $3/user/month
  • Discount: No mention of discounts for open-source projects on the document

Google Cloud Identity

  • Pricing: $6 USD per month
  • Discount: No mention of discounts for open-source projects on the document

JumpCloud

  • Pricing: Starts at $4/user/month
  • Discount: No mention of discounts for open-source projects on the document

Okta

  • Pricing: Starts at $2/user/month
  • Discount: No mention of discounts for open-source projects on the document

OneLogin

  • Pricing: Starts at $2/user/month
  • Discount: No mention of discounts for open-source projects on the document

Ping Identity

  • Pricing: No publicly available pricing
  • Discount: No information available on discounts for open-source projects

Here’s a summary:

Identity Provider       Pricing                          Price per User                   Discount for Open-Source
Auth0                   $1420/mo (7000 users)            $0.203/user/month                No (50% for nonprofits)
Azure AD                $6/user/month                    $6/user/month                    No
Cyberark                $3/user/month                    $3/user/month                    No
Google Cloud Identity   $6 USD per month                 $6 USD per month                 No
JumpCloud               Starts at $4/user/month          $4/user/month                    No
Okta                    Starts at $2/user/month          $2/user/month                    No
OneLogin                Starts at $2/user/month          $2/user/month                    No
Ping Identity           No publicly available pricing    No publicly available pricing    No

Keycloak

To gain a better understanding of the fundamental concept tied to the task, I configured Keycloak with our LDAP.

Fortunately, I was able to connect Keycloak with LDAP successfully. To provide a reference for others, I created a dev environment and pushed it to GitHub. You can access it via GitHub - jayasanka-sack/openmrs-keycloak-ldap.

Below are some screenshots of the setup:

[Screenshot of the Keycloak LDAP setup]

The next step is to explore other self-hosting options for Keycloak in order to select the best solution that is compatible with our needs and has higher security.

Email Redirection

As Atlassian cloud does not support unverified domains, the only viable solution would be to introduce an email alias. This has been discussed here: GSoC 2023: Limitations of Migrating from OpenMRS ID to a new SSO System - #27 by cintiadr

I reviewed possible solutions and here are my findings:

Postfix

Postfix is a popular mail transfer agent that can be used for email redirection. It is free and open-source software that runs on various operating systems. With Postfix, we can configure email forwarding rules based on the sender, recipient, subject, and other criteria. Therefore, we can easily forward emails that are sent by Atlassian. Some advantages of using Postfix for email redirection include:

  • It is free and open-source software.
  • It provides advanced customization options for email redirection.
  • It does not have a pricing model since it is open-source software.

Based on our previous discussions regarding the requirement to restart the service after adding an alias, I have discovered that it is not necessary to do so. By executing the “reload” command, Postfix will re-read its configuration files and apply the changes without requiring a full restart. This allows us to add new users or modify existing configurations without interrupting the email service.

One downside is that emails may end up in spam. Therefore, we need to properly configure the service to avoid this.

Cloudflare Email Redirection

Cloudflare offers email redirection as part of their Cloudflare Pages service. However, it appears that the service is still in its beta stage. You can read more about this on their blog post, Email Routing leaves Beta.

Alternatives

Alternatives to Postfix include using a mailing service such as Mailgun or Sendgrid. Prices usually range from $35 per 100,000 emails per month. Since Jira and Confluence send email updates to users frequently, we might need a higher quota.

What’s next?

First, I need your input on the above findings.

Meanwhile, I’ll look into the following:

  1. Research other viable alternatives to Keycloak.
  2. Connect JIRA Cloud with SAML and test the integration.
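The alias-plus-reload workflow described in the Postfix section above, as an added example that is not part of the original post or the openmrs-keycloak-ldap repository. It assumes a Postfix virtual alias map (the standard `virtual_alias_maps = hash:/etc/postfix/virtual` setting), a placeholder alias domain `sso-alias.example`, and a constructed list of two sample users; the script validates each generated map entry before it is written, and only invokes `postmap` and `postfix reload` when Postfix is actually installed, so the build and validation steps run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): generate a Postfix virtual alias
# map that forwards Atlassian-facing addresses on an alias domain to each
# user's real mailbox, then apply it with "postfix reload" instead of a restart.
#
# Assumptions (placeholders, not from the page):
#   - main.cf contains:  virtual_alias_maps = hash:/etc/postfix/virtual
#   - ALIAS_DOMAIN is the domain Atlassian will see for every user
#   - VIRTUAL_MAP defaults to a temp file so the example is safe to run anywhere;
#     in production it would be /etc/postfix/virtual

ALIAS_DOMAIN="sso-alias.example"
VIRTUAL_MAP="${VIRTUAL_MAP:-${TMPDIR:-/tmp}/openmrs-virtual-example}"

# Constructed sample input: "<openmrs username> <real mailbox>"
SAMPLE_USERS='
alice alice@example.org
bob bob@example.net
'

# Check that one map line has the shape "<local>@<alias-domain> <real address>".
# Returns 0 when well formed, 1 otherwise. Restricting the left-hand side to
# ALIAS_DOMAIN prevents a typo from silently rewriting mail for another domain.
valid_alias_line() {
    printf '%s\n' "$1" | grep -Eq \
        "^[A-Za-z0-9._-]+@${ALIAS_DOMAIN} [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
}

# Rewrite the whole map from SAMPLE_USERS. Stops with a non-zero status on the
# first malformed entry so a bad line never reaches postmap.
build_virtual_map() {
    : > "$VIRTUAL_MAP"
    printf '%s\n' "$SAMPLE_USERS" | while read -r user real; do
        [ -n "$user" ] || continue
        line="${user}@${ALIAS_DOMAIN} ${real}"
        valid_alias_line "$line" || { echo "rejected entry: $line" >&2; return 1; }
        printf '%s\n' "$line" >> "$VIRTUAL_MAP"
    done
}

# Number of alias entries currently in the map file.
alias_count() {
    wc -l < "$VIRTUAL_MAP" | tr -d ' '
}

# Apply the map: postmap rebuilds the .db lookup table, and "postfix reload"
# makes Postfix re-read its configuration without dropping in-flight mail.
# When Postfix is not installed the commands are only printed.
apply_virtual_map() {
    if command -v postmap >/dev/null 2>&1 && command -v postfix >/dev/null 2>&1; then
        postmap "$VIRTUAL_MAP" && postfix reload
    else
        echo "postfix not installed here; would run: postmap $VIRTUAL_MAP && postfix reload" >&2
    fi
}

# Stand-alone run: build, report, apply.
build_virtual_map && echo "wrote $(alias_count) alias entries to $VIRTUAL_MAP" && apply_virtual_map
```

Adding a user then becomes "append one validated line, run postmap, run postfix reload"; no service restart is involved, which is the point raised in the earlier discussion.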