What is WSO2 Identity Server?

Capabilities of WSO2 Identity Server

  • Identity Federation and SSO

Business users typically work with many heterogeneous applications and identity providers (IdPs) that their systems must integrate with. WSO2 Identity Server reduces the problem of identity silos by connecting Java Database Connectivity (JDBC), Lightweight Directory Access Protocol (LDAP), or Active Directory (AD) user stores and enforcing role- or attribute-based access control with eXtensible Access Control Markup Language (XACML); user stores alone cannot provide SSO. Having to fill in a sign-up form, or having to sign in repeatedly, makes for a poor user experience. Identity federation lets users bring their own identity (BYOID) or use social logins to access applications and systems, and SSO lets them stay signed in across multiple applications. This also includes rule-based authorization and Google reCAPTCHA support for SSO.

  • Strong and Adaptive Authentication

Authentication is the process of validating a user's identity before granting access to a resource. Strong authentication combines multi-step and multi-option flows using local and federated authenticators such as FIDO, IWA, SAML2, OIDC, MePIN, email/SMS OTP, and Duo Security. Adaptive authentication with WSO2 Identity Server authenticates a user based on context factors such as the user's risk profile and behavior, identity attributes, environmental attributes, device type, geolocation, machine learning algorithms, and request parameters. An identity admin can use ready-made scripting templates to take complete control of the authentication flow and implement adaptive authentication. This includes enforcing rules, transforming attributes, provisioning or deprovisioning users, communicating with external systems, implementing step-up authentication, and more. Because the authentication sequence changes with the user's context, low-risk logins stay simple while risky ones get additional checks.
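The step-up behaviour described above, as an added example that is not WSO2's own code: a decision function that turns context factors (role, network, country, device) into a step-up verdict, wrapped in a script written in the shape WSO2 Identity Server's conditional-authentication scripts take (`onLoginRequest`, `executeStep`, `hasRole`, `context.request.ip`, `user.localClaims`, `Log.info`). The `lookupCountry` and `isKnownDevice` hooks are hypothetical stand-ins for a geolocation or device-fingerprint lookup, the thresholds and IP range are assumed, and the harness at the end is constructed so the file runs offline under Node; a deployment would paste only the script section into the application's conditional authentication editor.

```javascript
// Added example (not WSO2 code): adaptive step-up authentication in the shape
// of a WSO2 Identity Server conditional-authentication script.
// lookupCountry/isKnownDevice and the harness at the end are constructed here
// so the file runs offline under Node; a deployment pastes only the script section.

const CORPORATE_NETWORK_PREFIX = '10.20.';      // assumed corporate IP range
const PRIVILEGED_ROLES = ['admin', 'finance'];  // roles that always get a second factor

// Pure decision: which risk signals fired and whether they warrant step-up.
// Kept separate from the script so it can be tested without the server.
function requiresStepUp(factors) {
  const reasons = [];
  if (factors.roles.some((r) => PRIVILEGED_ROLES.includes(r))) reasons.push('privileged-role');
  if (!factors.ip.startsWith(CORPORATE_NETWORK_PREFIX)) reasons.push('external-network');
  if (factors.country !== factors.lastKnownCountry) reasons.push('new-country');
  if (!factors.knownDevice) reasons.push('unknown-device');
  // Policy (assumed): a privileged role alone, or any two other signals, requires step 2.
  const stepUp = reasons.includes('privileged-role') || reasons.length >= 2;
  return { stepUp, reasons };
}

// ---- Script section: what would go into the conditional authentication editor
// ---- (step 1 = password authenticator, step 2 = second factor such as TOTP/FIDO)
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.currentKnownSubject;
      var factors = {
        roles: PRIVILEGED_ROLES.filter(function (r) { return hasRole(user, r); }),
        ip: context.request.ip,
        country: lookupCountry(context.request.ip),                    // hypothetical hook
        lastKnownCountry: user.localClaims['http://wso2.org/claims/country'],
        knownDevice: isKnownDevice(context)                              // hypothetical hook
      };
      var decision = requiresStepUp(factors);
      Log.info('step-up=' + decision.stepUp + ' reasons=' + decision.reasons.join(','));
      if (decision.stepUp) {
        executeStep(2);
      }
    }
  });
};

// ---- Offline harness (constructed; stands in for the server during a local run) ----
const executed = [];          // step ids the harness "ran" for the current login
let currentContext = null;

function executeStep(stepId, options) {
  executed.push(stepId);
  if (options && options.onSuccess) options.onSuccess(currentContext); // treat the step as passed
}
function hasRole(user, role) { return user.roles.includes(role); }
function lookupCountry(ip) { return ip.startsWith(CORPORATE_NETWORK_PREFIX) ? 'LK' : 'DE'; } // constructed mapping
function isKnownDevice(context) { return context.request.knownDevice === true; }
const Log = { info: (msg) => console.log('[script] ' + msg) };

// Run one constructed login through the script; returns the step ids executed.
function simulateLogin(sample) {
  executed.length = 0;
  currentContext = {
    request: { ip: sample.ip, knownDevice: sample.knownDevice },
    currentKnownSubject: {
      roles: sample.roles,
      localClaims: { 'http://wso2.org/claims/country': sample.lastKnownCountry }
    }
  };
  onLoginRequest(currentContext);
  return executed.slice();
}

// Constructed sample logins: employee on the corporate network, an admin, and an
// employee from an external address in a country other than the one on record.
console.log(simulateLogin({ roles: ['employee'], ip: '10.20.1.5', lastKnownCountry: 'LK', knownDevice: true }));
console.log(simulateLogin({ roles: ['admin'], ip: '10.20.1.5', lastKnownCountry: 'LK', knownDevice: true }));
console.log(simulateLogin({ roles: ['employee'], ip: '203.0.113.9', lastKnownCountry: 'LK', knownDevice: false }));
```

Keeping the verdict in a pure function means the policy can be reviewed and unit-tested on its own, and the reasons list gives the analytics side an explanation for every step-up rather than a bare yes/no.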

  • Identity Bridging

Identity bridging facilitates exchanging identity attributes and authentication decisions between heterogeneous identity systems and protocols in a seamless manner. This includes bridging tokens (OIDC, SAML2, and WS-Federation), service provider claims to IdP claims (email addresses, phone numbers, and names), and identity provisioning requests (from SCIM and SOAP to SCIM, Google apps, and Salesforce).

  • Account Management and Identity Provisioning

End users can manage their own profiles and set account recovery options in a self-service manner. WSO2 Identity Server supports inbound, outbound, and just-in-time (JIT) user provisioning. These features help organizations manage user information held across multiple systems and applications efficiently, cost-effectively, reliably, and securely. For managing users and groups, WSO2 Identity Server offers flexible profile management, including the ability to link multiple user accounts belonging to a single user, a self-service user portal for profile management, and password management protected by Google reCAPTCHA. Through account management, WSO2 Identity Server supports heterogeneous user stores: a built-in LDAP (powered by ApacheDS), an external LDAP, Microsoft Active Directory, or any JDBC database.

  • Access Control

Access control governs access to applications in the login flow using fine-grained access control policies, and WSO2 Identity Server can act as a policy decision point (PDP) for third-party applications. It also helps with managing user entitlements and role-based access control. Here XACML is the basis for fine-grained policy-based access control, with a user-friendly policy administration point (PAP), REST profile support, and easy integration with WSO2 Enterprise Integrator.

  • APIs and Microservices Security

Exposed APIs are secured with OAuth2 access tokens and the associated grant types, including the access control APIs themselves. With OAuth2 as a key standard, WSO2 Identity Server offers OIDC support, token introspection, and the form post response mode. The product also provides User-Managed Access (UMA) and delegated access control using OAuth2. WSO2 Identity Server integrates easily with WSO2 API Manager for OAuth2 key management. WSO2 API Manager, part of the WSO2 Integration Agile Platform, is an open source solution that addresses full API lifecycle management, monetization, and policy enforcement.

  • Privacy Compliance

WSO2 Identity Server is optimized for privacy regulations such as GDPR, including an implementation of the Kantara consent management specification. This offers consent management for any application without vendor lock-in. Consent is collected at self sign-up and during SSO/federation, giving users choice and control over sharing their personally identifiable information (PII). The product also offers a self-service portal where users can control their personal data, manage consent declarations, or make any other changes. The privacy toolkit removes references to a user's identity when required or when requested by the user.

  • Identity Analytics

The product is equipped with monitoring and analytics tools to keep track of the enterprise IAM system's health once it is deployed in production. The analytics system captures and analyzes login attempts made via WSO2 Identity Server. It also captures and analyzes information about specific sessions established via WSO2 Identity Server, which helps to monitor and prevent fraudulent activity. It supports manually terminating user sessions and admin-forced password resets.

 

What should you consider when selecting an IAM solution?

  1. Make login into disparate systems hassle-free

  2. Adding and extending your user base with ease for both internal employees and external users/customers/suppliers

  3. Self-service capabilities

  4. Open standards support

  5. Compliance with various industry security regulations

  6. Integration with heterogeneous technology stacks

  7. Ease of integration of new applications being developed into the security ecosystem

  8. Cloud vs on-premise deployments and their interconnectivity needs

  9. Deployment options and vendor lock-in implications

  10. Monitoring (usage and breaches), auditing and alerting

  11. Ensuring data security with early detection and prevention of security breaches

  12. Ensuring that your solution is future-proof, so that you can incorporate the latest algorithms and security protocols with ease as and when they emerge

 

Benefits of WSO2 Identity Server

  1. Scalable design suited for enterprise-wide deployment

  2. Simple configuration-driven design to help connect all identity-related components

  3. Enables a loosely coupled IAM solution with easy-to-use extension points to connect third-party systems related to IAM concerns

  4. Provides a secure and reliable enterprise IAM solution with proactive patching and regular security updates

 

WSO2 advantages over competitors

  1. 100% open source (both the source code and the binaries are released under the business-friendly Apache 2.0 open source license).

  2. Ability to easily integrate with any cloud-based or on-premise identity management framework or user store. Well-defined and well-documented APIs and numerous ready-made connectors available in the WSO2 Connector Store get this done quickly.

  3. Numerous workflow templates, policy templates, samples and reference architectures available to help cut down redundant effort and enable faster IAM solution implementations.

  4. Support for heterogeneous identity federation protocols (based on open standards) and token transformation and mediation between them.

  5. Freedom for architects and developers to pick and choose federation mechanisms, authentication protocols, standards and token formats to match their needs.

  6. Ability to automate management operations with built-in REST and SOAP APIs.

  7. Ease of deployment, user-friendly management operations and low maintenance cost.

  8. Component-oriented architecture and cloud and container support let you deploy IAM capabilities using a topology of your choice, based on your needs, in a secure, scalable and adaptive manner.

  9. The ready-made scripts and tools help with rapid deployments, ensuring the ability to go to market quickly with your solution.

  10. Continuous innovation that helps build future-proof identity and access solutions.

  11. Rigorous and frequent product update cycles and state-of-the-art tooling support for managing IAM deployments with DevOps best practices.

  12. Comprehensive security scanning and penetration testing practices to ensure the highest degree of quality and security of the IAM product suite.

  13. Proactive testing and tuning of performance and innovation around performance enhancements.

 
