Skip to main content

WSO2 Identity Server 5.5.0 - Cheat Sheet

WSO2 Identity Server Architecture

WSO2 Identity Server a.k.a WSO2 IS is a fully fledged Identity and Access Management (IAM) solution which provides capabilities for your enterprise to secure your resources. The product is build with a rather simplistic but powerful architecture to support variety of identity and access management requirements. Below figure explains the high level architecture of the WSO2 Identity Server.








Figure 1: WSO2 Identity Server Architecture

The main components included in the above figure are explained below.

  • Service Providers - These are the applications which needs to be secured using WSO2 IS as the authentication and authorization framework. This includes your mobile applications, web applications, SaaS applications, etc.
  • Inbound Authentication - This component deals with various protocols like SAML, OIDC, WS-Federation, OAuth, etc. which are used to authenticate the users by the service providers (applications).
  • Authentication Framework - This component handles the claim mapping across service providers, local and identity providers so that the incoming data is corretly mapped to the claims which are stored in the user stores within the system.
  • Local Authenticators - If the users are stored within the Identity Server connected user stores, the actual authentication of the user occurs within this component.
  • Federated Authenticators - If the actual user resides in another Identity Provider or within an external SaaS application (e.g. google, facebook, etc.) user store, actual authentication occurs within those external systems and the relevant federated authenticator will connect with the external system and get the result back to the IS
  • Identity Providers - These are the systems or applications which are capable of providing authentication capabilities so that IS can delegate it’s tasks to these systems
  • Provisioning Framework - This is the component which handles all sorts of user provisioning in to the WSO2 IS and connected external IDPs.

Main features

Following are the most powerful features of the WSO2 IS
  • Single Sign On (SSO) - Ability to access multiple applications by signing into one application. Different applications can be implemented with different protocols like SAML2, OIDC, WS-Federation, WS-Trust but WSO2 IS is capable of supporting SSO across those applications
  • Identity Federation - Ability to access totally different applications using the same credentials can be defined as identity federation. Your users may need to access multiple applications with their social media logins. WSO2 IS provides the capabilities to connect with well known identity providers to federate the user authentication (e.g. Google, Yahoo, Facebook, Salesforce, etc.)
  • Identity Provisioning - Ability to provision users into your system is another key capability of WSO2 IS. Users can be provisioned into primary/secondary user stores or external applications through WSO2 IS
  • Access Control and Entitlement Management - Applications needs to be controlled through proper access control levels to different users. WSO2 IS supports Role Based Access Control (RBAC) as well as Attribute Bases Access Control (ABAC) to authorize the users. Through the XACML support, it supports fine grained policy based access control.
  • Access Delegation through OAuth2 - Your applications needs access to resources on behalf of the users. OAuth2 has become the defacto standard for access delegation and WSO2 IS can act as the authorization server for OAuth2 applications.
  • Authenticators and Connectors - If your users are coming from applications which requires special authentication mechanism specific to that application, WSO2 IS provides authenticators and provisioning connectors to interact with them. These authenticators and connectors can be freely downloaded from WSO2 Store.
  • GDPR Compliance - General Data Protection Regulation comes into effect with 28, May 2018, and can affect any organization that processes Personally Identifiable Information (PII) of individuals who live in Europe. WSO2 IS complies with the GDPR and can be used to build systems which are GDPR compliant.

Other features

On top of the above mentioned main features, WSO2 IS has many other features which makes it an easy to use, easy to configure product for all your identity and access management requirements. Here are the bonus features

User Account management
  • Account recovery
  • Self sign up and email confirmation
  • Ask password for new users
  • Forced password reset
  • Account suspension
Password policy management
  • Password history validation
  • Password patterns
User login management
  • Account locking and disabling
  • Adding ReCaptcha
Workflow management
  • User administration workflow
  • Custom workflow
Customizing email templates
 
Notifications for user operations
 
Associating user accounts
 
Use email address as the username
 
Analytics on user activities
  • monitor login activities
  • managing real time alerts

Single Sign On (SSO) Feature

WSO2 IS supports SSO across applications which uses different protocols. Here are the supported protocols
  • SAML 2.0 Web SSO
  • WS-Trust
  • WS-Federation
  • Integrated Windows Authentication
  • OAuth2-OpenID Connect

Identity Federation

Users coming into WSO2 IS for authentication can be federated into external Identity provider using the federated authenticator capability. WSO2 IS supports below mentioned federated authenticators OOTB.
  • SAML 2.0 Web SSO
  • OAuth2-OpenID Connect
  • WS-Federation
  • Facebook
  • Yahoo
  • Google
  • Microsoft Windows Live
  • IWA on Linux
  • AD FS as a Federated Authenticator
  • Twitter
  • SMS OTP
  • Email OTP

In addition to the above mentioned authenticators, it supports many other applications with the authenticators which can be downloaded from WSO2 Store.

Identity Provisioning

Provisioning users to into your system is another key feature of the WSO2 IS. It supports 3 main types of provisioning capabilities.

Inbound provisioning - Provisions users or groups in to the WSO2 Identity Server by an external application(service providers). WSO2 IS supports the  SCIM API and SOAP-based Web service inbound provisioning. Once the users are provisioned, IS can
  • Persist the users or groups within the Identity Server.
  • Persist the users or groups to the Identity Server and provision them to external applications using outbound provisioning.
  • Provision the users or groups to the external applications using outbound provisioning, without persisting them  internally.
Outbound provisioning - Provisions users to a trusted identity provider from the WSO2 IS. It can be Google, Salesforce, another Identity Server, etc. Outbound Provisioning involves sending provisioning requests from the Identity Server to other external applications. Outbound provisioning is supported via SCIM or SPML standards. There are outbound provisioning connectors for Google and Salesforce available by default in the Identity Server. There are additional connectors available at WSO2 Store. WSO2 IS supports
  • Role Based Provisioning
  • Rule Based Provisioning
  • Provisioning Patterns

Just In Time (JIT) provisioning - Provisions users to the WSO2 IS at the time of federated authentication. When WSO2 IS is used for federated authentication, it redirects the user to an external Identity Provider for authentication. JIT provisioning is triggered when the Identity Server receives a positive authentication response from the external Identity Provider. The Identity Server provisions the user to its internal user store using the user claims of the authentication response. Using JIT provisioning you can:
  • Persist users within the Identity Server.
  • Persist users to the Identity Server and provision them to the external system using outbound provisioning.

Access Control and Entitlement management

Access control defines the rules for “who accesses what” in your enterprise. WSO2 IS supports
  • Role Based Access Control (RBAC)
  • Attribute Bases Access Control (ABAC)
  • Policy Based Access Control (PBAC) using XACML as policy language

Access delegation and OAuth2

OAuth2 has become the de-facto standard for access delegation. Based on the different types of applications, OAuth2 has different grant types defined. WSO2 IS supports following OAuth2 grant types
  • Authorization Code Grant
  • Implicit Grant
  • Resource Owner Password Credentials Grant
  • Client Credentials Grant
  • Refresh Token Grant
  • Kerberos Grant


GDPR Compliance

WSO2 IS has the following features in relation to GDPR compliance
  • Privacy by design and privacy by default
  • Consent identity management
  • Consent life cycle management
  • Right to be forgotten
  • Exercising individual rights
  • Personal data portability 
  • Personal data protection

Extension points

As a final note to this cheat sheet, WSO2 IS is a configuration driven solution where you need to configure different components based on the use case. In most cases, users don’t need to change the applications or write programs (code) to fullfill the security requirements. There can be situations where WSO2 IS not capable of handling with OOTB features, in such cases, it provides extension mechanisms to implement the functionality with some custom Java code.

Extending Access Control
  • Writing a Custom Policy Info Point

Extending Identity Federation
  • Writing a Custom Federated Authenticator
  • Writing a Custom Local Authenticator

Extending Provisioning
  • Extensible SCIM User Schemas With WSO2 Identity Server
  • Writing an Outbound Provisioning Connector

Extending User Management
  • Carbon Remote User Store Manager
  • User Store Listeners
  • Using the User Management Errors Event Listener
  • Working with Errors
  • Writing a Custom Password Validator

Extending Workflow Management
  • Writing a Custom Event Handler
  • Writing a Custom Workflow Template

Labels:

Comments

Post a Comment

Popular posts from this blog

WSO2 ESB tuning performance with threads

I have written several blog posts explaining the internal behavior of the ESB and the threads created inside ESB. With this post, I am talking about the effect of threads in the WSO2 ESB and how to tune up threads for optimal performance. You can refer [1] and [2] to understand the threads created within the ESB. [1] http://soatutorials.blogspot.com/2015/05/understanding-threads-created-in-wso2.html [2] http://wso2.com/library/articles/2012/03/importance-performance-wso2-esb-handles-nonobvious/ Within this blog post, I am discussing about the "worker threads" which are used for processing the data within the WSO2 ESB. There are 2 types of worker threads created when you start sending the requests to the server 1) Server Worker/Client Worker Threads 2) Mediator Worker (Synapse-Worker) Threads Server Worker/Client Worker Threads These set of threads will be used to process all the requests/responses coming to the ESB server. ServerWorker Threads will be used to pr
4 comments
Read more

How puppet works in your IT infrstructure

What is Puppet? Puppet is IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to orchestration and reporting. Using Puppet, you can easily automate repetitive tasks, quickly deploy critical applications, and proactively manage change, scaling from 10s of servers to 1000s, on-premise or in the cloud. How the puppet works? It works like this..Puppet agent is a daemon that runs on all the client servers(the servers where you require some configuration, or the servers which are going to be managed using puppet.) All the clients which are to be managed will have puppet agent installed on them, and are called nodes in puppet. Puppet Master: This machine contains all the configuration for different hosts. Puppet master will run as a daemon on this master server. Puppet Agent: This is the daemon that will run on all the servers, which are to be managed using p
7 comments
Read more

How to configure timeouts in WSO2 ESB to get rid of client timeout errors

WSO2 ESB has defined some configuration parameters which controls the timeout of a particular request which is going out of ESB. In a particular  scneario, your client sends a request to ESB, and then ESB sends a request to another endpoint to serve the request. CLIENT->WSO2 ESB->BACKEND The reason for clients getting timeout is that ESB timeout is larger than client's timeout. This can be solved by either increasing the timeout at client side or by decreasing the timeout in ESB side. In any of the case, you can control the timeout in ESB using the below properties. 1) Global timeout defined in synapse.properties (ESB_HOME\repository\conf\) file. This will decide the maximum time that a callback is waiting in the ESB for a response for a particular request. If ESB does not get any response from Back End, it will drop the message and clears out the call back. This is a global level parameter which affects all the endpoints configured in ESB. synapse.global_timeout_inte
3 comments
Read more