Enterprise Identity Integration with WSO2 Identity Server

Posted by Hans Bot on 16 May, 2017

Nowadays, identities are everywhere. They’re in employee accounts, customer accounts, email accounts, IM accounts, Facebook accounts, Google accounts, Microsoft accounts, LinkedIn accounts, not to mention many, many application and system-level accounts. This account proliferation is quickly becoming a management burden, for individuals as well as enterprises. Just have a look at your password manager to see how many accounts you’ve got lying around.

For enterprises, there may be valuable information hidden inside those account databases (or directories, for that matter): information about account behaviour that can serve to build better profiles, sometimes much better profiles, and perhaps to predict customer behaviour. Such predictions can in turn help improve your conversion rate, your customer retention rate and your cross-selling power. If only you could uncover this information and use it to its full potential.

Why WSO2 Identity Server is still the best enterprise IAM solution around

Whether you’re overwhelmed by the effort of managing millions of accounts, looking for new ways to leverage hidden potential, looking for a solid solution for single sign-on and single sign-off, or any combination of the above, WSO2 Identity Server should definitely be on your shortlist.

Unlike other high-end identity management solutions, WSO2 Identity Server is fully open-source. There is no premium edition, extension or option pack on top of an open-source kernel. You don’t have to pay for documentation. Everything is there in the open. Heck, they even run a public Jira.

Now that’s all good, but it doesn’t make you the best solution by itself, right? Okay, let’s talk architecture then. Identity Server is unique because, at its core, it is an integration product. ‘The others’ are often extensions of a former directory product. That makes sense: WSO2 is first and foremost an integration company offering an integration platform, and the others are not. Now why is that important?

  1. In today’s enterprise, “users” are seldom a homogeneous group. You have to deal with employees, business partners, customers and suppliers, and sometimes one person belongs to several of these groups at once.
  2. Through mergers and acquisitions, or through technical migrations, user accounts live in different realms or account stores.
  3. Increasingly, third-party identity providers, whether social, civil or communal, help solve the identity proliferation problem your users face.

Your mileage may vary, of course, but chances are that you too will sooner or later benefit from the flexibility that’s built into WSO2 Identity Server. How does this work? Identity Server has an Identity Bus at its core. This is where the authentication and provisioning frameworks live. It separates the user-facing authenticators and portals from the internal and external data sources. It speaks the standard protocols (SAML, OpenID Connect and OAuth 2.0, WS-Federation, SCIM, LDAP) needed to connect to virtually every other identity provider, authentication server and user store. And it does so transparently.

Imagine you have an app that uses OpenID Connect ID tokens for authentication. One user might want to log in with Facebook credentials over OAuth 2.0. A customer may have an account in an Identity Server database. And employee accounts are kept in an Active Directory, federated through ADFS. WSO2 Identity Server provides all the integration logic, so that your app only needs to be concerned with the claims it receives in the token. Everything else is taken care of. The one thing the broker does not take away is the app’s own duty as relying party: before trusting any claim, it must validate the token’s signature against the issuer’s key and check issuer, audience, expiry and nonce. Moreover, all the integration logic is automatically available for reuse in other apps, be it your own apps or third-party apps.
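What “only being concerned with the claims” looks like in practice, as an added example written for this article (it is not code from the original post, nor from WSO2 Identity Server): the relying-party check of the ID token before any claim in it is trusted. It assumes an HS256-signed token with a constructed client secret, issuer and client ID; with RS256 the signature step becomes JWKS-based verification and the claim checks stay exactly the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example (editor's code, not the original post's and not WSO2 Identity
# Server code): what a relying party must still do with the ID token the
# broker hands it. HS256 (client_secret as the HMAC key) keeps this stand-alone;
# with RS256 you would fetch the issuer's JWKS and verify the RSA signature
# instead, while every claim check below stays the same.


class TokenError(ValueError):
    """Raised for any reason the token must not be trusted."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Constructed test data: build a token the way the issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def strip_signature_alg_none(token: str) -> str:
    """Attacker-style tampering used in the demo: claim alg=none, drop the MAC."""
    _, payload_b64, _ = token.split(".")
    return _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    nonce: Optional[str] = None, now: Optional[float] = None,
                    leeway: int = 60) -> dict:
    """Return the token's claims if the signature and the OIDC claims check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")

    # 1. Pin the algorithm you configured; never let the header choose it.
    #    That is how "alg": "none" and key-confusion attacks get in.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    # 2. Recompute the MAC over the exact signing input; compare in constant time.
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenError("bad signature")

    # 3. Issuer and audience: a valid token minted for another client is not ours.
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("wrong audience")
    if len(audiences) > 1 and payload.get("azp") != client_id:
        raise TokenError("azp required for multi-audience token")

    # 4. Lifetime, allowing a little clock skew between issuer and app.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("token expired or without exp")
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        raise TokenError("token issued in the future")

    # 5. The nonce ties this token to the authentication request we sent.
    if nonce is not None and payload.get("nonce") != nonce:
        raise TokenError("nonce mismatch")

    if not payload.get("sub"):
        raise TokenError("missing sub")
    return payload


def rejection_reason(token: str, secret: bytes, issuer: str, client_id: str,
                     **kwargs) -> Optional[str]:
    """None when the token verifies, otherwise the check that rejected it."""
    try:
        verify_id_token(token, secret, issuer, client_id, **kwargs)
    except TokenError as exc:
        return str(exc)
    return None
```

mint_hs256_id_token and strip_signature_alg_none exist only to build constructed inputs; the point is verify_id_token, which refuses alg-none, wrong-audience, expired, wrong-nonce and tampered tokens, and rejection_reason shows which check fired. Pass the nonce you stored in the session when you started the login, and pin the algorithm to whatever you configured at the broker.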

Conceptual view of WSO2 Identity Server

Thirdly, I’d like you to consider extensibility. I’m sure you’re well aware of the power of the WSO2 digital innovation platform when it comes to scalability. It allows you to scale up (vertically) and scale out (horizontally, distributing components over specialized nodes) to meet increased volumes, and to add features and functions to meet future needs. And everything can be managed as part of a consistent, integrated platform.

From a functional perspective, managing identities benefits greatly from complementary products. Take for instance WSO2 Business Process Server, which allows for managed workflows, for instance to onboard a new employee. I know for a fact that many companies dream of a single workflow that delivers all user accounts, a mobile phone, a laptop with the necessary software installed and a badge, all ready on the first working day. With Business Process Server you can make this a reality. And should you face an application integration challenge along the way, remember that WSO2 offers an excellent Enterprise Service Bus too.

Next, suppose a user is locked out of their account. Wouldn’t it be nice if the service desk were not only alerted, but directly connected to that user on their mobile phone? That would be a great service, and at the same time proactively enhance your security: a lockout is often the first visible sign of a brute-force or credential-stuffing attempt against that account.

There are so many use cases where workflows remain a great, if perhaps underused, fit.

Another great tool is WSO2 Business Rules Server. With (just-in-time) provisioning, the business rules about where to store accounts, which roles to assign and which outbound destinations to provision to can get quite complex and are prone to change. WSO2 Business Rules Server lets you define these decisions in a language close to the business analyst, and deploy, monitor and maintain them. It simply exposes your decisions as secure, reliable Web services. Presto. The Identity Bus just calls a decision service that encapsulates all the complexity, and you’re done.
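As an added illustration of the decision service the Identity Bus would call (editor’s example, not code from the original post and not WSO2 Business Rules Server code): federated claims go in, a provisioning decision comes out, and the policy is data that can change without touching the bus. The identity provider names, user stores, roles, group names and outbound targets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example (editor's code, not from the original post and not WSO2
# Business Rules Server code): the shape of a decision service the Identity
# Bus could call during just-in-time provisioning. The IdP names, user store
# names, roles, group names and outbound targets are assumptions.

Claims = Dict[str, object]


@dataclass(frozen=True)
class Decision:
    user_store: str          # where the local account is created
    roles: List[str]         # local roles granted on first login
    provision_to: List[str]  # outbound targets the account is provisioned to


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Claims], bool]
    outcome: Decision


# Groups an identity provider may assert and the local role each one maps to.
# Anything not listed is ignored, so a social IdP asserting "admin" gets nothing:
# federated group claims must never map straight onto privileged local roles.
GROUP_ROLE_MAP = {"sales": "sales", "vpn-users": "vpn"}


def email_domain(claims: Claims) -> str:
    email = str(claims.get("email", ""))
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


# The policy, in the order it is evaluated. Analysts change this table; the
# bus only ever calls decide().
RULES: List[Rule] = [
    Rule("employee via ADFS",
         lambda c: c.get("idp") == "adfs" and email_domain(c) == "corp.example",
         Decision("AD", ["employee"], [])),
    Rule("partner via partner SAML IdP",
         lambda c: c.get("idp") == "partner-saml" and "partner" in c.get("groups", []),
         Decision("PRIMARY", ["partner"], ["crm"])),
    Rule("customer via social login",
         lambda c: c.get("idp") in ("facebook", "google") and c.get("email_verified") is True,
         Decision("CUSTOMERS", ["customer"], ["crm", "marketing"])),
]


def decide(claims: Claims) -> Optional[Tuple[str, Decision]]:
    """First matching rule wins; no match means no account is created (default deny).

    Returns (rule name, decision) so the bus can log which rule fired.
    """
    for rule in RULES:
        if rule.matches(claims):
            groups = claims.get("groups", [])
            mapped = sorted({GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP})
            roles = list(rule.outcome.roles) + [r for r in mapped if r not in rule.outcome.roles]
            return rule.name, Decision(rule.outcome.user_store, roles, list(rule.outcome.provision_to))
    return None
```

Two design choices matter here. The default is deny: an unknown identity provider, an unverified social e-mail or an employee-looking login from the wrong domain produces no account at all rather than a best-effort one. And group-to-role mapping goes through an allowlist, so whatever groups a remote IdP asserts can only ever yield the roles you chose to expose.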

A third useful extension lies in API management. With WSO2 Identity Server you have ample functionality to build an account management or self-service portal; WSO2 even provides an example portal you can use out of the box. Now, if the users of such a portal are outside your local network, you will want to secure access to the underlying APIs: create a user, create a role, assign a role, and what not. You could even modify your entitlement policies. This is powerful, for sure, but it also opens up some undesirable attack vectors: these are privileged operations, and once they are reachable from the internet they become a target for credential stuffing, account enumeration and abuse of over-privileged portal tokens. Yes, there is the option of using captchas (who likes captchas?), but this will only take you so far. So it’s much better to manage the APIs you’re exposing actively: authenticate every call, require the scope each operation needs, and throttle by caller. WSO2 API Manager is ideally suited to do just that.
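An added example (editor’s code, not from the original post and not WSO2 API Manager code) of the two gateway checks argued for above, scope enforcement per operation and per-caller throttling, placed in front of assumed SCIM2-style routes. The route table, scope names and rate settings are assumptions for the example; take the scopes from the Identity Server version you actually run, and assume the access token has already been validated the way an ID token is.

```python
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Added example (editor's code, not from the original post and not WSO2 API
# Manager code): the checks a gateway in front of the self-service APIs should
# make before forwarding a call to Identity Server. The route table, scope
# names and limits are assumptions; use the scopes your version publishes.

# (method, path) -> required scope. A trailing "/" marks a prefix route such as
# /scim2/Users/{id}. Anything not listed here is simply not reachable.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/scim2/Me"): "internal_login",
    ("PATCH", "/scim2/Me"): "internal_login",
    ("POST", "/scim2/Users"): "internal_user_mgt_create",
    ("GET", "/scim2/Users"): "internal_user_mgt_list",
    ("DELETE", "/scim2/Users/"): "internal_user_mgt_delete",
    ("POST", "/scim2/Roles"): "internal_role_mgt_create",
}


class TokenBucket:
    """Token bucket: refills at `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def required_scope(method: str, path: str) -> Optional[str]:
    """Scope needed for (method, path), or None if the route is not published."""
    for (m, p), scope in ROUTE_SCOPES.items():
        if m != method:
            continue
        if p.endswith("/"):
            if path.startswith(p) and len(path) > len(p):  # needs an {id}
                return scope
        elif path == p:
            return scope
    return None


class Gateway:
    def __init__(self, rate: float = 2.0, burst: int = 10) -> None:
        # One bucket per authenticated subject; unauthenticated calls share one per IP.
        self._buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, method: str, path: str, claims: Optional[dict],
               client_ip: str, now: float) -> Tuple[int, str]:
        """Return (status, reason); 200 means the call is forwarded upstream."""
        scope = required_scope(method, path)
        if scope is None:
            return 404, "route not exposed"
        # Throttle first, keyed on the subject of an already-validated token
        # (or the source IP when there is none), so floods are cut off before
        # they reach authentication or Identity Server itself.
        key = "sub:" + str(claims["sub"]) if claims and claims.get("sub") else "ip:" + client_ip
        if not self._buckets[key].allow(now):
            return 429, "rate limit exceeded"
        if claims is None:
            return 401, "missing or invalid access token"
        if scope not in set(str(claims.get("scope", "")).split()):
            return 403, "token lacks scope " + scope
        return 200, "forwarded to Identity Server"
```

Note the ordering: routes not in the table never reach the backend, throttling happens before any authentication work, and a self-service token that only carries the login scope cannot create users or roles even though the same portal host may also serve an administrator.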

And I didn’t even mention the analytics package that ships with WSO2 Identity Server. Nor the multi-tenancy features. Or XACML-based entitlement management. Or the WSO2 Store. Man, there’s so much more cool stuff to tell.

Puzzled by all the options and choices? No worries, at Yenlo we’ll be glad to help. We’ve been there and done it before. Just ask.

Topics: WSO2 IS, Identity Server, Identity and Access Management

Written by Hans Bot

Hans is an experienced architect in the digital world who has always been at the front line of developments. Nowadays Hans focuses on state-of-the-art cloud and integration platforms serving as a base for digital transformation. Hans has a passion for modern technologies; at the same time, he values the merits of proven ones.