For those of you who are not that familiar with the product, WSO2 IS is one of the three major products from WSO2 together with WSO2 API Manager and WSO2 Enterprise Integrator. WSO2 IS focusses on (Customer) Identity and Access Management (CIAM) and is considered a leader or strong performer in its field, just ask Kuppinger Cole and Forrester.
WSO2 IS allows you to manage Identity Access in a secure fashion catering to both employees within the organization as well as customers access. In this blog I will tell you what’s new in WSO2 Identity Server 5.11.
Big numbers
When we take the field of CIAM, we have the possibility to get into larger numbers of users. Although, Amazon is now a company of over 1.2 million employees! However, that is no problem for WSO2 IS where the biggest deployments has 106 million users as you can hear Prabath Siriwardena, WSO2’s Vice President & Deputy CTO – Security Architecture, say when I interviewed him about CIAM & Digital Transformation and the latest release of WSO2 IS.
Starting IS
My Account
The enhanced My Account application which was known as the User Portal in 5.10.0 (and previous versions) allows users to manage their account-related preferences. The login will let a user to change its account and settings of that account.
Like with previous versions you can Create an Account when this is enabled (by default it is not).
The screen below shows some new interface elements. It has a different layout compared to the previous version which consisted of several tabs. This overview shows the administrator account which is the default and only account in and out of the box deployment.As you can see it is not complete some of the mandatory claims of the profile are not filled in hence the shield with the cross signifying this.
Apart from the claims there is a link to your profile there is a new option to export the data in Json format.
The possibility to add a photo to a profile is nice however the photo is stored as a link and will be retrieved from that link when for instance the screen is being refreshed.
The My Account application also allows you to manage consents, see your Account activity and update your security questions for instance.
The Jaggery app has been replaced by a React JS app that looks more modern. This is something that we see across the WSO2 products with separate apps like the API Manager as well.
See the video for a hands-on tour:
Console
Another new element in the WSO2 Identity Server 5.11.0 is the console . This app that is in beta allows you to manage the Identity Server components like identity providers, service providers now called applications another configurations like password settings from an improved interface. As this is a version that is envisioned it to be a test from WSO2 whether people like this new interface over the older, still a fully functional interface of the management UI.
The video mentioned above also shows the console.
More changes
But there are more changes made to this version of the Identity Server. They are less visible; however, they are worth mentioning because they are more internal. For instance, WSO2 switched from asymmetric key encryption to symmetric key encryption. The reason to switch to symmetric encryption is twofold according to WSO2: symmetric key encryption is an industry standard, and it makes it easier to change the key source windows certificate changes. however, you can still use the asymmetric encryption by making changes 2 the configuration in the deployment.toml file.
Another important change has to do with group and role permissions. Both groups and roles were considered roles in the system and you can manage roles using the management console or the SCIM groups endpoints. This new release of the Identity Server has a redesigned groups and roles set up. Where a group is now a representation of a set of users in the user store you can manage these using the management UI, console application or via APIs. Keep in mind that when you are defining a group, the console allows you to put spaces in there, however when you deploy a group like that it will throw an error since there is should not have any spaces in the name of the group. For more information about the relationship between roles groups and users look at the WSO2 documentation online.
The final two changes that I would like to discuss is the fact that there is now an API for the cross-object resource scripting settings (also known as CORS). WSO2 Identity Server has now upgraded to openSAMLv3. We now also have integration with HashiCorp Vault, a popular and widely adopted tool in the community. WSO2 Identity Server can now be used using HashiCorp Vault to keep configuration secrets protected and used at runtime.
Planning to migrate to the new version?
If you already have WSO2 Identity Server 5.10 or an earlier version, you can migrate to the latest version, this of course after you have looked if there are no showstoppers as far as issues go with regards to the components. You can find an overview of solved and open issues here. It looks like that an incremental migration (5.7. to 5.8. to 5.9 etc.) is not needed since we can indicate current and new version in the tool.
Do you want to learn more about WSO2 Identity Server? Watch the interview I had with Prabath Siriwardena on CIAM & Identity and Access Management.
