Content Comparison

Do we support Enterprise Single Sign On (E-SSO) to enable internal desktop users to seamlessly access heterogeneous applications (including web applications)?

This not supported out of the box. But there are several extension points that can be implemented to support such capabilities.

Do WSO2 products provide single-sign-on (SSO) and identity assertion features for services, applications, portal, etc across the SDP?

WSO2 Identity Server supports SAML and SAML 2.0 web browser single sign-on profile. With this feature, WSO2 Identity Server can act as the Identity Provider in single sign-on scenarios while third party service providers can delegate user authentication to Identity Server. Also this SSO feature is supported for our entire product stack with the above mentioned security standards.

Does WSO2 Identity Server support SAML security token standard and a framework for exchanging security information?

WSO2Identity Server supports SAML 1.0/1.1 and SAML2.0. SAML token can be used to exchange security information using WS-trust scenarios.

When dealing with Credential Mapping it is possible to map different credentials such as User name Token, X.509 tokens, SAML tokens, Kerberos tokens, etc.

Do WSO2 products provide single-sign-on (SSO) and identity assertion features for services, applications, portal, etc across the SDP?

WSO2 Identity Server supports SAML and SAML 2.0 web browser single sign-on profile. With this feature, WSO2 Identity Server can act as the Identity Provider in single sign-on scenarios while third party service providers can delegate user authentication to Identity Server. Also this SSO feature is supported for our entire product stack with the above mentioned security standards.

WSO2Identity Server supports centralized and policy based access control mechanism based on XACML. Authentication mechanism, such as username token, X.509 SAML , OAuth and kerberos can be easily plugged with the XACML access control engine.

What is the difference between SP-Initiated SSO and IDP-Initiated SSO? Do WSO2 products support both scenarios?

In SP-Initiated SSO, user tries to access a resource on SP without logging in. The service provider initiates the SSO message flow by sending authentication request to the Identity Provider (IdP)

But in IdP-Initiated flow, user loges on to IdP first and then tries to access the resource on SP. So IdP initiate the flow by sending an authentication response to the SP directly.

What are differences between SAML2 and PassiveSTS based authentication ?

SAML2 enables a SSO system where users can login to multiple applications within a "trust domain". Identities of the users in the "trust domain" are managed by the identity provider/s withing the same "trust domain". So only the users whose identities are managed within the same "trust domain" can access applications withing the "trust domain".

But PassiveSTS is a cross domain authentication mechanism where users in one "trust domain" can access applications in another "trust domain". The mechanism of brokering trust between "trust domain"s is defined in the WS-Federation specification. PassiveSTS is defined under the topic "Web (Passive) Requesters" of the specification.

STS

Do WSO2 products provide authentication services to authenticate client access to various services across platforms by supporting security tokens and STS?

STS is shipped with WSO2 Identity Server. Services can be protected with a security policy to accept a token issued by STS.

Is it possible to have STS exposed to the external world for external clients?

It is possible for external users (who reside outside the domain where STS is setup) to connect to the STS and get a security token. However, in order to do so, the user store which is associated with the STS, should have these external users' data (credentials etc.) stored in there. 

Does a client need to make a call for each and every request to get the token from STS server, or could it be session based? 

This can be configured at the client's end according to your requirement. For example, if the user needs to keep the token alive for the whole session, you can set up an expiry time for the token. Then the end service (ESB here) successfully authenticates this token until the specified expiration time limit is exceeded.

XACML

How can I write a custom PIP extension for WSO2 IS XACML engine?

See Writing a Custom Policy Info Point .

Do you support hierarchical roles in Carbon based products?

Carbon products do not support hierarchical roles out of the box, but with the support of WSO2 XACML engine(feature of Identity server), we can define set of policies to cater the requirement.

Do WSO2 products provide complex user entitlement support with XACML?

WSO2 products support authorization through entitlement policies defined in XACML. In XACML, complex user entitlement can be defined.

Do WSO2 products provide policy based authorization services?

WSO2 products support centralized, policy-based authorization through entitlement policies defined in XACML.

Do WSO2 products provide fine grained authorization services to determine access rights for users and user groups?

To support authorization requirements, we support RBAC (Role Based Access Control) and XACML. XACML is specifically used to define fine-grained authorization policies that help align your business level security requirements with the security implementation.