This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Architecture

System Overview

WSO2 Identity Server is a product built on top of WSO2 Carbon. Based on the OSGi specification, it enables easy customization and extension through its componentized architecture. This page details the important features of the Identity Server. The users are given the choice of deployment to on-premise servers, private cloud or public cloud (WSO2 StratosLive Identity-as-a-Service) without configuration changes.

Each server in the WSO2 platform is built using the Carbon platform. "Carbon Server" is the term used for any product built on top of the Carbon platform, such as WSO2 Enterprise Service Bus, WSO2 Application Server, and WSO2 Identity Server.

The WSO2 Identity Server is used directly by multiple users through its user-friendly Management Console. Apart from the default admin user (with the user name ‘admin’), other users can be created later by admin users who hold the privilege to create a new user, or by signing up. Each user can have roles, and each role can have privileges assigned to it. A user’s roles can be changed at any time by an admin user.

Apart from such registered users, Identity Server is also used as an identity provider for third party applications, which also have their own sets of users.

Components

The following are the components found within the WSO2 Identity Server, some of which are depicted in the above diagram.

System and User Identity Management

WSO2 Identity Server implements a flexible user store via built-in LDAP (powered by ApacheDS), external LDAP, Microsoft Active Directory or any JDBC database. It provides an API for integrating identity management into any application. WSO2 Identity Server allows tenants/organizations to configure their user stores through the admin console. WSO2 Identity Server supports multiple profiles per user using its flexible profile management feature.

WSO2 Identity Server enables Single Sign-On (SSO) for enterprise applications via OpenID and SAML2, and it comes bundled with the Apache KDC out of the box, providing a Kerberos Key Distribution Center. It also provides SSO bridging between on-premise systems and cloud applications, enhancing the user's single sign-on experience. It also provides multi-factor authentication for OpenID via XMPP.

WSO2 Identity Server implements REST security with OAuth 2.0 and XACML. WSO2 Identity Server integrates with Microsoft SharePoint through Passive STS support. It provides credential mapping across different protocols. Provisioning via SCIM (rather than the legacy SPML) and auditing via XDAS are also supported. Delegation is supported via OAuth 1.0a, OAuth 2.0, OpenID Connect and WS-Trust, while federation is supported via OpenID, SAML2 and WS-Trust STS. XKMS for key storage and distribution is also provided by the Identity Server.

Entitlement Management

WSO2 Identity Server provides advanced entitlement auditing and management. It provides entitlement management for any REST or SOAP call. WSO2 Identity Server provides attribute- and claim-based access control via XACML, WS-Trust, OpenID, OpenID Connect and claim management. WSO2 Identity Server also provides role-based access control (RBAC) and fine-grained policy-based access control via XACML. See here for more information.

XACML 2.0/3.0 Support

WSO2 Identity Server provides a friendly user interface for policy editing. It also supports multiple Policy Information Points (PIPs) and policy distribution to various Policy Decision Points (PDPs). It provides a high-performance network protocol (over Thrift) for PEP/PDP interaction, and policy decision and attribute caching. Notifications are provided for policy updates. Moreover, the WSO2 Carbon TryIt tool that comes bundled with the Identity Server lets the user explore the impact of a policy.

Management and Monitoring

WSO2 Identity Server provides a comprehensive management console with enterprise-level security. It also comes with built-in collection and monitoring of standard access and performance statistics. Operational audit and KPI monitoring and management are achieved by integrating with the WSO2 Business Activity Monitor. Further key metrics monitoring and management are achieved with JMX MBeans. WSO2 Identity Server offers flexible logging support with integration into enterprise logging systems. WSO2 provides centralized configuration management across different deployment environments, with lifecycles and versioning, through integration with WSO2 Governance Registry.

Keystore Management

A keystore is a special file type that holds your keys and certificates and protects them all with a password. In other words, a keystore is much like a hash table that maps an alias identifying a certificate to the certificate itself. See here for more information.

XKMS

The XML Key Management Service Specification (XKMS) defines a standard way of generating key pairs, storing public key information, and retrieving public key information. XKMS services can be exposed as Web Services, which allows other applications to delegate some of their key information processing functions to such services. The Identity Server user is able to configure XKMS and also reset the configuration. See here for more information.

Single Sign-On

WSO2 Identity Server supports SAML2-based Single Sign-On. This implementation complies with the SAML2 Web Browser SSO Profile and the Single Logout Profile. The user can add or remove service providers from the "SAML 2.0-based Single Sign-On" page. See here for more information.

OAuth

New applications can be registered for OAuth support in the Identity Server. The user can view the details of a registered application by clicking on it, and registered applications can be deleted later. See here for more information.

OpenID Connect

OpenID Connect is an identity layer on top of OAuth 2.0. OAuth applications receive information about the authentication event in the ID Token and can retrieve additional claims about the authenticated user from the OpenID Connect UserInfo endpoint. See here and here for more information on this feature.

User Stores

WSO2 Identity Server has comprehensive support for multiple user stores. The server administrator configures the primary user store by editing user-mgt.xml. The administrator can configure the realm, the default LDAP user store, the internal JDBC user store and an external Active Directory user store, and can switch the RDBMS. Identity Server is configured through the files in the repository/conf folder. Tenant admins can then configure their own user stores using the Admin Console UI. See here and here for more information.

XMPP

A user can enable XMPP-based multi-factor authentication for OpenIDs. If a PIN is chosen, it must be provided during the authentication process. See here for more information.

SCIM

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in the WSO2 Identity Server easier. See here for more information.

OpenID

You may choose to associate information with your OpenID that can be shared with the websites you visit, such as a name or email address. With OpenID, you control how much of that information is shared with the websites you visit. See here for more information.

STS

The "Security Token Service" component of WSO2 Carbon enables you to configure the generic STS to issue claim-based security tokens. This Security Token Service is capable of issuing SAML 1.1 and SAML 2.0 tokens as recommended in WS-Trust and SAML Web Service Token Profile specifications. See here for more information.