This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.


...

See: Single Sign-On and Identity Federation

Access control

XACML - eXtensible Access Control Markup Language

XACML (eXtensible Access Control Markup Language) is a language for controlling access to applications. It is an XML-based access control language standardized by a Technical Committee of the OASIS consortium, and it is widely used in the identity community as a fine-grained authorization method. See Access Control Concepts for more information.

RBAC - Role Based Access Control

Role-based access control (RBAC) is a type of access control in which access is restricted to authorized users based on the roles assigned to them. It is used by the majority of enterprises with more than 500 users. See Access Control Concepts for more information.

ABAC - Attribute Based Access Control

Attribute-based access control (ABAC) is a type of access control. ABAC defines an access control paradigm in which access rights are granted to users through policies that combine attributes of the subject, the resource, the action, and the environment. See Access Control Concepts for more information.
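To make the difference between the three models concrete, here is a small policy decision point written for this page. It is an added illustration, not code from WSO2 Identity Server, and the roles, attribute names (subject.role, resource.department, env.hour) and rules are constructed for the demo. The RBAC part answers only "does a role of this user hold this permission"; the ABAC part evaluates rules over an attribute bag and combines their effects with a XACML-style deny-overrides algorithm, which lets it express conditions (same department, working hours) that a role table alone cannot.

```python
"""Toy policy decision point contrasting RBAC and ABAC (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# --- RBAC: users hold roles, roles hold (resource, action) permissions ---
ROLE_PERMISSIONS = {  # constructed sample role table
    "doctor": {("patient-record", "read"), ("patient-record", "write")},
    "nurse": {("patient-record", "read")},
}


def rbac_decide(roles, resource, action):
    """Permit if any role held by the subject grants (resource, action)."""
    for role in roles:
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return PERMIT
    return DENY


# --- ABAC: rules are predicates over request attributes -----------------
@dataclass
class Rule:
    rule_id: str
    effect: str                         # PERMIT or DENY
    target: Callable[[Dict], bool]      # True when the rule applies


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, request):
        """Deny-overrides combining: any applicable Deny wins, then Permit,
        otherwise NotApplicable (the enforcement point should treat that as deny)."""
        effects = set()
        for rule in self.rules:
            try:
                if rule.target(request):
                    effects.add(rule.effect)
            except KeyError:
                # A required attribute is missing, so this rule does not apply.
                # Real XACML would surface this as Indeterminate.
                continue
        if DENY in effects:
            return DENY
        if PERMIT in effects:
            return PERMIT
        return NOT_APPLICABLE


def same_department_clinician(req):
    """Clinicians may read records of their own department; only doctors may write."""
    return (req["subject.role"] in ("doctor", "nurse")
            and req["resource.type"] == "patient-record"
            and req["subject.department"] == req["resource.department"]
            and (req["action"] == "read" or req["subject.role"] == "doctor"))


def after_hours_write(req):
    """Writes outside 08:00-18:00 are denied regardless of role."""
    return req["action"] == "write" and not (8 <= req["env.hour"] < 18)


CLINICAL_POLICY = Policy("clinical-records", [
    Rule("permit-same-department", PERMIT, same_department_clinician),
    Rule("deny-after-hours-write", DENY, after_hours_write),
])


def build_request(role, subject_department, resource_department, action, hour):
    """Assemble the attribute bag a PEP would send to the PDP (constructed attribute names)."""
    return {
        "subject.role": role,
        "subject.department": subject_department,
        "resource.type": "patient-record",
        "resource.department": resource_department,
        "action": action,
        "env.hour": hour,
    }


def abac_decide(request):
    return CLINICAL_POLICY.decide(request)


if __name__ == "__main__":
    print("RBAC doctor write:", rbac_decide({"doctor"}, "patient-record", "write"))
    print("ABAC doctor, other department:",
          abac_decide(build_request("doctor", "cardiology", "oncology", "read", 10)))
    print("ABAC doctor, own department, 23:00 write:",
          abac_decide(build_request("doctor", "cardiology", "cardiology", "write", 23)))
```

Under RBAC the doctor's write permission is unconditional; under the ABAC policy the same request is denied after hours and is not even applicable for a record from another department, which is the "fine-grained" authorization the XACML panel refers to.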

API security

OAuth

OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. See OAuth Concepts for more information.

Grant Types

The OAuth2 specification defines several grant types. A grant type is a credential representing the resource owner's authorization (to access its protected resources), which the client presents to obtain an access token. See OAuth Concepts for more information.
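The following added example shows the authorization code grant end to end from the authorization server's side, so the phrase "a credential the client presents to obtain an access token" has a concrete shape. It is illustration code written for this page, not WSO2 Identity Server's implementation; the client registry, secrets, redirect URI and user name are constructed, and the checks follow RFC 6749 (client authentication, code bound to client and redirect URI, short lifetime, single use with revocation of tokens issued from a replayed code).

```python
"""Minimal OAuth2 authorization code grant: issue a code, exchange it for a token (constructed example)."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60          # authorization codes are short-lived
TOKEN_TTL_SECONDS = 3600

# Constructed client registry; a real server would keep hashed secrets in a store.
CLIENTS = {
    "demo-app": {"secret": "demo-secret", "redirect_uri": "https://app.example/cb"},
}

_codes = {}    # code -> grant record (the "credential" the grant type refers to)
_tokens = {}   # access token -> token record


def issue_authorization_code(client_id, redirect_uri, user, scope, now=None):
    """Authorization endpoint: after the resource owner authenticates and consents,
    mint a single-use code bound to this client and redirect URI."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    _codes[code] = {
        "client_id": client_id, "redirect_uri": redirect_uri, "user": user,
        "scope": scope, "expires": now + CODE_TTL_SECONDS, "used": False,
    }
    return code


def exchange_code(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint: validate the grant and trade it for a bearer token.
    Returns the token response or an RFC 6749 error object."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    # Confidential client must authenticate; compare secrets in constant time.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    grant = _codes.get(code)
    # Code must exist, belong to this client, and carry the same redirect URI.
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri):
        return {"error": "invalid_grant"}
    if grant["used"]:
        # Replayed code: revoke every token already issued from it (RFC 6749 section 4.1.2).
        for token, rec in list(_tokens.items()):
            if rec["code"] == code:
                del _tokens[token]
        return {"error": "invalid_grant"}
    if now > grant["expires"]:
        return {"error": "invalid_grant"}
    grant["used"] = True
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                      "code": code, "expires": now + TOKEN_TTL_SECONDS}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS, "scope": grant["scope"]}


def introspect(token, now=None):
    """What a resource server would ask the authorization server about a presented token."""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    if rec is None or now > rec["expires"]:
        return {"active": False}
    return {"active": True, "username": rec["user"], "scope": rec["scope"]}


if __name__ == "__main__":
    code = issue_authorization_code("demo-app", "https://app.example/cb", "alice", "profile")
    print(exchange_code("demo-app", "demo-secret", code, "https://app.example/cb"))
    print("replay:", exchange_code("demo-app", "demo-secret", code, "https://app.example/cb"))
```

The same structure carries over to the other grant types: only the credential presented at the token endpoint changes (a code here, a refresh token, client credentials, and so on), while client authentication and token issuance stay the same.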

Identity provisioning

Identity Provisioning

Identity provisioning plays a key role in propagating user identities across different SaaS providers. Provisioning is the process of coordinating the creation of user accounts, e-mail authorizations in the form of rules and roles, and other tasks such as provisioning of resources associated with enabling new users. See The Evolution of Provisioning Standards for more information.

SPML - Service Provisioning Markup Language

Service Provisioning Markup Language (SPML) is an XML-based framework developed by OASIS for exchanging user, resource and service provisioning information between cooperating organizations. See The Evolution of Provisioning Standards for more information.

SCIM - System for Cross-domain Identity Management

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in the WSO2 Identity Server easier. SCIM is an emerging open standard that defines a comprehensive REST API, a platform-neutral schema, and a SAML binding to facilitate user management operations across SaaS applications, with specific emphasis on simplicity and interoperability. See The Evolution of Provisioning Standards for more information.

SOAP security

SOAP - Simple Object Access Protocol

SOAP, originally defined as Simple Object Access protocol, is a protocol specification for exchanging structured information in the implementation of Web services. It relies on XML Information Set for its message format, and usually relies on other application layer protocols, most notably Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

STS - Security Token Service

The "Security Token Service" component of WSO2 Carbon enables you to configure the generic STS to issue claim-based security tokens. A claim-based security token is a common way for applications to acquire and authenticate the identity information they need about users inside their organization, in other organizations, and on the Internet. This Security Token Service is capable of issuing SAML 1.1 and SAML 2.0 tokens as recommended in WS-Trust and SAML Web Service Token Profile specifications.

WS-Federation - Web Services Federation

WS-Federation (Web Services Federation) describes the management and brokering of trust relationships and security token exchange across Web services and organizational boundaries. WS-Federation is a part of the larger WS-Security framework. For example, WS-Federation builds on the Security Token Service (STS) by providing mechanisms that facilitate interactions. In the WS-Federation Model, an Identity Provider is a Security Token Service (STS).

WS-Security - Web Services Security

Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS. The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats.

WS-Trust - Web Services Trust

WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.

SSO and identity federation

Identity Federation

Identity federation enables users to access multiple applications using the same access credentials. This makes access easy, as users do not have to remember a different set of credentials for every application they use. However, the users have to provide their credentials to each one of the applications separately although the credentials used are the same. See Evolution of Identity Federation Standards for more information.

SSO - Single Sign On

On the other hand, SSO enables users to provide their credentials once and obtain access to multiple applications. In SSO, the users are not prompted for their credentials when accessing each application until their session is terminated. See Evolution of Identity Federation Standards for more information.

...

SAML Metadata

...


...

Identity Provisioning and its Standards

The identity provisioning section introduces the concept along with inbound and outbound provisioning. It provides information on SCIM and SPML, the provisioning protocols supported by the Identity Server, and traces the history of provisioning standards and how they progressed over time. See the page linked below to view this content.

See: Identity Provisioning and its Standards


...

Access Control and Entitlement Management

The access control and entitlement management section introduces the concept of access control and the various types of access control, and then dives deep into XACML. It provides detailed information on XACML, including the concept, terminology, and architecture. See the page linked below to view this content.

See: Access Control and Entitlement Management


...

Identity Anti-patterns and the Identity Bus

This section introduces the business problem of spaghetti identity and federation silos. It then expands on the identity bus that runs within the WSO2 Identity Server. See the page linked below to view this content.

See: Identity Anti-patterns and the Identity Bus