All posts by Prabath Siriwardena

What is new in WSO2 Identity Server 5.3.0?

Since its launch in 2007, WSO2 Identity Server (WSO2 IS) has become an industry leading product in the open source, on-premise IAM space. It’s trusted by both the government and private sectors for large scale deployments ranging up to millions of users.

Apart from the open standard support, WSO2 IS has a solid architecture to build a strong identity ecosystem around it. More than 40 connectors are now available for you to download from the WSO2 Connector Store – including SMS OTP, Email OTP, TOTP (Google Authenticator), Duo Security, mePIN, RSA, FIDO U2F – and many more. All these connectors are released under the same open source Apache 2.0 license as the product itself.

The focus of WSO2 Identity Server 5.3.0 is to build and enhance features around Identity/Account Administration and Access Governance. Here are the new features introduced in WSO2 Identity Server 5.3.0:

  • Identify and suspend user accounts that have been idle for a pre-configured amount of time. Prior to account suspension, the administrator can set up the notification system to notify the user with a warning that the account will be suspended.
    For instance, if a user has not logged in to his/her account for 90 days, the user will be notified that his account will be suspended within the next 7 days if there continues to be no activity, after which the account will be suspended.
  • A new REST API was introduced to recover a lost/forgotten password, i.e., by using email notifications or secret questions. It is also possible to recover the username if forgotten. This extends the functionality of the SOAP service WSO2 IS had before 5.3.0.
  • The administrator can trigger a password reset for a given user. This may be required if the user forgets the credentials and asks the administrator to reset the password — and also in cases where the credentials have been exposed to outsiders, in which case the administrator can lock the account and enforce a password reset.
  • Support for Google reCAPTCHA as a way of brute-force mitigation. The administrator can configure Google reCAPTCHA in the login, password/account recovery and sign up flows.
  • Maintain the history of the user’s passwords according to a pre-configured count. This prevents a user from using a password he/she has used in the recent past. For example, if you configure a count of 5, the user will be prevented from reusing his/her last 5 passwords as the current password.
  • The administrator can monitor all active login sessions — and can selectively terminate them.
  • Enforce policies to control outbound user provisioning operations. For example, you can provision users having the salesteam role to Salesforce and anyone having an email address with the domain name foo.com to Google Apps.
  • Partition users by service providers. WSO2 IS had support for multiple user stores since its version 4.5.0. With this new feature, the administrator can specify against which user store the user should authenticate, by the service provider. For example, only the users in the foo user store will be able to access the foo service provider.
  • Enforce policies during the authentication flow. The administrator can, for example, enforce a policy which states only the users having the salesteam role can access Salesforce, and only during a weekday from 8 AM to 4 PM.
  • Improvements for the JIT provisioning flow. The administrator can now specify mandatory attribute requirements for JIT provisioning and if any of those are missing, WSO2 IS will prompt the user to enter the values for the missing attributes.
  • Improvements for identity analytics. With WSO2 IS 5.3.0 the identity administrator can get alerts for abnormal and suspicious login sessions.
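The password history feature above is a small policy that is easy to get wrong: the history must store only salted password hashes (never the old passwords), the comparison must be constant-time, and the window must include the current password so that "last 5" really covers five distinct values. The following is an added illustration written for this post, not WSO2 Identity Server's own implementation; the class name `PasswordHistory`, the PBKDF2 parameters and the `HISTORY_COUNT` of 5 (taken from the example in the text) are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Optional, Tuple

HISTORY_COUNT = 5          # policy from the post: reject reuse of the last 5 passwords
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password using PBKDF2-HMAC-SHA256.

    A fresh random salt is generated unless one is supplied (which is only
    done when re-deriving a digest to compare against a stored entry).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Keeps the hashes of a user's most recent passwords, current one included.

    With count=5 the deque holds the current password plus the four before it,
    so the user cannot re-select any of the last five values.
    """

    def __init__(self, count: int = HISTORY_COUNT) -> None:
        self.count = count
        # maxlen evicts the oldest entry automatically once the window is full
        self.history: Deque[Tuple[bytes, bytes]] = deque(maxlen=count)

    def is_reused(self, new_password: str) -> bool:
        """True if new_password equals any password still inside the window."""
        return any(matches(new_password, salt, digest) for salt, digest in self.history)

    def change_password(self, new_password: str) -> bool:
        """Apply the policy; returns False (and changes nothing) on reuse."""
        if self.is_reused(new_password):
            return False
        self.history.append(hash_password(new_password))
        return True


if __name__ == "__main__":
    # Constructed walk-through: five distinct passwords fill the window,
    # reusing the oldest is rejected until a sixth change evicts it.
    ph = PasswordHistory()
    for i in range(5):
        print("set pw%d:" % i, ph.change_password("pw%d" % i))
    print("reuse pw0:", ph.change_password("pw0"))
    print("set pw5:", ph.change_password("pw5"))
    print("reuse pw0 after eviction:", ph.change_password("pw0"))
```

Because only salted PBKDF2 digests are retained, a leaked history table gives an attacker nothing a leaked credential table would not already give, and the constant-time `compare_digest` avoids leaking which historical entry a candidate matched.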

In addition to the above set of features, WSO2 IS 5.3.0 also introduced a set of enhancements for its existing open standards.

  • SAML 2.0 Metadata Profile
  • SAML 2.0 Assertion Query/Request Profile
  • OpenID Connect Dynamic Client Registration
  • OAuth 2.0 Token Introspection
  • OpenID Connect Discovery
  • JSON/REST profile of XACML

WSO2 IS 5.3.0 is now the best it’s ever been. We hope you will find it quite useful to address your enterprise identity management requirements, and we’re more than happy to hear your feedback/suggestions — please feel free to post them to bizdev@wso2.com or dev@wso2.org.

WSO2 Joins Cloud Security Alliance

After watching the good work of the Cloud Security Alliance (CSA) for more than a year, WSO2 has joined as a Corporate Member.

As you know, WSO2 offers the very first completely open source Platform as a Service (PaaS). Taking our Carbon-based middleware platform to the next level, WSO2 Stratos offers the most complete, enterprise-grade, open PaaS, with support for more core services than any other available PaaS today. Unlike many cloud platforms, WSO2 Stratos, the software behind the WSO2 StratosLive Java PaaS, is available as a fully supported product that can be installed and run on-premise.

WSO2 Stratos provides the core cloud services and essential building blocks, for example federated identity and single sign-on, data-as-a-service and messaging-as-a-service and more, required for developing SaaS and cloud applications.

Building a cloud PaaS is actually quite a challenge, but no pain, no gain!

We took up the first challenge of getting our Carbon stack running on an OSGi runtime. This was not an easy task, and one that some vendors were unable to complete, but we found it necessary in order to build cloud nativity deeply into the platform and to enable incremental upgrades and additions to the platform as a live entity.

Security represents one of the biggest challenges we faced in making Stratos a reality. We had to rebuild the foundations of the system to focus on tenant isolation, data security, restricted operations, tenant-based user stores, standards-based security models, and integration with other *aaS models, among other concerns. Stratos today supports many of the most popular open standards related to security and identity management, including SAML2, OpenID, OAuth, XACML and WS-Security.

A few months back we received some recognition of this work, as a recipient of KuppingerCole’s European Identity Award 2011 in the Cloud Provider Offerings category. The award recognizes WSO2 specifically for WSO2 Stratos Identity, citing the multi-tenant open source cloud service for its OpenID and XACML support and its innovative features, including the ability to migrate from on-premise to a full cloud service (and back).

Stratos has come a long way, with customers now adopting the platform, and we welcome the opportunity to both share our experiences with other cloud providers and be part of the conversation in moving cloud security forward.

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

Among many in our community, questions about whether to move to the cloud or not, whether to move to a private or public cloud, and so forth mostly revolve around security concerns. We look forward to helping address those concerns, and to contributing to the standards and guidelines promoted by the CSA to educate users about ensuring that the future of the cloud is secure.

Prabath Siriwardena, Architect & Senior Manager – Carbon Platform & Security
blog: http://blog.facilelogin.com