WSO2 debuts Identity Solution to simplify authentication across Web applications, protect users from attacks

Open Source Identity Solution Ensures Interoperability with Multiple Vendors’ CardSpace Components

Colombo, Sri Lanka and Mountain View, CA – December 11, 2007 – WSO2, the open source SOA company, announced today the launch of the WSO2 Identity Solution (IS) to help customers address the challenges of managing user identities in Web applications and protect against attacks, such as phishing. Providing an easy-to-use management console, the highly interoperable WSO2 IS removes the barriers to implementing consistent identity management across the many applications, data sources and services that comprise a service-oriented architecture (SOA).

The WSO2 IS enables LAMP and Java websites to provide strong authentication based on the new interoperable Microsoft CardSpace technology, which is built on the open standards Security Assertion Mark-up Language (SAML) and WS-Trust. WSO2’s new open source security offering features an easy-to-use Identity Provider that is controlled by a simple Web-based management console and supports interoperability with multiple vendors’ CardSpace components, including those provided by Microsoft .NET. The WSO2 IS also works with enterprises’ current identity directories, such as those based on the Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory, allowing them to leverage their existing infrastructure.

“The inherent heterogeneous nature of modern SOA and Web applications brings a new challenge in managing and protecting the identities of the users it serves,” said Dr. Sanjiva Weerawarana, CEO of WSO2. “With our new Identity Solution, we can help developers and administrators solve this challenge using open standards and open source to deliver a proven secure and interoperable system with a simple, intuitive interface that anyone can readily use.”

WSO2 Open Source Approach to Identity Metasystem

CardSpace is Microsoft’s approach to the Identity Metasystem, an interoperable architecture for digital identity that has emerged to address the growing problem of securely maintaining and managing identities across extended spaces, including large enterprises and the Web. WSO2’s Identity Solution offers customers a new open source alternative that works with popular open source and Java websites while supporting the new CardSpace approach found in Microsoft’s Internet Explorer 7.0 browser and Mozilla’s Firefox.

Built on a core of open standards such as SAML and WS-Trust with proven interoperability, the WSO2 IS ensures interoperability with CardSpace components from different vendors. At the same time, it allows easy integration and migration of traditional identity management solutions to CardSpace-based identity management.

The WSO2 Identity Solution also works closely with existing websites, including those built on the market-leading Apache HTTPD and Tomcat servers, as well as many PHP, LAMP, and J2EE servers.

By working with existing IT infrastructures, the WSO2 IS helps enterprises to address the top identity management issues they face today, including:

  • Protecting users from identity-related attacks.
  • Empowering users to securely provide the minimum required private information to websites.
  • Eliminating the need for websites to maintain unnecessary or duplicate user information.
  • Reducing overall the data that websites must store while minimizing the dangers of identity theft.

WSO2 Identity Solution Features

The WSO2 IS features two primary components: the Identity Provider and Relying Party Component Set.

The Identity Provider is an application that provides the ability to issue “cards”—a new cross-vendor standard for identity management. WSO2 supports both managed information cards, which are issued by the Identity Provider and backed by a username and password, as well as self-issued cards, which enable users to manage their own identities using software in their browsers. Once a user has a card, this can be used to login to any Web application that supports CardSpace authentication. One key benefit is that the security details are only stored by the trusted Identity Provider—the website doesn’t need to store any passwords or other personal details. Key features of the Identity Provider include:

  • User store support. Identity Provider supports most common directories that offer the standard LDAP or Java Database Connectivity (JDBC) interfaces, in addition to offering a simple built-in user store for smaller companies.
  • Claim support. By providing full support for standard and custom claims, the Identity Provider helps users keep full control over what personal information is shared with websites.
  • Statistics, reporting and an audit trail. These functions enable administrators to monitor user accounts and issuances of information cards and tokens for login requests to relying party Web applications.
  • Revoking mechanism. Administrators can revoke issued information cards and block them from being used for authentication.

The other key part of the WSO2 Identity Solution is the Relying Party Component Set which plugs into the most common website servers to add support for CardSpace authentication requests. At the core is the Apache HTTPD module (mod_cspace), which processes incoming CardSpace authentication requests and provides the extracted information from the received token to the Web application. Because this is independent of any server-side Web framework, the module can be used to set up CardSpace authentication with any Web framework running on Apache2, including PHP, Python and Perl applications.

Significantly, the Apache HTTPD Relying Party component enables CardSpace authentication for both dynamic Web applications and static content, including a special feature to allow access control for static content in Apache HTTPD. Other key features of the Apache HTTPD module include an easy integration interface for developers; simple configuration for server administrators; and support for leading content management frameworks, such as Drupal and MediaWiki. In addition, the Relying Party support includes a Java servlet filter that provides an easy integration point for J2EE-based Web applications, including the popular Apache Tomcat and JBoss application servers.

Service and Support Options

WSO2 offers a range of service and support options for the WSO2 Identity Solution. These include full commercial support, training, consulting, custom development, and sponsorship of open source feature development. For information on the webinars, as well as service and support fees, visit . Additionally, the WSO2 Oxygen Tank ( ) is an open portal that provides in-depth product information, tutorials, tools, forums, wikis and more.