WSO2 Identity Server 5.8.0 is Here!

WSO2 Identity Server 5.8.0 is the latest success story of our Identity and Access Management team. After a marathon effort, we are glad to release v5.8.0 with new features, major improvements, and bug fixes.

New Features

OpenID Connect Back Channel Logout

Until now, WSO2 Identity Server has supported OIDC Session Management as its OIDC logout mechanism. From v5.8.0 onwards, it also supports OIDC Back-Channel Logout. OpenID Connect Back-Channel Logout is a mechanism in which Relying Party (RP) applications are logged out through logout requests sent directly between the OpenID Provider (OP) and the RPs, bypassing the User Agent. The main advantage of this method is that it does not depend on the user agent, which makes the logout less fragile.
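As an added illustration (not code from WSO2 Identity Server), here are the RP-side checks that make a back-channel logout safe to act on: the logout token is a JWT that the OP posts directly to the RP, so the RP must verify its signature, issuer, audience, freshness, the mandatory `events` member, the absence of `nonce`, and the `jti` for replay before ending the matching sessions. The example assumes an HS256 shared secret and an in-memory session table; a real deployment would verify against the OP's published signing keys.

```python
import base64, hashlib, hmac, json

# Event URI that every OIDC back-channel logout token must carry in "events".
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_logout_token(claims: dict, key: bytes) -> str:
    """OP side (constructed for the demo): HS256-signed JWT over the claims."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token, key, issuer, client_id, now, seen_jti, max_age=120):
    """RP side: checks from OIDC Back-Channel Logout 1.0; returns (sub, sid)."""
    head, body, sig = token.split(".")            # ValueError unless 3 parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never accept alg=none
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    c = json.loads(_unb64url(body))
    aud = c.get("aud", [])
    if c.get("iss") != issuer or client_id not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong iss or aud")
    if not isinstance(c.get("iat"), int) or abs(now - c["iat"]) > max_age:
        raise ValueError("iat missing or stale")
    if LOGOUT_EVENT not in (c.get("events") or {}):
        raise ValueError("not a logout token")    # "events" member is mandatory
    if "sub" not in c and "sid" not in c:
        raise ValueError("need sub or sid")
    if "nonce" in c:
        raise ValueError("nonce is prohibited")   # stops an ID token being passed off as one
    if not c.get("jti") or c["jti"] in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(c["jti"])
    return c.get("sub"), c.get("sid")

def terminate_sessions(sessions: dict, sub, sid) -> list:
    """Drop every RP session matching sid if one was given, else all of sub's."""
    match = (lambda s: s.get("sid") == sid) if sid else (lambda s: s.get("sub") == sub)
    victims = [k for k, s in sessions.items() if match(s)]
    for k in victims:
        del sessions[k]
    return victims
```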

SAML Front Channel Logout

From WSO2 Identity Server 5.8.0 onwards, SAML Front-Channel Logout is supported. In SAML Front-Channel Logout, session participants can use asynchronous bindings such as:

  • HTTP Redirect Binding
  • HTTP POST Binding
  • Artifact Binding

Use this logout mechanism when the browser (user agent) must take part in the logout.

Improvements

Product Observability

Product observability enables rapid debugging of product issues. It makes it easy to narrow down issues in a production system by tracking the time taken by the major flows of the system, which helps to identify problems such as slow performance. A drop in performance can have several causes, for example database bottlenecks, LDAP bottlenecks, or multiple JDBC queries. The observability feature helps you to identify the exact bottleneck that is slowing down performance.

SCIM2 Improvements for Filtering and Pagination

One of the main targets of this release is to stabilize SCIM filtering and pagination. We have mainly addressed some existing inconsistencies and spec compliance issues.

Configuring X509 Authentication with SSL Termination

This is supported by having the proxy that terminates SSL pass the client certificate to Identity Server in a request header over the SSL tunnel.

Other improvements include:

  • Support for issuing access tokens per token request
  • Support for configuring a JWKS endpoint for OAuth or OIDC based service provider
  • Support for configuring SAML metadata validity period for the resident identity provider
  • Inclusion of OAuth transaction logs for token generation and introspection
  • Support for reCAPTCHA in password recovery and username recovery

Performance Improvements

Compared to previous versions, the performance of the major flows of Identity Server has improved. The following diagram shows the average response times for some major flows in v5.8.0 compared to v5.7.0.

Seamless Migration from WSO2 Identity Server 5.7.0

With a few configuration changes, a user can seamlessly migrate from v5.7.0 to v5.8.0. Schema changes are necessary only to enable the new features introduced in v5.8.0; without them the system will not break, so existing customers can simply point v5.8.0 at the database they used with v5.7.0 and continue to use the existing features. A few default configuration changes made in v5.8.0 may cause behavioral changes; these configurations are listed here.

You can learn more about WSO2 Identity Server 5.8.0 from this screencast.

Lindex: Innovating with APIs in the Fashion Retail Industry

Fashion is a dynamic industry, and any fashion retail business needs to be as agile as possible, particularly in the present era of e-commerce and instant customer gratification. This is a reality that the Scandinavia-based fashion chain Lindex, which has been around since the 1950s, is all too aware of. Currently Lindex has 470 stores in Scandinavia, Central Europe, the Baltic states, the Middle East, and the UK, with an employee base of over 5,000. Their business is underscored by sustainability, as 55% of their clothing is made from sustainable materials. Lindex decided to enhance their digital services by exposing APIs over their existing monolithic architecture. This enabled them to build applications that improved user experiences for both customers and employees.

Move With The Times

Fifteen years ago, Lindex began their first foray into e-commerce. This was very much an experimental project, where a team was tasked with designing a platform and, more importantly, monitoring customer responses to it. Lindex started with a monolithic architecture that worked satisfactorily for a decade. But there was a snag: they had accumulated a lot of technical debt over the years, and moreover, security models had changed. It was time to try something new. Lindex considered open source, as they understood that it provides greater extensibility and flexibility when building a solution.

That something new was the development of a customer loyalty app, their change agent. Lindex wanted an omni-channel app that gave users a hassle-free experience, with product information, prices, and promotions shared between the app, website, and stores. They were clear that they did not want to integrate this new system with the existing monolith, and they also knew that a new team was needed.

The new platform consisted of the customer loyalty app, the new ‘My Store’ app, and other customer experience solutions on the top layer, all exposed via an API layer. Once Lindex had completed the implementation of this first set of APIs, it immediately became apparent that the different levels of complexity within the backend systems would require different versioning of each API moving forward, as each monolithic application was adapted to become digital. The team recognized that it would need some form of management for the API framework, and a business case was undertaken to assess a number of API Manager systems that complied with industry standards. Lindex also had a preference for a security solution that could work seamlessly with their existing customer repository. These requirements, along with the need for an open source solution, led them to WSO2 API Manager (which addresses API management, development, and integration). They also chose WSO2 Identity Server, which is optimized for identity federation and single sign-on.

Multiple Teams for Multiple Customer Experiences

While the app team was developing the new application, Lindex’s team responsible for the existing monolithic architecture was busy refactoring the code in order to expose functionality for the customer shopping experience, i.e. features like shopping cart, wish list, pricing, promotions, and order details. Other development teams worked on other areas of customer experience simultaneously. The ‘My Store’ program was upgraded, and they were able to create a ‘My Stock’ app and a ‘My Customer’ app (used when in-store personnel act on behalf of customers). During the complex process of setting up multiple levels of authentication across different user groups, Lindex found that WSO2 Identity Server provided the authentication capabilities needed for these apps. In total, there were 5 teams working on enhancing customer experience, and there are plans for expansion.

Like their initial venture to e-commerce, this project has also been an experimental one for Lindex, to understand what works best and adds business value. They now believe that a gradual replacement of backend functionality is what works for them. “Thanks to WSO2 and the open source model, this has been a breeze. It’s been risk-free for us. The middleware has been rock solid from the get-go really,” says Johan Edling, an enterprise IT architect at Lindex.

Some Lessons Learnt Along the Way

Lindex gained some valuable insights when they worked on this project, and if they were to return to square one, their key advice to others starting this journey would be as follows:

  • Set up API statistics right at the start of the project, even if it looks expensive at first glance. Failing to do so is not the best course of action.
  • Time is always important: time must be allocated not only to the development of API resources, but also to the changes you anticipate.
  • Perform automated testing of API resources, and ensure that the teams working on the project have the relevant API development skills.
  • Document error handling guidelines.

With the new API design in place, Lindex now offers a modern shopping experience for their customers.

For more details, watch Johan’s talk.

WSO2 was named a Leader in The Forrester Wave™: API Management Solutions, Q4 2018 report. Check it out here and learn about WSO2 Identity Server here.