WSO2 Identity Server 5.8.0 is the latest success story of our Identity and Access Management team. After a marathon effort, we are glad to release v5.8.0 with new features, major improvements, and bug fixes.
Until now, WSO2 Identity Server has supported OpenID Connect Session Management, which depends on the browser polling the OP's session state, as its OIDC logout mechanism. From v5.8.0 onwards it also supports OpenID Connect Back-Channel Logout. In Back-Channel Logout the OpenID Provider (OP) notifies each Relying Party (RP) directly, by sending a logout token to the RP's registered back-channel logout endpoint, so the logout request bypasses the User Agent entirely. Because it does not depend on the user's browser (open tabs, iframes or third-party cookies), this mechanism is less fragile than front-channel approaches.
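The exchange described above, as an added Python example that is not code from WSO2 Identity Server: the OP mints a logout token and POSTs it to the RP, and the RP validates it before ending the matching local session. To keep the example offline it signs with HS256 and a shared client secret; a real OP signs with its private key and the RP verifies against the OP's JWKS. The issuer, client id, secret, session ids and the `RelyingParty` class are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example: not a real OP, client or key.
ISSUER = "https://op.example.com/oauth2/token"
CLIENT_ID = "rp-client-id"
SHARED_SECRET = b"constructed-client-secret"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_logout_token(sub, sid, now=None, secret=SHARED_SECRET, extra=None):
    """OP side: mint a Logout Token. HS256 keeps the example offline; a real OP
    signs with its private key and the RP verifies against the OP's JWKS."""
    now = now or int(time.time())
    header = {"alg": "HS256", "typ": "logout+jwt"}
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + 120,
        "jti": secrets.token_urlsafe(16),   # lets the RP detect replays
        "sub": sub,
        "sid": sid,                          # OP session id, same value as in the ID Token
        "events": {BACKCHANNEL_EVENT: {}},   # marks this JWT as a Logout Token
    }
    claims.update(extra or {})               # test hook: inject or override claims
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class RelyingParty:
    """RP side: local sessions keyed by the OP's sid, plus a jti replay cache
    (in production, drop cache entries once the token's exp has passed)."""

    def __init__(self):
        self.sessions = {}   # sid -> sub
        self.seen_jti = set()

    def validate_logout_token(self, token, now=None):
        now = now or int(time.time())
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h_b64, c_b64, s_b64 = parts
        header = json.loads(b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected alg")        # never accept alg=none or a surprise alg
        expected = hmac.new(SHARED_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(c_b64))
        if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
            raise ValueError("wrong audience")
        if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
            raise ValueError("bad iat")
        if "exp" in claims and claims["exp"] <= now:
            raise ValueError("expired")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("sub or sid required")
        events = claims.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
            raise ValueError("not a back-channel logout event")
        if "nonce" in claims:                         # an ID Token must never be accepted here
            raise ValueError("nonce not allowed")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return claims

    def handle_backchannel_logout(self, form, now=None):
        """Handler for POST backchannel_logout_uri (form field logout_token).
        Returns the HTTP status the RP would answer the OP with."""
        token = form.get("logout_token")
        if not token:
            return 400
        try:
            claims = self.validate_logout_token(token, now)
        except ValueError:
            return 400
        if claims.get("sid") is not None:
            self.sessions.pop(claims["sid"], None)     # end just that OP session
        else:                                          # no sid: end every session of the subject
            for sid in [s for s, sub in self.sessions.items() if sub == claims["sub"]]:
                del self.sessions[sid]
        return 200
```

The checks in `validate_logout_token` mirror the validation rules of the Back-Channel Logout specification: issuer, audience, `iat`, the `events` member naming the logout event, the absence of `nonce` (so an ID Token cannot be replayed as a logout token) and a `jti` replay cache. The RP answers 400 for any invalid token, and the OP treats anything other than 200 as a failed logout.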
From v5.8.0 onwards, WSO2 Identity Server also supports SAML Front-Channel Logout. In SAML front-channel logout the identity provider and each session participant exchange LogoutRequest and LogoutResponse messages through the user's browser, using one of the asynchronous SAML bindings:
- HTTP Redirect Binding
- HTTP POST Binding
- Artifact Binding
Use this logout mechanism when the browser must take part in the logout, for example so that each participant can clear its own browser-side session state.
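To make the bindings concrete, here is an added Python example (not code from WSO2 Identity Server) that builds a SAML LogoutRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded) and for the HTTP-POST binding (base64 only), and shows the receiving side decoding a Redirect-bound request and applying the basic Destination and NotOnOrAfter checks. The issuer and SLO URLs are constructed; signing is omitted, and in the Redirect binding the signature would travel in the `SigAlg` and `Signature` query parameters rather than inside the XML.

```python
import base64
import datetime as dt
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed endpoints for the example; not real deployments.
IDP_ISSUER = "https://idp.example.com/samlsso"
SP_SLO_URL = "https://sp.example.com/saml/slo"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(epoch):
    return dt.datetime.fromtimestamp(epoch, dt.timezone.utc)


def build_logout_request(name_id, session_index, destination, issuer, now):
    """IdP side: a <samlp:LogoutRequest> for one session participant (now = epoch seconds)."""
    issued = utc(now)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": issued.strftime(TIME_FMT),
        "Destination": destination,          # receiver must check this is its own SLO URL
        "NotOnOrAfter": (issued + dt.timedelta(minutes=5)).strftime(TIME_FMT),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="utf-8")


def redirect_binding_url(xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return SP_SLO_URL + "?" + urllib.parse.urlencode(params)


def post_binding_field(xml_bytes):
    """HTTP-POST binding: plain base64 (no DEFLATE) in a hidden SAMLRequest form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def parse_redirect_logout_request(url, expected_destination, now):
    """SP side: decode a Redirect-bound LogoutRequest and apply the basic checks.
    Signature verification is omitted; parse untrusted XML with defusedxml in production."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this endpoint")
    if root.get("NotOnOrAfter") is None:
        raise ValueError("NotOnOrAfter missing")
    deadline = dt.datetime.strptime(root.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=dt.timezone.utc)
    if utc(now) >= deadline:
        raise ValueError("LogoutRequest is no longer valid")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": query.get("RelayState", [None])[0],
    }
```

The Destination check matters because a front-channel message passes through the browser: without it, a LogoutRequest captured for one endpoint could be replayed against another. The Artifact binding listed above differs from both encodings shown here in that only a short artifact travels through the browser and the receiver resolves it over a direct back-channel call to the sender.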
Product observability makes it quicker to debug issues in a production system: Identity Server now records the time taken by its major flows, so a slow request can be traced to the step responsible. A drop in performance can have several causes, such as a database bottleneck, an LDAP bottleneck, or a flow that issues many JDBC queries, and the timing data points to the exact bottleneck that is slowing the system down.
One of the main targets of this release is to stabilize SCIM filtering and pagination; we have addressed existing inconsistencies and SCIM specification compliance issues.
Configuring X509 Authentication with SSL Termination
This is supported by passing the client certificate in a request header from the TLS-terminating proxy to Identity Server over the TLS connection between them. Because Identity Server then trusts that header as proof of the certificate, the proxy must set or overwrite the header on every request (never pass through a value supplied by the client), and Identity Server must be reachable only through the proxy; otherwise a client could forge the header and impersonate any certificate holder.
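One way to set this up at the proxy, as an added example rather than configuration shipped by WSO2: an nginx server that terminates TLS, verifies the client certificate against the CA trusted for X509 login, and forwards the certificate to Identity Server in a header. The header names, hostnames, paths and the upstream address are assumptions; use the header name your Identity Server X509 authenticator is configured to read.

```nginx
# Added example (not WSO2's own configuration): TLS-terminating reverse proxy that
# forwards the verified client certificate to Identity Server in a request header.

upstream identity_server {
    server 10.0.0.5:9443;   # assumed Identity Server address; reachable only from this proxy
}

server {
    listen 443 ssl;
    server_name is.example.com;                            # assumed hostname

    ssl_certificate     /etc/nginx/tls/is.example.com.crt; # assumed paths
    ssl_certificate_key /etc/nginx/tls/is.example.com.key;

    # Verify the client certificate at the edge against the CA you trust for X509 login.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client optional;   # "on" would also block users who authenticate another way
    ssl_verify_depth 2;

    location / {
        # proxy_set_header replaces any same-named header sent by the client, so a forged
        # X-SSL-CERT never reaches Identity Server; when no certificate was presented the
        # variable is empty and nginx omits the header entirely.
        proxy_set_header X-SSL-CERT        $ssl_client_escaped_cert;  # assumed header name
        proxy_set_header X-SSL-CERT-VERIFY $ssl_client_verify;        # SUCCESS, NONE or FAILED:...
        proxy_set_header Host $host;
        proxy_pass https://identity_server;
    }
}
```

Two points are worth checking after deployment: send a request carrying your own `X-SSL-CERT` header without a client certificate and confirm Identity Server does not receive it, and confirm port 9443 on the Identity Server host is not reachable from anywhere other than the proxy, since the header is only trustworthy when the proxy is the sole path in.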
Other improvements include:
- Support for issuing a fresh access token for every token request
- Support for configuring a JWKS endpoint for OAuth or OIDC based service provider
- Support for configuring SAML metadata validity period for the resident identity provider
- Inclusion of OAuth transaction logs for token generation and introspection
- Support for reCAPTCHA in the password recovery and username recovery flows
Compared to previous versions, the performance of the major flows of Identity Server has improved. The following diagram shows the average response times of some major flows in v5.8.0 compared to v5.7.0.
Seamless Migration from WSO2 Identity Server 5.7.0
With a few configuration changes, you can migrate seamlessly from v5.7.0 to v5.8.0. The schema changes are needed only to enable the new features introduced in v5.8.0; without them the system does not break, so existing customers can point v5.8.0 at the database they used with v5.7.0 and keep using the existing features. A few default configuration changes made in v5.8.0 may cause behavioral changes; these configurations can be referred to here.
You can learn more about WSO2 Identity Server 5.8.0 from this screencast.