Introducing WSO2 Private CIAM Cloud and Identity Server 6.0

WSO2 Identity Server is an API-driven open source IAM product designed to help you build effective CIAM solutions. It is based on open standards such as SAML, OAuth, and OIDC with the deployment options of on-premise, cloud, and hybrid. It supports complex IAM requirements given its high extensibility. WSO2 Identity Server manages more than 1 billion identities worldwide. 

WSO2 Identity Server 6.0.0 adds integration with third-party analytics tools (ELK), integration with TypingDNA for authentication based on typing biometrics, password-less authentication with MagicLinks, multi-attribute log-in support to give users more sign-in options, and device flow support to bring CIAM to a broader range of devices and more features and enhancements.

WSO2 Private CIAM Cloud is a new solution offering a fully managed CIAM platform that comes with proven best practices so that you can innovate fast and deploy projects on your dedicated cloud infrastructure in your region - in just a few weeks. In addition to containing all of the capabilities of Identity Server 6.0, WSO2 Private CIAM Cloud has new Organization Management capabilities for B2B CIAM deployments.

Identity Server 6.0 Key Features and Enhancements

Integration of ELK for identity analytics 

WSO2 Identity Server 6.0.0 now supports Elastic stack-based Analytics (also known as ELK). Also, Identity Server can integrate with other Analytics solutions through the events it publishes. The ELK Stack is an open-source log analytics solution that is popular, scalable, and cloud-native.

The Elastic Stack meets the needs of growing businesses with an efficient, integrated toolset designed to deliver actionable real-time insights from large sets of search data. Its highly active community and years of successful implementations offer an unmatched combination of maturity and future-proof development. Considering all the benefits of the Elastic stack we have chosen it for our analytics solution.

The implemented ELK-based analytics solution contains 4 main components: Filebeats, Logstash, Elasticsearch, and Kibana.

Figure 1: Implemented ELK-based analytics solution

WSO2 Identity Server publishes analytics data to a log file and that file is used as a source for the ELK analytics solution. Filebeat monitors the log file collects log events, and forwards them to Logstash. Logstash transforms the data and sends it to Elasticsearch. Elasticsearch is the core component of the Elastic Stack and is a distributed RESTful search and analytics engine that can be used to store, search, and analyze large volumes of data quickly and in near real-time. Kibana is a visualization layer that works on top of Elasticsearch, giving users the ability to analyze and visualize data in many ways, including their own custom-designed views. The Kibana dashboard can be accessed using basic authentication or single sign-on with the WSO2 identity server. There are three default dashboards in the dashboard section.

Auth dashboard 

Shown below is the auth dashboard for the login analytics, which includes statistics related to login attempts made via the WSO2 Identity Server.

Figure 2: Auth dashboard

Session dashboard

The session dashboard is used for the visualization of user session statistics. It displays critical session-related data including the currently active session count, session count over time, and average session duration. 

Alert dashboard

The alert dashboard is used to fulfill alerting requirements. It can be used to send events upon detection of abnormal behavior related to authentication operations carried out by the WSO2 Identity Server. Suspicious Login is an example of abnormal behavior. That happens when there is a successful login attempt after a few consecutive failed attempts.

Integration with TypingDNA

TypingDNA is a behavioral biometrics vendor delivering typing biometrics technology as an API for user-friendly authentication. TypingDNA authentication is integrated as an additional authentication mechanism in WSO2 Identity Server 6.0.0, that supports 2FA, without sacrificing UX. TypingDNA provides a perfect balance of both strong 2FA security and good UX. It leverages typing biometrics to provide customers with a seamless, user-friendly, risk-based authentication (RBA) experience to enhance security and fraud detection. TypingDNA achieves this functionality by using a combination of both client-side and server API resources. TypingDNA provides typing pattern recorders to record the users typing biometrics. The recorded typing patterns are then sent to their REST API for pattern enrollment and verification. The user experience of the login flows can be improved with the integration of TypingDNA without compromising security. 

Passwordless authentication with MagicLinks

Passwords are becoming obsolete, and the world is exploring various technologies to allow users to log in without passwords. It helps to prevent password-based attacks. Using MagicLinks is a viable passwordless authentication approach for all those who prefer an alternative to FIDO2. When a user attempts to log in, a link (the MagicLink) will be sent to the user’s registered email address. The user can seamlessly log in to the application by clicking the MagicLink.

Multi-attribute login support 

Depending on the business, the applications may need to authenticate with different login attributes. For example, 

• Social Media applications use userId, email, or mobile number as the identifier. 
• Internet banking applications use userId or username as the identifier
• Corporate enterprise applications use email as the identifier. 

In WSO2 Identity Server 6.0.0 provides the capability to use different login attributes as a productized feature. It gives users the flexibility to choose their preferred identity attribute when logging in, such as email, username, or mobile number. A privileged user in the organization can configure the list of allowed attributes that can be used as the login identifier. 

Device flow support 

This expands the range of devices an organization can use within their overall digital customer experience solution to include devices with limited user input capabilities (such as smart TVs which do not have keyboards). With device flow support, users can leverage other devices, such as smartphones, to complete the login on the limited input device. An example of using the device flow support is shown below.

Figure 3: Device flow support

PBKDF2 hashing support for user passwords

Identity Server 6.0.0 now supports PBKDF2 hashing for improved user password security. This is a simple cryptographic key derivation function, which is highly resistant to brute force attacks. PBKDF2 is recommended by NIST and PBKDF2 is required to achieve FIPS-140 compliance.

Authentication SDKs (React, Javascript, Angular, Python)

Taking a further step to make the developer experience better, we introduced four new SDKs, targeting Javascript, React, Angular, and Python developers. These will alleviate the burden of requiring knowledge in authentication protocols, writing code, and performing advanced configuration, leaving developers a simple integration with simple configurations.

Federated IDP initiated OIDC back-channel logout:

Logout is an operation done by users when the active sessions are no longer needed. The logout can be initiated from the Application side or the IDP side. In both cases, the connected application sessions should also be logged out in order to prevent the likelihood that unauthorized parties can "take over" the sessions.

When it comes to the OIDC identity federation in Identity Server, WSO2 IS acts as an RP to the federated identity provider. This feature enables the termination of the sessions and revokes tokens in WSO2 IS (RP), whenever there is a session update on the federated IDP (OP) side. The OIDC Back Channel Logout v1.0 spec defines a mechanism for communicating logout requests to all RPs that have established sessions with an OP. This mechanism relies upon direct communication of such requests between OP and RPs bypassing the User-Agent. It imposes new requirements that RPs have a logout endpoint that is reachable by the OP. 

Try WSO2 Identity Server 6.0.0 today!

WSO2 Identity Server 6.0.0 is available today as an open-source product released under the Apache License 2.0. The product is backed by a WSO2 Subscription, which features access to WSO2 Update for continuous delivery of bug fixes, security updates, and performance enhancements, along with WSO2 Support for 24x7 support. Unified pricing means customers can simply buy a WSO2 Subscription and choose the hosting model— cloud, on-premises, or hybrid— based on their preferences. 

Details on WSO2 Subscription are available at https://wso2.com/subscription; information on WSO2 Consulting Services can be found at https://wso2.com/consulting.

Download the latest version of WSO2 Identity Server and follow the official product documentation to get started. 

If you want community guidance, head over to our slack channel. We have a global community ready to help.

WSO2 Private CIAM Cloud Delivers B2B CIAM Capabilities Through Organization Management

For organizations that need the convenience of an externally managed service with the added benefits of a single tenancy, WSO2 Private CIAM Cloud provides a dedicated CIAM solution that’s hosted in our own secure cloud environment and completely managed and maintained by our WSO2 expert staff.

Figure 4: WSO2 Private CIAM Cloud

In today’s competitive environment, many organizations seek to expand their business operations through innovative partnerships (B2B). These partnerships can transform an organization’s entire value delivery chain, allowing them to create new business models and reach more customers. WSO2’s new Organization Management features enable businesses to leverage best-in-class CIAM capabilities to increase revenue throughout their partner network.

WSO2 Private CIAM Cloud supports B2B and B2B2C business models through the B2B organization management feature. Unlike other CIAM products that are limited to simple organization management, the B2B organization management in WSO2 Private CIAM Cloud handles complex nesting, which gives enterprises the flexibility to:

• Define multiple sub-organizations as required to map unique B2B organization hierarchies


Figure 5: MedVerse

In this example, MedVerse is a business that provides services to hospitals. It directly provides services to ‘Hospital a’ and ‘Hospital b’. Also, it provides services to the ‘Hospital x’ and ‘Hospital y’ through the MedCo reseller. The complex business hierarchies can be defined in the WSO2 Private CIAM Cloud. 

Figure 6: WSO2 Private CIAM Cloud

• Define fine-grained delegated administration controls to sub-organizations to reduce administrative complexity. 


Figure 7: Medverse

In this example, Tony is the MedVerse system administrator. He can delegate the Administration privileges to Jay and Pam who are the system administrators of ‘Hospital a’ and ‘Hospital b’. so that Jay and Pam can manage the operations in their respective organizations. Likewise, Tony can delegate access to Joe who is the system administrator of MedCo reseller organization. Then, Joe can delegate access to Tim and Mary who are the system administrators of ‘Hospital x’ and ‘Hospital y’. so that Tim and Mary can manage the operations of their respective organizations.

• Create unique security and operational processes within each domain, including login options, strong authentication, and self-service features. 

Try WSO2 Private CIAM Cloud today!

WSO2 Private CIAM Cloud is available today as a hosted solution. The sandbox provides a simulated environment to test the WSO2 Private CIAM Cloud. Try out the sandbox