1 Dec, 2020 | 3 min read

What’s New with WSO2 Identity Server 5.11?

  • Pulasthi Mahawithana
  • Software Engineer - WSO2 Inc.

We’re excited to announce the latest version of our product—WSO2 Identity Server 5.11. Our mission is to continuously make the life of the developer easier. With this latest release, we’ve introduced a beta version of a new console (dev portal), SDKs, integration with HashiCorp, and more. You can also watch our release demo for this version here.

The WSO2 Identity Server team

Feature Highlights

A New Console for Developers and Administrators (BETA)

This is a continuation of our efforts to provide a better user experience with the product. This time, developers and administrators will benefit from our all-new console. Just like the user portal—which we introduced in the prior release—the new console provides an excellent user-friendly UX and consumes our recently introduced REST APIs.

Software Development Kits (SDK) for Java, .Net, and Android

Taking a further step to make the developer experience better, we introduced three new SDKs, targeting java, .net, and android developers. These will alleviate the burden of requiring knowledge in authentication protocols, writing code, and performing advanced configuration, leaving developers a simple integration with simple configurations.

Group and Role Separation

Identity Server used to treat the roles and groups as a single type of entity in the form of roles. With this release, we separated those two and introduced ‘Groups’, which will be a collection of users. Roles will continue to have permissions assigned to them, and, in addition to just users, (as in previous versions), they may now have groups assigned to them as well. As a part of this effort, we also introduced a new API to manage the roles, whereas the SCIM Group API will continue to be the option for group management.

Symmetric Key Encryption

In our previous releases, asymmetric key encryption was used for encrypting internal data as well as for signing purposes. From this release onwards, we will be using symmetric key encryption as the default encryption mechanism to encrypt internal sensitive data. This will result in better performance and will have a lower impact on data migration, as we will only need to re-encrypt the symmetric key protected by the asymmetric key whenever there is a need to rotate the keys.

Integration with HashiCorp Vault

When it comes to storing secrets, HashiCorp Vault is known as the most popular and widely adopted tool in the community. In addition to keeping your secrets protected, it provides the capabilities to govern your secrets. And, with this release, Identity Server is capable of using HashiCorp Vault to keep its configuration secrets (such as database passwords, key store passwords) protected and used at the runtime.

Tenant Qualified URLs (BETA)

WSO2 Identity Server has been relying on the payload or the query parameters on the HTTP request, to identify the tenant context until this release. There have been limitations on the above approach on tenant level sharing and branding use cases. The reason was the inconsistency and HTTP level limitations of tenant identification, and processing complexity at the routing level.

With this release, we introduced an option to switch to tenant qualified endpoints, which consistently qualifies every URL/endpoint of WSO2 Identity Server with tenant in a path parameter. This provides more flexibility in tenant wise sharing and branding than previous releases.

Tenant Wise CORS Management (BETA)

Cross-Origin Resource Sharing (CORS) is a key requirement for single-page applications (SPAs) to use OpenID connect based authentication. We supported this as a global configuration in previous versions. Due to that, introducing new origins required a server restart and configuring origins tenant-wise was not a possibility. With this release, the CORS configurations are made easy to apply by making them configurable at the application level and enforced at the tenant level.

Upgrade to OpenSAML 3

We upgraded the outdated versions of the third-party libraries along with the release, and the OpenSAML 3 upgrade is the most significant one out of those. With this upgrade, all our use cases around SAML and STS are further improved.

And Other Helpful Features for CIAM

Identity Server was rated as a top-level performer for Customer Identity and Access Management (CIAM) in many different analyst reports, which include Forrester and Kuppingercole. To make the CIAM stories more compelling, we made some notable improvements around the CIAM use cases. These include:

  • Trigger email validation on email address change
  • Trigger SMS based verification on mobile number change
  • Enforcing uniqueness and regex validation for challenge question answers to avoid risks due to weaker answers
  • Auto-login the user upon successful password recovery improving account recovery experience
  • Revoke session bounded tokens on logout and session expiry events.

Planning to migrate to the new version?

If you already have Identity Server 5.10.0 or an earlier version, you can seamlessly migrate to this version. We have carefully analyzed how the new features and improvements will impact the migration, and prepared a comprehensive migration process guide to make your migration journey seamless. You can refer our migration process documented here.

What’s Next?

We are currently working on further improvements to our newly introduced developer portal, and introducing new SDKs for more and more platforms to make it a great experience for developers. We are also working on stabilizing and improving the scalability and cloud-native aspect of the product core.

Until then, you can join our mailing lists and engage with our developers directly. You can also participate in discussions related to the product in the architecture mailing list. If you’re ready, you can go try the product here—it’s open source.

If you have any questions regarding the product, you can use our Stack Overflow forum to raise them as well. You can also reach out to us via [email protected], [email protected], [email protected], Stack Overflow, Twitter, and Slack.