Introducing WSO2 Identity Server 7.3: Agentic AI, B2B CIAM, and Decentralized Identity

WSO2 Identity Server's goal is to make IAM simpler for developers without trading away the depth that production environments require. Version 7.3 advances that goal across three areas: securing AI agents that operate in the background, making B2B CIAM less complex, and bringing decentralized identity into the core product.

Expanding support for agentic AI

WSO2 was among the first IAM vendors to deliver support for AI agents. This release reflects what we've learned working closely with customers and prospects, translating real-world requirements into meaningful capability improvements.

Access delegation for background AI agents (CIBA)

Traditional identity systems assume a human is present at login. That assumption breaks down for AI agents that run independently: monitoring data, triggering workflows, or making decisions without a user actively in the loop.

WSO2 Identity Server 7.3 adds support for Client Initiated Backchannel Authentication (CIBA). CIBA enables asynchronous authentication and secure access delegation: an agent can request permission to act, and the user approves that request from their mobile device when it suits them. The device consuming the service no longer needs to be the same device used for authentication. That separation is what makes ambient, autonomous AI workflows practical.
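The decoupled flow described above, sketched as an added example (not WSO2 code or configuration): an agent starts a backchannel request and polls the token endpoint until the user decides on their own device. The grant type, `auth_req_id`, `interval` and error codes follow the OpenID CIBA Core specification; poll mode, the in-memory server, the function names and the sample values are assumptions constructed for illustration.

```python
import secrets
CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core

class FakeAuthorizationServer:
    """Constructed in-memory stand-in for an authorization server (poll mode)."""
    def __init__(self, decision, decide_at=0, lifetime=120, interval=5):
        self.decision, self.decide_at = decision, decide_at  # "approve", "deny" or None
        self.lifetime, self.interval, self.requests = lifetime, interval, {}

    def backchannel_authenticate(self, login_hint, scope, now):
        # A real server would now push a consent prompt to the user's own device.
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"start": now, "last_poll": None, "scope": scope}
        return {"auth_req_id": auth_req_id, "expires_in": self.lifetime,
                "interval": self.interval}

    def token(self, grant_type, auth_req_id, now):
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None:
            return {"error": "invalid_grant"}
        if now - req["start"] >= self.lifetime:
            return {"error": "expired_token"}
        too_fast = req["last_poll"] is not None and now - req["last_poll"] < self.interval
        req["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if self.decision is None or now < req["start"] + self.decide_at:
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]  # auth_req_id is single use once decided
        if self.decision == "deny":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "scope": req["scope"]}

def agent_obtain_token(server, login_hint, scope, clock=0):
    """Agent side: start the request, then poll until the user decides or it expires."""
    ack = server.backchannel_authenticate(login_hint, scope, clock)
    interval, deadline, polls = ack["interval"], clock + ack["expires_in"], 0
    while clock < deadline:
        clock += interval  # simulated clock; a real agent would sleep(interval)
        polls += 1
        resp = server.token(CIBA_GRANT, ack["auth_req_id"], clock)
        err = resp.get("error")
        if err is None:
            return {"status": "granted", "polls": polls, "token": resp}
        if err == "slow_down":
            interval += 5  # back off by at least 5 seconds, as CIBA Core requires
        elif err != "authorization_pending":
            return {"status": err, "polls": polls, "token": None}  # denied or expired
    return {"status": "expired_token", "polls": polls, "token": None}
```

The agent never handles the user's credentials: it holds only the `auth_req_id`, which stops working once the user has decided or the request has expired.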

Extending our lead in B2B CIAM

WSO2 was rated an Overall Leader in the 2024 KuppingerCole Analysts B2B IAM Leadership Compass. Version 7.3 adds several capabilities driven by feedback from customers running complex B2B environments.

Enhanced organization authentication

The authentication model for B2B scenarios has been overhauled to reduce redirections and simplify the login flow. The updated model includes:

  • API-based authentication with a cleaner developer experience
  • Organization discovery during the login process
  • Single Sign-On (SSO) across organization-level and B2B SaaS applications
  • Extended support for Password and Client Credentials grant types within organization contexts

UI support for B2B user sharing

Inviting or managing users in sub-organizations previously required API calls. Version 7.3 adds a dedicated UI in the Admin Portal for managing users shared across organizations. Administrators can now handle these multi-organization relationships through an interface rather than scripts.

Token issuer selection and exchange for sub-organizations

Architectural flexibility matters in B2B deployments. Sub-organization administrators can now:

  • Select the token issuer: Choose whether the root organization or the sub-organization acts as the Identity Provider (IdP) and signs tokens for a given application.
  • Token exchange: Allow applications within sub-organizations to participate in delegation flows, exchanging tokens securely within larger B2B ecosystems.

Decentralized identity in the core product

WSO2 has supported decentralized identity through integrations for some time. Version 7.3 brings these capabilities into the product directly. Digital ID adoption is expanding globally, and this release reflects a deliberate decision to treat decentralized identity as a first-class capability rather than a third-party dependency.

Verifiable credential issuance with OpenID4VCI

Manually verifying identity claims (employee badges, professional licenses, certifications) is slow and creates opportunities for fraud. Verifiable Credentials (VCs) address this with cryptographically signed digital documents that users carry in their own wallets.

WSO2 Identity Server 7.3 adds native support for the OpenID for Verifiable Credential Issuance (OpenID4VCI) standard. Organizations can now issue VCs directly to users' wallets without a third-party platform. Administrators define credential templates and manage the issuance flow using the same OAuth 2.0 and OpenID Connect infrastructure already in place.

App-native authentication enhancements

WSO2 introduced App-Native authentication in 2024, allowing developers to build login experiences directly into mobile apps without redirecting users to a browser. Version 7.3 extends this in two directions.

SAML identity provider support

App-Native authentication previously supported OAuth 2.0 applications only. It now supports external SAML IdPs, giving organizations using SAML-based identity providers access to the same native login experience.

Native support for device code flow

App-Native authentication now supports the Device Code Flow, designed for input-constrained devices such as smart TVs and set-top boxes. Users authenticate on a secondary device while the primary device receives access, with the authentication logic running within the native framework.

Security, governance, and compliance

Several additions in 7.3 address regulatory and security requirements directly.

Rule-based approval workflows. Administrators can define rules to trigger approval processes for user management operations. High-risk changes (deleting a user, modifying permissions) can be required to follow a defined approval path before taking effect.

Maximum session lifetime enforcement. Admins can set a hard limit on session duration, requiring users to re-authenticate after a defined period regardless of activity. This addresses requirements in modern security standards that prohibit indefinitely persistent sessions.

Organization-level TOTP enrollment. TOTP (Time-based One-Time Password) enrollment can now be managed at the organization level rather than configured per application. This removes the need for application-specific scripts and gives organizations a consistent MFA posture across all apps in a tenant.

What's in 7.3

WSO2 Identity Server 7.3 adds concrete capabilities in three areas that organizations are actively grappling with: AI agents that need to act without a user present, B2B identity management at scale, and decentralized credentials that work without a third-party platform. The features in this release came directly from production deployments and customer feedback.
