WSO2 Identity & Access Management - Features

原文地址 https://wso2.com/identity-and-access-management/features/
5.7.0

WSO2 Identity Server is an extensible, open source IAM solution to federate and manage identities across both enterprise and cloud environments including APIs, mobile, and Internet of Things devices, regardless of the standards on which they are based.

Enterprise/Cloud Identity Federation and SSO

  • Single Sign-On (SSO) via SAML2, OpenID Connect and WS-Federation Passive
  • SAML 2.0 based Single Logout (SLO), metadata profile and assertion query/request profile
  • OpenID Connect session management, discover and dynamic client registration
  • Federated SSO via SAML2, OpenID Connect and WS-Federation Passive with external identity providers
  • Enterprise SSO with applications such as Microsoft Office 365, Microsoft Sharepoint, Microsoft Dynamics and Microsoft Exchange
  • Provisioning, SLO and cloud synchronization capabilities with Microsoft Office 365
  • SSO between on-premise applications and cloud applications that support heterogeneous SSO protocols (identity bridging)
  • Simple service provider (SP) and identity provider (IDP) ecosystem management because SPs and IDPs are decoupled from each other (identity hub)
  • Ability to consume identities and attributes from third party IDPs by translating between different claim dialects
  • White label login and registration pages
  • Rule-based authorization support for SSO
  • Google ReCaptcha support for SSO

Adaptive and Strong Authentication

  • Context based authentication via user attributes, user behavior, user risk profile, request parameters and machine learning algorithms
  • Support for multi-option/multi-step authentication
  • Integrated Windows authentication (IWA) with Kerberos
  • X.509 authentication
  • Multi-factor authentication based on Fast IDentity Online (FIDO)
  • Time-based One-time Password (TOTP) based authentication

Account Management and Identity Provisioning

User/Group management

  • Manage users and groups
  • Claim management that supports decoupling of application dialect from underlying user store implementation
  • Flexible profile management for users supporting multiple profiles per use
  • Ability to link multiple user accounts that may belong to a single user
  • Support for heterogeneous user stores, either through built-in lightweight directory access protocol (LDAP) - powered by ApacheDS, an external LDAP, Microsoft Active Directory, or any JDBC database
  • Ability to support multiple user stores
  • Self-service user portal for business end-users to manage their credentials, profile, and authorized applications
  • Configurable password policies
  • Account locking for invalid failed login attempts
  • Account recovery with email and secret questions
  • Password history validation
  • Password pattern configuration
  • Account locking in single and multi-tenant environments
  • Account suspension reminders and locking idle accounts
  • Google ReCaptcha support for password recovery flow and self sign up
  • HTML support for email templates
  • Email template internalization and dynamic properties for email templates

Provisioning

  • Provision users and groups to WSO2 Identity Server using System for Cross-domain Identity Management (SCIM) 1.1 and 2.0 or WSO2's proprietary SOAP APIs
  • Provision users to external identity providers using SCIM 1.1
  • Create identities on the fly with just-in-time (JIT) provisioning
  • Rule-based identity provisioning

Workflows

  • Multi-option/Multi-step approval template based workflows for user and role management operations

Access Control

Fine-grained authorization

  • Manage user entitlements
  • Role-based access control (RBAC)
  • Fine-grained policy-based access control based on eXtensible Access Control Markup Language (XACML) 2.0/3.0
  • Explore policy impact prior to publishing the policies to runtime using the try-it tool
  • High performance network protocol (over Apache Thrift) for Policy Enforcement Point/Policy Decision Point (PEP/PDP) interaction
  • User-friendly Policy Administration Point (PAP) to edit XACML 2.0/3.0 policies
  • Manage multiple PDPs from a single PAP
  • Notifications on policy updates
  • Multiple Policy Information Points (PIP) to retrieve additional attributes required for policy evaluation
  • Integrates with WSO2 Enterprise Service Bus for XACML 3.0 based authorization for REST or SOAP services
  • XACML REST profile support

API Security

  • User managed access based on OAuth2 protocol
  • Delegated access control using OAuth2 and WS-Trust
  • Microprofile JWT 1.0 support for RBAC
  • Support for SAML2 bearer grant type, JWT assertion grant type and NTLM-IWA grant type
  • OAuth2 token revocation support
  • OAuth token introspection
  • OAuth 2.0 form post response mode
  • Integrates with WSO2 API Manager for OAuth2 key management

Identity Analytics

  • Login events and session monitoring
  • Monitor logged in users/sessions
  • Manually terminate user sessions
  • Admin forced password reset
  • Real-time security alerting for suspicious login activities and abnormal sessions
  • Auditing of privileged operations using distributed auditing system (XDAS)
  • Built-in collection and monitoring of standard access and performance statistics
  • Key metrics monitoring and management using JMX MBeans

Connectors to Extend the Identity Ecosystem

  • Easy access to a wide range of self-contained connectors via WSO2 Connector Store
  • Support for federated authentication with popular enterprise IDPs such as Microsoft Office 365
  • Connectors to strong authentication platforms like MePIN, Duo Security, Tiqr, Clef and more
  • Social login with popular sites like Facebook, Twitter, LinkedIn and more
  • Provisioning connectors to enterprise cloud applications like Salesforce and Google

Deployment Flexibility

  • Lightweight, developer-friendly and easy to deploy
  • Container friendly deployment
  • Clustering for high availability deployment
  • Choice of deployment to on-premise servers, private cloud, or managed cloud, without configuration changes
  • Complete SOAP API for integrating or embedding into any application or system
  • Centralized configuration management across different deployment environments with life cycles and versioning with integration to WSO2 Governance Registry

Pluggable, Extensible and Themable

  • Plug-in model for user stores, authenticators, OAuth2 grant types, etc.
  • Extension points allow integration with legacy systems
  • Numerous extension points to allow customization of certain aspects of the product if required
  • White label login and registration pages

Privacy

  • Comprehensive RESTful API which supports Kantara consent management specification. With the use of this API, you can enable consent management for any application without being vendor lock.
  • Privacy ToolKit to remove references of a deleted user's identity as and when required.
  • User Consent for Self Sign Up to provide consent when a user self registers to WSO2 Identity Server.
  • User Consent for Single-Sign-On/federation to provide users with choice and control over sharing their personal data.
  • Self care portal to manage user's consents, where users can go back to their consent declarations at any time for review, validation, revocation, or other changes.
  • Personal Information Export Capability so end users can retrieve personal information stored in WSO2 Identity Server.
  • User Consents in OpenID Connect which integrate User Consent Management into OIDC Authorization Code and Implicit flow.
  • Consent Purposes Management capabilities in administrative portal to provide an interactive UI to manage consent purposes/PII categories.
2018/10/13 posted in  Authn&Authz