Identity Server Documentation Overview
6.0.0
Security Guidelines for Production Deployment

When deploying WSO2 Identity Server on a production server, make sure to comply with the following security guidelines.

• Product-Level Security Guidelines

• OS-Level Security Guidelines

• Network-Level Security Guidelines

WSO2 Identity Server - Documentation
© WSO2 LLC.