Skip to content

Identity Server Documentation Overview

6.0.0

Show all

Get Started
Guides
Setup
APIs
SDKs
References



WSO2 Identity Server Documentation

Home
Get Started
Get Started
- Introduction
- Quickstart
  Quickstart
  - Quick Setup
  - Try a Sample Scenario
    Try a Sample Scenario
    
    Sample Scenario
    
    Use Cases
    Use Cases
    
    Single Sign-On
    
    Multi-Factor Authentication
    
    Federated Authentication
    
    Self Sign-Up
Guides
Guides
- Overview
- Authentication
  Authentication
  - Overview
  - Login
    Login
    
    Overview
    
    Web Application
    Web Application
    
    OIDC
    
    SAML
    
    WS-Federation
    
    SaaS Applications
    SaaS Applications
    
    Google
    
    WordPress
    
    OpenCart
    
    Workday
    
    SimpleSAMLphp
    
    Salesforce
    Salesforce
    
    Salesforce with IS
    
    Salesforce with Facebook
    
    Salesforce with IWA
    
    Office365
    Office365
    
    Office365 with IS
    
    Office365 with SAML2
    
    Office365 with SAML2 for Multiple Domains
    
    Office365 with WS federation
    
    PaaS Applications
    PaaS Applications
    
    Drupal
    
    Microsoft Sharepoint
    
    Magento
    
    Microsoft Dynamics CRM with WS Federation
    
    OIDC Flows
    OIDC Flows
    
    Overview
    
    OIDC Auth Code Flow
    
    OIDC Auth Code Flow with PKCE
    
    OIDC Implicit Flow
    
    OIDC Hybrid Flow
    
    Pass Parameters as a Request Object
    
    Manage Scopes and Claims
    
    Encrypt ID Tokens
    
    Decrypt ID Tokens
    
    Discover OpenID Connect Provider
    
    Obtain Key Set Using JWKS
    
    Validate JWT based on JWKS
    
    SAML Flows
    SAML Flows
    
    Use SAML Artifact Binding
    
    Query SAML Assertions
    
    Use SAML Metadata
    
    Advanced Settings
    Advanced Settings
    
    OIDC Advanced
    OIDC Advanced
    
    Advanced Configurations
    
    Use Advanced Parameters in the Authentication Request
    
    SAML Advanced
    SAML Advanced
    
    Advanced Configurations
    
    Use Advanced Parameters in the Authentication Request
    
    Skip User Consent
    
    SaaS Applications
    
    Use Certificates with Applications
    
    Session Timeout
    
    Multi-Attribute Login
  - Single Sign On
    Single Sign On
    
    Enable Single Sign On
    
    OIDC Applications
    
    SAML Applications
    
    reCAPTCHA for SSO
  - Single Logout
    Single Logout
    
    Overview
    
    OIDC Flows
    OIDC Flows
    
    Overview
    
    Back-Channel Logout
    
    Federated IdP-Initiated Logout
    
    Session Management and Logout
    
    Logout URL Redirection
    
    SAML Flows
    SAML Flows
    
    Front-Channel Logout
    
    Back-Channel Logout
    
    Cross Protocol Logout
  - Request Path Authentication
    Request Path Authentication
    
    Overview
    
    Basic Auth Request Path Authentication
    
    OAuth Request Path Authentication
  - Passwordless Authentication
    Passwordless Authentication
    
    Overview
    
    FIDO
    FIDO
    
    FIDO Passwordless Authentication
    
    FIDO2 Attestation Validations
    
    Magic Link
  - Multi-Factor Authentication
    Multi-Factor Authentication
    
    Overview
    
    Username and Password
    
    Email OTP
    
    SMS OTP
    
    TOTP
    
    X509
    
    FIDO
    
    Advanced configs
    Advanced configs
    
    Email OTP configs
    
    TOTP configs
    
    SMS OTP configs
  - Adaptive Authentication
    Adaptive Authentication
    
    Overview
    
    Adaptive Authentication Scenarios
    Adaptive Authentication Scenarios
    
    Overview
    
    Role-Based
    
    User Age-Based
    
    Tenant-Based
    
    User store-Based
    
    IP-Based
    
    Device-Based
    
    Login Attempts-Based
    
    ACR-Based
    
    Elk analytics-Based
    
    TypingDNA-Based
    
    Using Function Library
    
    Limiting Active User Sessions
- Identity Federation
  Identity Federation
  - Overview
  - Enterprise Identity Federation
    Enterprise Identity Federation
    
    Overview
    
    SAML
    
    OpenID Connect
    
    ADFS
    
    WS-Federation
    
    Shibboleth
  - Social Login
    Social Login
    
    Overview
    
    Log in with Facebook
    
    Log in with Google
    
    Log in with Twitter
    
    Log in with Microsoft Live
    
    Log in with IWA
- Access Delegation
  Access Delegation
  - Overview
  - OAuth 2.0 Grant Types
    OAuth 2.0 Grant Types
    
    Authorization Code Grant
    
    Client Credentials Grant
    
    Device Flow Grant
    
    Refresh Tokens
    
    Implicit Grant
    
    Password Grant
  - Microprofile JWT
  - SAML2 Bearer Assertion Profile
  - Kerberos
  - JWT Grant
  - OAuth 2.0 Introspection
  - OAuth 2.0 Dynamic Client Registration
  - OAuth 2.0 Client Authentication
  - OAuth 2.0 Transaction Logs
  - OAuth 2.0 Token Hashing
  - Revoke OAuth Tokens
  - User Managed Access
  - Mutual TLS for OAuth Clients
- Consent Management
  Consent Management
  - Manage user consent
  - Manage consent puposes
- User Management
  User Management
  - Overview
  - Onboard Users
    Onboard Users
    
    Overview
    
    Create User
    
    Invite User
    
    User Self-Registration
    
    Lite User Registration
    
    Bulk Import Users
  - Manage Users
    Manage Users
    
    Overview
    
    List/Search Users
    
    Delete Users
    
    View/Update User Profiles
    
    Add Multiple User Profiles
    
    Manage User Attributes
    
    Track User Deletion
  - Manage Roles
    Manage Roles
    
    Overview
    
    Add User Roles
    
    Edit/Delete Roles
    
    Role-Based Permissions
  - Manage Accounts
    Manage Accounts
    
    Overview
    
    Admin-initiated Account Locking
    
    Lock Accounts by Failed Login Attempts
    
    Lock Accounts by Failed OTP Attempts
    
    Lock Accounts per User
    
    Associate Accounts
    
    Suspend Accounts
    
    Disable Accounts
    
    Pending Account Status
    
    Username Recovery
    
    Resend Account Recovery Mail
    
    Configure Emails with Special Characters
    
    Send Notifications per User Operation
  - Manage Passwords
    Manage Passwords
    
    Overview
    
    Password Policies
    
    Admin-Initiated Password Reset
    
    Password Recovery via Email
    
    Password Recovery via Challenge Questions
    
    Configure Email Masking Pattern for Notification Based Password Recovery
  - Provisioning
    Provisioning
    
    Overview
    
    Provisioning Patterns
    
    Role Based Provisioning
    
    Rule Based Provisioning
    
    Outbound Provision Users
    Outbound Provision Users
    
    Overview
    
    SCIM 2.0
    
    Microsoft Azure AD
    
    Google Directory
    
    Salesforce
    
    Hubspot
    
    Inbound Provision Users
    Inbound Provision Users
    
    Overview
    
    Configure User stores for SCIM 1.1
    
    Configure User stores for SCIM 2.0
    
    Configure Active Directory User stores for SCIM 1.1
    
    Configure Active Directory User stores for SCIM 2.0
    
    Setup Service Provider for Inbound Provisioning
  - Configure Account Confirmation Methods for Self-Registration
  - Enable Verification for Updated User Attributes
    Enable Verification for Updated User Attributes
    
    Enable Email Account Verification for an Updated Email Address
    
    Enable Mobile Number Verification for an Updated Mobile Number
  - Sync User Accounts
    Sync User Accounts
    
    Overview
    
    Hubspot
    
    MailChimp
    
    Pardot
    
    Pipedrive CRM
    
    Salesforce
    
    Sendgrid
    
    Zoho CRM
- User Self-Service
  User Self-Service
- Analytics
  Analytics
- Tenant Management
- Claim Management
  Claim Management
- Access Control
  Access Control
  - Overview
  - Access Management
    Access Management
    
    Intro
    
    Create a policy
    Create a policy
    
    Create a new policy
    
    Customize an existing template
    
    Edit a policy
    
    Version control
    
    Publish a policy
    
    View status of a policy
    
    Enable and Disable a policy
    
    Clear cache
  - Configure the XACML Engine
  - Use the XACML Tryit tool
    Use the XACML Tryit tool
    
    Overview
    
    Evaluate a XACML Policy
  - Fine-Grained Authorization
    Fine-Grained Authorization
    
    Using XACML
    
    Using JSON
  - Multiple Decision Point
    Multiple Decision Point
    
    Introduction
    
    MDP to authorize hierarchical resources
    
    MDP with repeating attributes
    
    MDP requests and responses
Setup
Setup
- Install
  Install
  - Install
  - Run
  - Get WSO2 Updates
  - Management Console
    Management Console
    
    Overview
    
    Customize
    
    MFA for management console
- Configure
  Configure
  - User Stores
    User Stores
    
    Overview
    
    Configure the Authorization Manager
    
    Configure the System Administrator
    
    Configure User Stores
    Configure User Stores
    
    Overview
    
    Configure the Primary User store
    Configure the Primary User store
    
    Overview
    
    Configure a JDBC User store
    
    Configure a Read-only LDAP User store
    
    Configure a Read-write Active Directory User store
    
    Configure a Read-write LDAP User store
    
    Add High Availability for LDAP
    
    Configure Secondary User stores
    
    Work with Properties of User stores
    
    Secure a JDBC user store with PBKDF2 hashing
  - Data Stores
    Data Stores
    
    Databases
    Databases
    
    Overview
    
    Change the Carbon Database
    Change the Carbon Database
    
    Change to IBM DB2
    
    Change to MariaDB
    
    Change to MSSQL
    
    Change to MySQL
    
    Change to Oracle
    
    Change to Oracle RAC
    
    Change to PostgreSQL
    
    Change to remote H2
    
    Change the Default Datasource of BPS
    
    Change the Default Datasource for Consent Management
    
    Data Dictionary
    Data Dictionary
    
    Registry Related Tables
    
    User Management Related Tables
    
    Identity Related Tables
    
    Service Provider Related Tables
    
    Identity Provider Related Tables
    
    Data Purging
    
    Remove References to Deleted User Identities
  - Session Persistence
  - Analytics
    Analytics
    
    Configure ELK Analytics
    
    Configure SSO in ELK Analytics
    
    Configure ELK Alerts
    
    Configure ELK for Adaptive Authentication
    
    Configure an SP and IdP Using Configuration Files
  - Email Notifications
    Email Notifications
    
    Configure Email Sender
    
    Customize Email Templates
  - Tenant Loading Policy
  - CORS
  - reCAPTCHA
- Secure
  Secure
  - Mitigate Attacks
    Mitigate Attacks
    
    Mitigate Cross Site Request Forgery Attacks
    
    Mitigate Authorization Code Interception Attacks
    
    Mitigate Brute Force Attacks
    
    Mitigate Replay Attacks
    
    SameSite Attribute Support
    
    Prevent Browser Caching
  - Work with Tokens
    Work with Tokens
    
    Add Logs for Tokens
    
    Token Persistence
    
    Remove Unused Tokens from the Database
    
    Enable Assertions In Access Tokens
  - Enable HostName Verification
  - Configure TLS Termination
  - Maintain Logins and Passwords
  - Secure Passwords in Configuration Files
    Secure Passwords in Configuration Files
    
    Encrypt Passwords with Cipher Tool
    
    Resolve Encrypted Passwords
    
    Customize Secure Vault
    
    Set Passwords using Environment Variables/System Properties
  - Enable HTTP Strict Transport Security (HSTS) Headers
  - Configure Transport Level Security
  - Enable Java Security Manager
  - Security Guidelines
    Security Guidelines
    
    Overview
    
    Product-Level
    
    OS-Level
    
    Network-Level
  - Encryption
    Encryption
    
    Asymmetric Encryption
    Asymmetric Encryption
    
    Use Asymmetric Encryption
    
    Create New Keystores
    
    Configure Keystores
    
    Renew a CA-Signed Certificate in a Keystore
    
    Manage Keystores via UI
    
    Add Multiple Keys to the Primary Keystore
    
    Symmetric Encryption
    Symmetric Encryption
    
    Overview
    
    Configurations Related to Symmetric Key Encryption
    
    Symmetric Data Encryption Key Rotation
- Deploy
  Deploy
- Monitor
  Monitor
  - Overview
  - Monitor Logs
    Monitor Logs
    
    Overview
    
    HTTP Access Logging
    
    Mask Sensitive Information in Logs
    
    Log Claims in Audit Logs
  - System Statistics
  - Monitor TCP-Based Messages
    Monitor TCP-Based Messages
    
    Monitor TCP-based Messages
    
    Message Monitoring with TCPMon
    
    Other Usages of TCPMon
  - Monitor Server Health
  - JMX-Based Monitoring
  - Work with Product Observability
- Upgrade WSO2 Identity Server
APIs
APIs
- Overview
- Authentication API
- Session management API
- Entitlement management API
- User management
  User management
  - SCIM 1.1 API
  - SCIM 2.0 API
    SCIM 2.0 API
    
    SCIM 2.0 API Definition
    
    SCIM 2.0 Patch Operations
    
    SCIM 2.0 Batch Operations
  - Account recovery API
  - Associated accounts API
  - Challenge question API
  - Challenge answers API
  - Self Sign-Up API
- Identity provider API
- IdP session extension API
- Self-service
  Self-service
- Application management
  Application management
  - Application management API
  - Authorized apps
    Authorized apps
    
    Authorized apps API V1
    
    Authorized apps API V2
  - OAuth 2.0 scope management API
  - OpenID Connect scope management API
  - OIDC Dynamic Client Registration API
  - Script Library management API
- Claim management API
- Server management
  Server management
  - Configuration management
    Configuration management
    
    Configuration management API
    
    Retrieve Tenant Resources Based on Search Parameters
  - Identity governance API
  - Keystore management API
  - User store management API
  - Tenant management API
  - CORS API
  - Consent management
    Consent management
    
    Overview
    
    Consent management API
  - Email templates API
  - Workflow engine management API
- Notification sender management API
- Server configuration API
- Permission management API
- User Functionality management API
- Admin services
  Admin services
  - Call admin services
  - One way operations
SDKs
SDKs
References
References
- Overview
- About this Release
- Feature Deprecation
- WSO2 IS Architecture
  WSO2 IS Architecture
- WSO2 IS Concepts
  WSO2 IS Concepts
  - Users, Roles, Permissions
    Users, Roles, Permissions
    
    Overview
    
    Users
    
    Roles and Permissions
  - User stores
    User stores
    
    User stores
    
    Realms
  - Claims
  - Access control
  - Service Providers
    Service Providers
    
    Overview
    
    Register a Service Provider
    
    Configure a Service Provider
    Configure a Service Provider
    
    Claims
    
    Roles and Permissions
    
    Inbound Authentication
    
    Local and Outbound Authentication
    
    Inbound Provisioning
    
    Outbound Provisioning
    
    Manage a Service Provider
    
    Set up a Resident Service Provider
  - Identity Providers
    Identity Providers
    
    Overview
    
    Register an IdP
    
    Configure an IdP
    Configure an IdP
    
    Roles of an IdP
    
    Claims of an IdP
    
    Federated Authenticators
    
    JIT Provisioning
    
    Outbound Provisioning Connectors
    
    Manage an IdP
    
    Resident IdP
    Resident IdP
    
    Set up a Resident IdP
    
    Inbound Authentication
    
    Inbound Provisioning
    
    JIT Consent Purposes
  - Tenants
- WSO2 IS Extensions
  WSO2 IS Extensions
  - Authentication
    Authentication
    
    OAuth2
    OAuth2
    
    Write a Custom OAuth2 Grant Type
    
    X509 Authenticator
    
    Adaptive authentication
    Adaptive authentication
    
    Write Custom Functions for Adaptive Authentication
    
    Authentication endpoint
    
    Localization
    
    Host authentication endpoint on a different server
  - Identity Federation
    Identity Federation
    
    Write a Custom Federated Authenticator
    
    Write a Custom OAuth 2.0 Federated Authenticator
    
    Write a Custom Local Authenticator
  - Access Control
    Access Control
    
    XACML policy writing
    XACML policy writing
    
    XACML policy language structure and syntax
    
    Write a XACML 2 policy
    Write a XACML 2 policy
    
    Introduction
    
    XACML 2 sample policy 1
    
    XACML 2 sample policy 2
    
    XACML 2 sample policy 3
    
    XACML 2 sample policy 4
    
    XACML 2 sample policy 5
    
    XACML 2 sample policy 6
    
    Write a XACML 3 policy
    Write a XACML 3 policy
    
    Introduction
    
    XACML 3 sample policy 1
    
    XACML 3 sample policy 2
    
    XACML 3 sample policy 3
    
    XACML 3 sample policy 4
    
    XACML 3 sample policy 5
    
    XACML 3 sample policy 6
    
    XACML 3 policy using XPath
  - User Management
    User Management
    
    Write a Custom Claim Handler
    
    Write a Custom Event Handler
    
    User store Listeners
    
    Write a Post-Authentication Handler
    
    Write a Custom Global Scope Validator
    
    User Management Errors Event Listener
    
    User provisioning
    User provisioning
    
    Extend SCIM 2.0 User Schemas
    
    Add SCIM2 Custom User Schema Support
    
    Write an Outbound Provisioning Connector
  - User self-service
    User self-service
    
    Customize the UI
    
    Configure the Application
  - User Stores
    User Stores
    
    Write a Custom User Store Manager
  - User interfaces (Rebrand)
    User interfaces (Rebrand)
    
    Re-brand WSO2 Identity Server UIs
    
    Re-brand the Default Login Page
    
    Re-brand the SSO Redirection Page
    
    Customize Login Pages
  - Workflow management
    Workflow management
    
    Extend the workflow event handler
    
    Write a cutom workflow template
  - Errors
    Errors
    
    Error messages
    
    Error Pages
- WSO2 IS Configurations
  WSO2 IS Configurations
- WSO2 IS Best Practices
  WSO2 IS Best Practices
  - Usernames in WSO2 Identity Server
- WSO2 IS Troubleshooting
  WSO2 IS Troubleshooting
  - Error Codes and Descriptions
  - REST API error catalog
- Adaptive Authentication JS API
- Scopes for REST APIs
- Permissions for Admin Services
- IAM Topics
  IAM Topics
  - Evolution of Identity Federation Standards
  - Authentication
    Authentication
    
    Introduction
    
    Authentication Protocols
    Authentication Protocols
    
    Introduction
    
    OIDC
    OIDC
    
    Introduction
    
    OIDC Client Profiles
    OIDC Client Profiles
    
    Introduction
    
    Basic Client Profile
    
    Implicit Profile
    
    Hybrid Profile
    
    OIDC Tokens
    OIDC Tokens
    
    Overview
    
    ID Tokens
    
    End-User Authentication
    End-User Authentication
    
    Overview
    
    Request Object
    
    Traditional Authentication Request
    
    User Information
    
    Scopes and Claims
    
    Discovery
    
    JWKS
    
    Dynamic Client Registration
    
    Session Management and Logout
    
    Back-Channel Logout
    
    Microprofile JWT 1.0
    
    SAML
    SAML
    
    Introduction
    
    SAML2 Artifact Binding
    
    SAML Front-Channel Logout
    
    SAML Back-Channel Logout
    
    WS-Federation
    WS-Federation
    
    Introduction
    
    WS-Trust
    WS-Trust
    
    Introduction
    
    Adaptive Authentication
    
    Multi Factor Authentication
    
    FIDO
  - Authorization
    Authorization
    
    OAuth 2.0
    OAuth 2.0
    
    Introduction
    
    OAuth 2.0 Client Types
    
    Grant Types
    Grant Types
    
    Overview
    
    Authorization Code Grant Type
    
    Implicit Grant Type
    
    Resource Owner Password Credentials Grant Type
    
    Client Credentials Grant Type
    
    Refresh Token Grant Type
    
    Device Flow Grant Type
    
    JWT Bearer Grant Type
    
    SAML2 Bearer Assertion Profile
    
    Kerberos Grant Type
    
    Tokens
    Tokens
    
    Access Tokens
    
    Refresh Tokens
    
    Client Authentication
    
    Token Introspection
    
    User Managed Access (UMA)
    User Managed Access (UMA)
    
    Introduction to UMA
    
    Resource Registration Endpoint
    
    Permission Endpoint
  - Single Sign On
  - Identity Bus
  - Identity Federation
  - Identity Provisioning
    Identity Provisioning
    
    Introduction
    
    Provisioning Framework
    
    JIT Provisioning
  - Consent Management
  - Identity Anti-Patterns and the Identity Bus
  - Integrated Windows Authentication
  - Master Data Management
- IAM Compliance
  IAM Compliance
  - Overview
  - GDPR
  - eIDAS
  - CCPA



Security Guidelines for Production Deployment¶

When deploying WSO2 Identity Server in a production server, make sure to comply with the following security guidelines.

Product-Level Security Guidelines
OS-Level Security Guidelines
Network-Level Security Guidelines

Top

Previous Enable Java Security Manager

Next Product-Level

WSO2 Identity Server - Documentation

© WSO2 LLC.