Consumer Onboarding made Easy, Effective & Engaging

Consumer onboarding is one of the, if not the most, important functions of a customer identity and access management (CIAM) solution. An overly complicated onboarding workflow significantly detracts from the consumer experience. Providing an effective, engaging and efficient onboarding workflow without compromising security has always been a challenge among security and risk professionals.

The inspiration for this two-part article series comes from many customer implementations carried out by WSO2 over the past 15 years on consumer onboarding and log-in journeys in CIAM. …

Authorizing the Caller’s Security Context in an API Workflow


WSO2 Identity Server provides many identity management and password management workflows out-of-the-box, e.g. self-registration, user invitations, password recovery, etc. However, it is not atypical to come across situations where you find that the workflow capabilities provided out-of-the-box in the product are not sufficient to fulfil your business requirement.

In such situations users would generally prefer to take one of the following alternative courses of action, listed in ascending order of complexity:

  1. Combining a couple of existing REST APIs in a specific sequence to produce the expected workflow.
  2. Implementing custom REST APIs and combining them with existing REST APIs in…

Intercepting Filter and Decorator Patterns to the Rescue


WSO2 Identity Server supports two kinds of REST APIs.

  1. Admin REST APIs
  2. Self-service REST APIs

The intention of Admin REST APIs is to authorize users/systems that have the required level of permission under the Mandatory Access Control (MAC) model, or the required OAuth 2.0 scope under the delegated access control model, to invoke these REST APIs. These REST APIs generally operate on system configuration data, or on identity data of a different user/system than the one calling the REST API. In WSO2 Identity Server, any REST API URL that does not contain “/Me” in its path is an Admin REST API. E.g. SCIM…

Answering the most common questions about WSO2 Identity Server by its users

Question 1

How to configure MFA and/or adaptive authentication for a group of service providers, instead of at an individual service provider level?

Configuring MFA and/or adaptive authentication for a group of service providers is not possible with WSO2 Identity Server as of version 5.11.0.

However, configuring MFA on a global (tenant) level is possible by configuring the ‘default’ sequence in:


The ‘default’ sequence can then be selected from ‘Local and Outbound Authentication’.

Question 2

How to configure what MFA methods are made available for a specific user?

Configuring MFA methods that are available for a specific user is not an out-of-the-box feature…

Security Patterns for Centralized Management Plane — Decentralized Data Plane and Control Plane


In the first part of this two-part article series I’ve introduced “heterogeneous API Management clusters”, their well-known examples and their different patterns. I’ve then gone on to discuss the “API Store Separated Clusters” deployment pattern in detail, how it can be implemented in WSO2 API Manager and the shortfalls in implementing it in WSO2 API Manager. In this part I will discuss the “Key Manager Separated Clusters” deployment pattern.

Figure 1: Heterogeneous WSO2 APIM Cluster Deployment Patterns

Key Manager Separated Cluster Deployment Patterns (#3,#4,#7,#8)

In the Key Manager separated patterns, there are mainly three important security properties that users look for.

  1. Avoid sharing of the OAuth 2.0 credentials (e.g. client_id, client_secret) between Key Managers at…

End-to-end Identity Lifecycle Management for your Customers

This is for those of you who wanted to understand the WSO2 CIAM User Lifecycle in detail.

Points to keep in mind for Readers

1. This diagram is a state diagram; NOT a “flow chart” diagram. Therefore it doesn’t show you the different workflows that trigger the state transitions. The next step would be to come up with a flow diagram as well for this state diagram, to see the full picture.

2. This diagram illustrates an “ideal” user lifecycle based on WSO2 CIAM’s current identity management features; it does not necessarily mean that all the transitions mentioned here are currently possible with out-of-the-box capabilities of the…

Security Patterns for Centralized Management Plane — Decentralized Data Plane and Control Plane


WSO2 API Manager supports a variety of deployment patterns for varying business and technical use cases [1,2]. While the all-in-one deployment pattern is at one end of the spectrum as the simplest deployment pattern, the fully distributed deployment is at the other end of the spectrum as the most flexible deployment pattern. However, in between these two is a wide variety of deployment patterns with varying levels of distribution of components that users may consider in order to arrive at the most optimal deployment, taking into account aspects such as complexity, flexibility, security and cost.

While the level of distribution of…

Fine-grained Authorization for Platform Resources


A permission in IAM is defined as a combination of a resource and one of its corresponding actions. Permissions are a fundamental element of any authorization decision.

For an overview of the permission levels that are supported by WSO2 Identity Server, and the various use cases around permissions in WSO2 Identity Server, refer to my article “Permissions with WSO2 Identity Server” [1].

Platform Roles

The WSO2 Identity Server comes with native multi-tenancy capability which allows it to be deployed as a SaaS solution in your enterprise. An IAM SaaS solution is commonly known as ‘Identity-as-a-Service’ (IDaaS).

The direct consumers of the IDaaS become…

Why WSO2 Identity Server fits the bill well?


It is true that WSO2 API Manager [1] can integrate with most Customer IAM (CIAM) vendors out there in the market, with efforts ranging from integrating using standard endpoints and messages with no-code configurations, to writing Java plug-ins to integrate with non-standard endpoints and messages. Among these options you have the WSO2 Identity Server [2], which is one of the most advanced CIAM products in the market and is targeted at organizations that are embracing a developer-first culture. It is secure, scalable, API-driven, extensible and uniquely customizable to meet every organization’s challenging business needs in a dynamic application landscape. You…

Johann Dilantha Nallathamby

IAM Enthusiast, Solutions Architect @ WSO2
