WSO2 API Key Manager vs. WSO2 Identity Server

When to choose WSO2 Identity Server over API Key Manager?

Johann Dilantha Nallathamby
4 min read · Sep 16, 2020

Introduction

Identity Management is an inherent requirement of API Management: an API Management solution cannot issue, validate or scope an access token without knowing who the caller is, so there cannot exist an API Management solution without Identity Management capabilities.

WSO2 API Manager therefore ships the bare minimum Identity Management capabilities required to operate an API Management solution, in the WSO2 API Key Manager profile. These capabilities are borrowed, in the form of OSGi features, from the WSO2 Carbon platform. That is why OAuth2 and OpenID Connect are configured the same way in deployment.toml in both products, and why the login portal and account recovery portal share the same look and feel.

However, customers who need Identity & Access Management capabilities beyond what the WSO2 API Key Manager provides have the option of upgrading from the WSO2 API Key Manager to the WSO2 Identity Server. Note that the WSO2 API Key Manager profile adds specific extensions on top of the borrowed OSGi features, and these extensions are not part of the WSO2 Identity Server. Prior to API Manager 3.2.0, they had to be installed through the WSO2 Carbon P2 OSGi feature installation plugin. Therefore, for customers who wanted both WSO2 API Key Manager and WSO2 Identity Server capabilities prior to version 3.2.0, a separate distribution known as WSO2 IS-KM was introduced. WSO2 IS-KM is the WSO2 Identity Server distribution combined with the API Key Manager specific extensions.

During the WSO2 API Manager 3.2.0 re-architecture, however, this distribution was retired in favour of a more standardized WSO2 API Manager to WSO2 Identity Server integration, handled the same way as the WSO2 API Manager's integration with third-party Authorization Servers. Users are now required to copy the API Key Manager specific extensions into specific folder locations in WSO2 Identity Server, which gives that single deployment the union of WSO2 Identity Server and WSO2 API Key Manager functionality.

WSO2 API Key Manager’s Capabilities

  1. Application login and single sign-on using OpenID Connect 1.0 suite of specifications (on par with WSO2 IS)
  2. Authentication with username/password
  3. API security using OAuth 2.0 and all related profiles (on par with WSO2 IS)
  4. Role-based access control for APIs
  5. Supports user directories such as LDAP, Active Directory and RDBMS (on par with WSO2 IS)
  6. User onboarding workflows
    — Simple admin-initiated user creation with username+password
    — Self-registration workflow with account confirmation via email address verification
    — Just-In-Time Provisioning workflow
  7. Inbound provisioning endpoints
    — Users and Groups (historically called Roles in WSO2) SOAP APIs
    — WSO2 Self-registration API
  8. Identity Lifecycle Management features
    — Account locking for incorrect password attempts
    — Account lock timeout
  9. Password Management features
    — Self-service password recovery workflow using email address verification
  10. Identity federation with SAML 2.0 or OpenID Connect compliant enterprise Identity Providers

WSO2 Identity Server’s Exclusive Capabilities (not found in WSO2 API Key Manager)

  1. Application login and single sign-on using SAML 2.0 SSO, WS-Federation, WS-Trust or CAS.
  2. Identity federation with enterprise Identity Providers that don’t support SAML 2.0 or OpenID Connect, or social Identity Providers like Facebook, Google, Twitter, LinkedIn, etc.
  3. A plethora of authentication mechanisms beyond username/password, such as IWA, SMS/E-mail OTP, TOTP, X.509 tokens, FIDO 2.0 tokens, mobile push authentication, mobile biometrics, etc.
  4. Fine-grained entitlements and authorization policies for applications and APIs using custom permissions or XACML 3.0 policies. Comes with out-of-the-box support to authorize OAuth 2.0 scopes using XACML 3.0 policies.
  5. Adaptive access control policies
    — Step-up/elevated authentication
    — Contextual authentication based on user attributes (preferences, a static risk profile, last successful login time, etc.) or on environmental attributes (device, remote IP, date, time, etc.)
    — Risk-based authentication based on real-time event processing scenarios. Integrates out-of-the-box with WSO2 Streaming Integrator that can use machine learning algorithms to build behavioural profiles for users based on log-in events.
  6. The same adaptive access control scripting capability can also implement dynamic home realm discovery, dynamic role injection/mapping, dynamic authorization that consumes complex entitlement structures, etc.
  7. Advanced Identity Management capabilities
    — Invitation workflow with account confirmation via email address verification or mobile number verification
    — Self-service profile management
    — Account linking
    — SCIM 2.0 inbound provisioning endpoint support for Users and Groups
    — Inbound provisioning endpoint support for Roles
    — Outbound provisioning connectors. E.g. SCIM 2.0, Microsoft Azure AD, etc.
    — Identity Proofing connectors
    — Approval workflows
    — Username recovery
  8. Advanced Identity Lifecycle Management capabilities
    — Email address or mobile number verification of existing users
    — Account blocking
    — Idle account suspension
  9. Password Management capabilities
    — Setting up password on first log-in
    — Admin-initiated forced password reset
    — Password complexity policy
    — Password rotation policy
    — Password history policy
    — Self-service password recovery using challenge question answers
    — reCAPTCHA on invalid password attempts
    — reCAPTCHA on invalid challenge question answer attempts
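The step-up and contextual policies in items 5 and 6 above are expressed in WSO2 Identity Server as a JavaScript conditional-authentication script attached to a service provider's authentication steps. The following is an added example, not code from the original post or from WSO2. The script itself uses the names the IS adaptive-authentication API exposes (onLoginRequest, executeStep, hasRole, context.request.ip, context.currentKnownSubject); simulateLogin and the corporate network prefix are assumptions constructed here so the policy can be exercised offline, and the simulator only records which steps were requested, it does not reproduce the IS engine.

```javascript
// Added example (not from the original post or from WSO2): a WSO2 Identity
// Server style conditional-authentication script plus a small offline
// simulator. The simulator is a constructed stand-in for the IS engine;
// executeStep, hasRole, context.request.ip and context.currentKnownSubject
// follow the names of the IS adaptive-authentication API.

// CONSTRUCTED assumption: logins from outside this prefix are treated as
// off-network and require a second factor.
const CORPORATE_PREFIX = '10.0.';

// --- the adaptive script, as it would be pasted into IS --------------------
// Step 1 is basic username/password; step 2 is a second factor (e.g. TOTP)
// that is only executed for admins or off-network logins (step-up).
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.currentKnownSubject;
      var ip = context.request.ip;
      var offNetwork = ip.indexOf(CORPORATE_PREFIX) !== 0;
      if (hasRole(user, 'admin') || offNetwork) {
        executeStep(2);
      }
      // Otherwise step 1 alone completes the login.
    }
  });
};

// --- offline simulator (constructed for this example) ----------------------
// user: { username, roles: [...] }, ip: remote address string,
// failingSteps: step ids whose authenticator should be treated as failed.
// Returns the ordered list of steps the script requested and the outcome.
function simulateLogin(user, ip, failingSteps) {
  failingSteps = failingSteps || [];
  const executed = [];
  const context = { request: { ip: ip }, currentKnownSubject: null, steps: {} };
  let outcome = 'success';

  // Stand-in for the IS executeStep(stepId, options) call.
  globalThis.executeStep = function (stepId, options) {
    executed.push(stepId);
    const failed = failingSteps.indexOf(stepId) !== -1;
    context.steps[stepId] = { subject: failed ? null : user };
    if (failed) {
      // A failed step with no onFail handler fails the whole login.
      outcome = 'fail';
      if (options && options.onFail) options.onFail(context);
      return;
    }
    context.currentKnownSubject = user;
    if (options && options.onSuccess) options.onSuccess(context);
  };

  // Stand-in for the IS hasRole(user, roleName) utility.
  globalThis.hasRole = function (subject, role) {
    return subject.roles.indexOf(role) !== -1;
  };

  onLoginRequest(context);
  return { steps: executed, outcome: outcome };
}
```

In a real deployment the script is saved in the service provider's conditional authentication editor with a TOTP, FIDO or SMS OTP authenticator configured as step 2; the branch on hasRole is the step-up case from item 5 and the branch on context.request.ip is the contextual (environmental attribute) case.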
