Fed Up with User Provisioning? Try with WSO2 Identity Server.


This is the first blog of the Provisioning Blog series with WSO2 Identity Server.

User Provisioning

User provisioning is an important aspect of identity federation. In simple terms, user provisioning in IAM means creating, updating or deleting user accounts in a system and managing those users by granting them access to resources.

Provisioning APIs are required to manage users in a remote system. For example, the Identity Server can be used to manage users and groups, and an organization may have its own administrative portal that needs to communicate with the Identity Server to do so.

So provisioning APIs are what allow an IAM system to act as the centralized user base for the applications around it.

In a typical system the administrators provision users manually, but to reduce that burden several automatic ways of provisioning users have been introduced.

Nowadays most web applications use social login to provision users into their system. It makes the user's life easy: the user just logs in with a social site such as Facebook or Google, and an account is created from the attributes that site returns. This is a handy feature when it comes to user provisioning.

Using standards in Provisioning

For provisioning, WSO2 Identity Server uses standards such as SCIM 2.0, SCIM 1.1 and SPML. The key advantage of using these standard methods is that it is easy to integrate the solution with other existing systems; open source and open standards help avoid vendor lock-in.

Provisioning methods supported by WSO2 Identity Server

1. Inbound Provisioning

Inbound provisioning means adding users to the system from an external system. WSO2 Identity Server uses SCIM APIs and SOAP admin services for inbound provisioning. Once the Identity Server receives an inbound provisioning request from an authenticated caller, and the relevant configuration is in place, the user is persisted in the configured user store.

Use Case 01 using SCIM2:

ABC is a reputed bank and Tom is the user operations manager who works there. The bank needs its own portal for user management operations such as user creation and deletion. This portal consumes the SCIM2 REST APIs exposed by WSO2 Identity Server.

Inbound Provisioning

Use Case 02 using Self Registration

Some users of the bank need to do credit card related operations over the Web. So ABC Bank lets those users self register by presenting their credit card number and PIN as a one-time credential. Once that credential has been verified, the users create their own accounts and are provisioned into the system through self registration.


Use Case 03 using WSO2 Identity Server Management Console

John, who plays the administrator role in the bank, adds users directly to the Identity Server through the Management Console in some special cases. When he uses the Management Console, the underlying UserAdmin admin service is invoked.


The following REST APIs are available in WSO2 Identity Server for user provisioning.

SCIM 1.1

SCIM 2

Self Registration

The following SOAP APIs are available in WSO2 Identity Server for user provisioning.

RemoteUserManagerService

UserAdmin
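To make the inbound SCIM2 use case concrete, here is a small client for the /scim2/Users endpoint of the kind Tom's portal would call: it builds the SCIM 2.0 User resource, creates the user, looks it up by a userName filter and deletes it. This is an added example, not code from this post or from WSO2. The host, port and admin:admin credentials are the defaults of a fresh WSO2 IS install and are assumptions, as is the wso2carbon.pem CA file used for TLS verification; SAMPLE_LIST_RESPONSE is a constructed response used to exercise the parser offline.

```python
"""SCIM 2.0 client for the WSO2 Identity Server /scim2/Users endpoint.

Added example; not code from the blog post or from WSO2. Host, port and the
admin:admin credentials are the defaults of a fresh WSO2 IS install and are
assumptions, as is the CA file name used for TLS verification.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_user(user_name, given_name, family_name, email, password):
    """Build the SCIM 2.0 User resource sent on POST /scim2/Users."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"primary": True, "value": email}],
        "password": password,
    }


def user_filter(user_name):
    """Query string for a SCIM filter that matches one userName exactly.

    The value is a quoted string per RFC 7644, so backslashes and quotes are
    escaped to stop an attacker-supplied name from rewriting the filter.
    """
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    return urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})


def parse_list_response(body):
    """Return the resource ids in a SCIM ListResponse ([] when nothing matched)."""
    doc = json.loads(body)
    if SCIM_LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    if doc.get("totalResults", 0) == 0:
        return []
    return [r["id"] for r in doc.get("Resources", [])]


class Scim2Client:
    """Thin urllib wrapper; every call returns the HTTP status for inspection."""

    def __init__(self, base_url, username, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        }
        # Verify the server certificate. A dev instance presents a self-signed
        # cert: export it to a PEM file and pass its path instead of disabling
        # verification, which would expose the admin credentials on the wire.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def create_user(self, user):
        status, body = self._request("POST", "/scim2/Users", user)
        if status == 409:  # the userName is already taken in the user store
            raise ValueError(f"user {user['userName']!r} already exists")
        if status != 201:
            raise RuntimeError(f"create failed with HTTP {status}: {body[:200]!r}")
        return json.loads(body)["id"]

    def find_user_id(self, user_name):
        status, body = self._request("GET", "/scim2/Users?" + user_filter(user_name))
        if status != 200:
            raise RuntimeError(f"search failed with HTTP {status}")
        ids = parse_list_response(body)
        return ids[0] if ids else None

    def delete_user(self, user_id):
        status, _ = self._request("DELETE", f"/scim2/Users/{user_id}")
        return status == 204


# Constructed sample ListResponse, used to exercise parse_list_response offline.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA],
    "totalResults": 1,
    "Resources": [{"id": "8f0c1b2e-0000-4000-8000-000000000001", "userName": "tom"}],
})


if __name__ == "__main__":
    client = Scim2Client("https://localhost:9443", "admin", "admin", cafile="wso2carbon.pem")
    uid = client.create_user(build_user("tom", "Tom", "Smith", "tom@abcbank.example", "Str0ng-P@ssw0rd"))
    print("created", uid, "lookup:", client.find_user_id("tom"))
    print("deleted:", client.delete_user(uid))
```

The portal's own service account, not the admin user, should be what carries the Basic credentials in a real deployment, and the 409 branch matters in practice: a portal that retries a create after a timeout must treat "already exists" as success rather than an error.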

2. Just in time provisioning

Just in Time (JIT) provisioning provisions a user into the system upon a successful federated authentication.

- An SP initiates an authentication request.

- WSO2 IS redirects the request to the configured IdP.

- The Identity Server receives a successful response.

At this point, if JIT provisioning is configured, the user is created in the Identity Server's configured user store.

ABC Bank trusts the Google IdP. When a user logs in to a client application through this trusted IdP, the bank wants that user provisioned on the Identity Server side with some user attributes and roles, since this allows automatic provisioning without any human effort. Once the user is provisioned, either the admin can provide a password or the Identity Server can be configured to provision the user with a random password.

Just In Time Provisioning

3. Outbound provisioning

Outbound provisioning involves sending provisioning requests from one system to other external applications. In WSO2 Identity Server this feature is used to synchronize users to trusted identity providers. From the Identity Server, outbound provisioning is supported through the SCIM and SPML standards and through Salesforce and Google connectors. Apart from that, a custom outbound connector can be written and plugged into WSO2 Identity Server. Outbound provisioning can be configured to run synchronously or asynchronously.

- An SP initiates an authentication request.

- WSO2 IS redirects the request to the configured IdP.

- The Identity Server receives a successful response.

At this point, the user who has just been added to the Identity Server is pushed to the configured outbound IdP.

If a system or application needs to eliminate manual user creation, it can use this mechanism. It can also be used to synchronize users from an existing user store to a particular application.
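The receiving side of outbound provisioning is easy to lose sight of: a SCIM outbound connector can only push users into an application that exposes a SCIM 2.0 /Users endpoint. The following minimal receiver shows what such a target has to enforce: the connector's credentials are checked before anything else, the User schema and userName are required, a duplicate userName is rejected with 409, and the password is never echoed back. This is an added example, not code from this post or from WSO2, and it covers only the create and delete operations of RFC 7644 rather than everything a WSO2 connector may send. The listening port and the wso2-provisioner credentials are assumptions.

```python
"""Minimal SCIM 2.0 /Users receiver of the kind an outbound SCIM connector targets.

Added example; not code from the blog post or from WSO2. Only POST /Users and
DELETE /Users/{id} are implemented. The port and the provisioning credentials
are assumptions.
"""
import base64
import hmac
import json
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
PROV_USER, PROV_PASS = "wso2-provisioner", "change-me"  # assumed connector credentials


def scim_error(status, scim_type, detail):
    """Error document in the shape RFC 7644 prescribes."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "scimType": scim_type, "detail": detail}


def basic_header(user, password):
    """Value of an HTTP Basic Authorization header for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(auth_header):
    """Check Basic credentials with a constant-time comparison."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(presented, f"{PROV_USER}:{PROV_PASS}")


class UserStore:
    """In-memory store that enforces the invariants a SCIM server must hold."""

    def __init__(self):
        self.users = {}

    def create(self, raw_body):
        """Return (status, document) for POST /Users."""
        try:
            doc = json.loads(raw_body)
        except ValueError:
            return 400, scim_error(400, "invalidSyntax", "body is not JSON")
        if USER_SCHEMA not in doc.get("schemas", []) or not doc.get("userName"):
            return 400, scim_error(400, "invalidValue", "schemas and userName are required")
        if any(u["userName"].lower() == doc["userName"].lower() for u in self.users.values()):
            return 409, scim_error(409, "uniqueness", "userName already exists")
        # Never echo the password back; a real target hashes it into its own
        # credential store instead of keeping it in the returned resource.
        user = {k: v for k, v in doc.items() if k != "password"}
        user["id"] = str(uuid.uuid4())
        self.users[user["id"]] = user
        return 201, user

    def delete(self, user_id):
        """Return the status for DELETE /Users/{id}."""
        return 204 if self.users.pop(user_id, None) is not None else 404


STORE = UserStore()


class ScimHandler(BaseHTTPRequestHandler):
    def _send(self, status, doc=None):
        body = json.dumps(doc).encode() if doc is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _check_auth(self):
        if authorized(self.headers.get("Authorization")):
            return True
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="scim"')
        self.end_headers()
        return False

    def do_POST(self):
        if not self._check_auth():
            return
        if self.path != "/Users":
            return self._send(404, scim_error(404, "noTarget", "unknown resource"))
        length = int(self.headers.get("Content-Length", 0))
        self._send(*STORE.create(self.rfile.read(length)))

    def do_DELETE(self):
        if not self._check_auth():
            return
        prefix = "/Users/"
        if not self.path.startswith(prefix):
            return self._send(404, scim_error(404, "noTarget", "unknown resource"))
        self._send(STORE.delete(self.path[len(prefix):]))


if __name__ == "__main__":
    # Put TLS in front of this in practice: the connector sends Basic credentials.
    HTTPServer(("127.0.0.1", 8081), ScimHandler).serve_forever()
```

Point a SCIM outbound connector at http://127.0.0.1:8081/Users with the credentials above and every user created in the Identity Server for that service provider lands in STORE; the 409 on a repeated userName is what lets the connector's retries stay idempotent.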

Why WSO2 Identity Server for User Provisioning?

User provisioning with WSO2 Identity Server is quick, reliable and secure. Further, out of the box the product offers plenty of ways to provision users according to the requirements, and most of them can be extended with custom implementations. So try these different ways of user provisioning with WSO2 Identity Server.

Written by

Associate Technical Lead @ WSO2
