What is a developer-focused IAM solution?

Shan Chathusanda Jayathilaka
7 min readApr 30, 2020

Hi guys. Hope you are all safe during this difficult time period. Today I am going to discuss about What is a developer-focused IAM solution. Before entering the main topic, let’s break the topic into subtopics as follows.

What is a developer-focused software?

Mainly, a developer-focused software or a developer-focused software project is a project which is developed by developers for other developers who are creating software solutions for end users, usually non-developers. We can categorise most of the open source projects in this category. These open source projects are self-explanatory and usable for other developers. When these projects grow big enough, these are documented, written in blogs and articles in the tech space and also they are discussed in forums as well. Also there are a bunch of non-open-source projects as well which are developer-focused.

What is an IAM solution?

Identity and Access Management (IAM) is all about defining and managing the roles and privileges of a set of networked individual users. These users can be anyone like customers, employees etc. In traditional way, managing users and their privileges are mainly a task of the particular application that these users are using. But there can be many drawbacks in this traditional way like these applications are not focused to manage identities, sometimes users may use simple passwords, sometimes users may use a single password for every application etc. But when it comes to IAM solutions, this picture is a bit different.

Yes, IAM solutions support managing identities. That is the primary goal. But it can be done in an efficient way from these IAM solutions because these solutions are born to manage identities.

At the enterprise level these IAM solutions are playing a major role since there are thousands of users are accessing hundreds of applications. Mainly this is a major challenge for the enterprises and it can be solved by plug-in an IAM solution.

As you can understand here a developer-focused IAM solution means a software solution that can define and manage identities, which have properly documented the features for the developers to use and less or equal OPEN SOURCE.

In this article I am going to explain about one great developer-focused IAM solution which WSO2 presents. The WSO2 Identity Server.

Why WSO2 Identity Server?

I hope you can remember the previous explanations about developer-focused software projects and IAM solutions :-). As these explanations there are several things that have to be fulfilled by these developer-focused IAM solutions.

WSO2 Identity server is 100% OPEN SOURCE. You can download and use this product totally free. You can get the latest product from here. If you are more likely to go through the code and stuff, you can reach out to the code base of WSO2 Identity Server from github as well. Here is the link for the product repository. As you can understand from here WSO2 Identity Server is 100% OPEN SOURCE. NO GIMMICKS :-).

As I mentioned before you can download and run WSO2 Identity Server for free. But in order to run and get your hands dirty, you need to know how to do the stuff that can be done using WSO2 Identity Server. Here comes the documentation. WSO2 Identity Server maintains a well explained documentation space for the users (developers or not) of the product. These documentations describe what are the capabilities of WSO2 Identity Server currently have at the moment because this product is growing and growing with new capabilities day by day. You can go through the documentations for the latest release from here.

Another interesting fact about WSO2 Identity Server is that this was recognised as an overall leader in IAM space by kuppingercole Analysis. You can find the summary of this report from here. This means the WSO2 Identity Server is a globally recognised IAM solution. You can find much more details from here.

Are these facts not enough to select the WSO2 Identity Server? You want more? OK. Let’s check briefly the capabilities that WSO2 Identity Server has which can be used by developers.

First thing first. Let’s see how WSO2 Identity Server (WSO2 IS) manages users and their roles. Mainly the identities of the users are stored in databases. WSO2 IS supports multiple types of databases like in-built Lightweight Directory Access Protocol (LDAP), H2, MYSQL, POSTGRES and MSSQL. Developers have the freedom to select what is the most suitable type for their developments. In WSO2 IS there is a self-service user portal for business end-users which they can use it to maintain their user accounts. So the developers do not need to worry about that all. When it comes to passwords, developers can introduce password policies and password patterns. WSO2 IS will validate the passwords with them. Also WSO2 IS has the ability to lock user accounts by validating the invalid failed login attempts and users can recover the account by using either email or secret questions. The developers just need to do some configurations and they can select one or both as their requirements. It is just that simple.

Another real advantage in WSO2 IS is user provisioning. WSO2 IS can provision users and roles to it self by using SCIM 1.1 or 2.0 APIs and also WSO2’s proprietary SOAP APIs. Also WSO2 IS can provision users to external identity providers by using SCIM 1.1 APIs. Here also developers just need to add the relevant configurations to the WSO2 IS only. No need to do all the things from the scratch :-).

In WSO2 IS, the access control is done in fine-grained authorization. Mainly this is done by role based access control. You can create a role and add some privileges to the role and finally you can add a user to that role in a very easy user-interface. This can be done by a developer or any other administrative person of the business. Mainly XACML 2.0 is used for the fine-grained policy-based access control which is a company standard for access control. So this is also a developer friendly move in WSO2 IS.

When it comes to authentication, WSO2 IS plays a major role here. WSO2 IS supports Context based authentication via user attributes, user risk profile, request parameters etc. These all are commonly known as adaptive authentication. Also multi-factor authentication with emailOTP, Fast IDentity Online (FIDO2.0), x509 authentication and SMSOTP are available in WSO2 IS too. So the developer has a variety of authentication choices to be used in his/her software solution by using WSO2 IS.

Think like this. You are a developer which was assigned to create several applications for an enterprise. The users of these applications must be authenticated before using them. You can create a traditional authentication process like having one for each application. Here if one user wants to access several applications at a single time, he or she needs to go through the login process again and again. Don’t you think this is kind of an overhead to the user as well as the developer :-(. If you are using WSO2 IS, nothing to worry about this.

WSO2 IS provides support to Single-Sign On (SSO) for enterprise or cloud applications. SSO is enabled via SAML2, OpenID Connect and WS-Federation Passive. Also federated SSO is available via SAML2, OpenID Connect and WS-Federation. All these standards are enterprise standards so the developers can easily use them. Also WSO2 IS has the capability to support SSO between on-premise applications and cloud applications. Google ReCaptcha is supported when using SSO. So the developers have much more choices for handling user logins.

Let’s think like this. As same as the SSO requirement you get a requirement to implement when a user signed out from one application of an enterprise, that user also has to be signed out from other signed in applications of that enterprise. In WSO2 IS we can complete this requirement by using the Single-Log-Out feature. No need to develop all the things from the scratch. WSO2 IS SLO is supported by SAML2, metadata profile and assertion request profile. As mentioned previously all these standards are enterprise standards in the technical world so the developers can easily use them for their implementations.

Phew….!!!!! It’s a lot of explanation right? Do you think that’s all? No my friend. This is only a brief of the features that WSO2 Identity Server currently supports. If time is available I can explain all the features :-).

If you are interested in WSO2 Identity Server, you can find the currently supported features from here. Also you can get your hands dirty by downloading WSO2 Identity Server from here and referring documentations from here. So this is the end of the blog. Hope you got something from this blog.

Hope you guys are safe. Until we meet again.

Hasta la vista amigos…!!!




Shan Chathusanda Jayathilaka

Senior Software Engineer @ WSO2 | Graduate in Computer Science, University of Ruhuna