WSO2 Identity Server 5.0.0: Resident Identity Provider & Resident Service Provider
WSO2 Identity Server 5.0.0 takes identity management in a new direction: no more federation silos or spaghetti-identity anti-patterns. The authentication framework we introduced in IS 5.0.0 powers all of this. Along with the authentication framework, we absorbed the concepts of service providers and identity providers into the core Identity Server architecture.
WSO2 Identity Server (IS) can mediate authentication requests between service providers and identity providers, and at the same time WSO2 IS itself acts as a service provider and as an identity provider. When it acts as a service provider, that is known as the resident service provider; when it acts as an identity provider, that is known as the resident identity provider.
What does IS do as the resident service provider?
Currently the only occasion on which IS acts as the resident service provider is while adding users to the system. You can enable provisioning configurations against the resident service provider. For example, if you add users to the system via the SCIM API and authenticate to it using HTTP Basic authentication, the system reads the provisioning configurations from the resident service provider. (If you authenticate to the SCIM API with OAuth credentials instead, the system loads the configuration of the service provider that owns the OAuth client id.)
Likewise, if you want outbound provisioning for any user-management operation done via the Management Console, the SOAP API or the SCIM API, you also need to configure outbound provisioning identity providers against the resident service provider. That means that, based on the outbound configuration, users added from the Management Console will also be provisioned to external systems such as Salesforce and Google Apps. Note that because every Basic-authenticated SCIM call maps to the resident service provider, outbound provisioning configured there applies to all such callers, not to one particular client application.
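The following is an added example, not code from the original article or from the WSO2 code base. It builds a SCIM 1.1 "create user" request for IS 5.0.0 two ways (HTTP Basic and OAuth bearer) and, with a hypothetical resolver, shows which service provider's provisioning configuration IS would consult for each, following the rule described above. The endpoint path, the sample token registry, the client id and the service provider names are assumptions constructed for the example; in a real deployment IS holds the token-to-client mapping itself.

```python
"""Added example: SCIM 1.1 user creation against WSO2 IS 5.0.0 with two
authentication methods, and the provisioning-configuration owner each one
selects (resident service provider vs. the OAuth client's service provider).
"""
import base64
import json
from urllib.request import Request

# Assumed default SCIM 1.1 endpoint of IS 5.x; adjust for your deployment.
SCIM_USERS_URL = "https://localhost:9443/wso2/scim/Users"
RESIDENT_SP = "resident-service-provider"

# Constructed sample registry (not real IS data): access token -> OAuth
# client id, and client id -> the service provider that owns that client.
ACCESS_TOKENS = {"a1b2c3d4e5f60718293a4b5c6d7e8f90": "portal-client-id"}
OAUTH_CLIENTS = {"portal-client-id": "employee-portal-sp"}


def scim_user(username, given, family, email):
    """SCIM 1.1 core user representation (the schema URN IS 5.0.0 expects)."""
    return {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "userName": username,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
    }


def basic_auth_header(user, password):
    """HTTP Basic credential: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def bearer_auth_header(access_token):
    """OAuth 2.0 bearer credential issued to some OAuth client."""
    return "Bearer " + access_token


def build_create_request(user, auth_header):
    """Prepare (but do not send) the POST /Users request carrying the header."""
    body = json.dumps(user).encode()
    return Request(
        SCIM_USERS_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": auth_header},
    )


def provisioning_config_owner(auth_header, tokens=ACCESS_TOKENS, clients=OAUTH_CLIENTS):
    """Hypothetical helper (not a WSO2 API) modelling the article's rule:
    Basic auth -> resident service provider; bearer token -> the service
    provider owning the OAuth client the token was issued to."""
    scheme, _, credential = auth_header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return RESIDENT_SP
    if scheme == "bearer":
        client_id = tokens.get(credential)
        if client_id is None:
            raise PermissionError("unknown or expired access token")
        return clients[client_id]
    raise ValueError(f"unsupported authorization scheme: {scheme!r}")


if __name__ == "__main__":
    user = scim_user("alice", "Alice", "Smith", "alice@example.com")
    for header in (basic_auth_header("admin", "admin"),
                   bearer_auth_header("a1b2c3d4e5f60718293a4b5c6d7e8f90")):
        req = build_create_request(user, header)
        print(req.get_method(), req.full_url, "->", provisioning_config_owner(header))
```

The requests are only constructed, never sent, so the block runs offline; replacing the `print` loop with `urllib.request.urlopen(req)` against a running IS (with its certificate trusted) would submit them for real.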
If you are a service provider and want to send an authentication request or a provisioning request to the Identity Server (say, via SAML, OpenID, OpenID Connect, SCIM or WS-Trust), what matters to you is the resident identity provider configuration.
The resident identity provider configuration is a one-time configuration for a given tenant. It basically shows you the Identity Server's metadata, such as its endpoints. Later we plan to make this configuration available as a downloadable metadata file. In addition to the metadata, if you want to secure the WS-Trust endpoint with a security policy, this is where you do that too.
Published at DZone with permission of Prabath Siriwardena, DZone MVB. See the original article here.