Identity Patterns with the WSO2 Identity Server
Federation Proxy

Problem:
  • All inbound requests to every service provider inside the corporate domain must be intercepted centrally, and authentication must be enforced via an Identity Hub.
  • Users authenticate to the hub via different identity providers.
  • All users who authenticate via the hub must be provisioned locally.
  • One user can have multiple accounts with multiple identity providers connected to the hub. When provisioned into the local system, the user should be given the option to map (link) all of his or her accounts and then pick which of those accounts to log in to the service provider under.
Solution:
  • Deploy WSO2 App Manager to front all the service providers inside the corporate domain. 
  • Configure WSO2 Identity Server as the trusted identity provider of WSO2 App Manager. The Identity Server plus App Manager setup, taken together, is what we call the federation proxy.
  • Introduce the identity provider running at the hub (it can be another WSO2 Identity Server) as a trusted identity provider to the WSO2 Identity Server running as the proxy. The proxy trusts only assertions issued by the hub; the individual identity providers behind the hub are trusted by the hub, not by the proxy.
  • Configure JIT (just-in-time) provisioning against the hub identity provider configured in WSO2 Identity Server, so that each user who authenticates via the hub is provisioned locally on first login.
  • For every service provider, the initial authentication step happens via the hub identity provider. Once that succeeds, configure an account-linking connector as the second authentication step, so the user can link his or her accounts and choose which one to log in under.
  • Products: WSO2 Identity Server 5.0.0+, WSO2 App Manager
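The flow above, reduced to a small simulation so the trust boundaries and the account-linking step are explicit. This is an added illustration, not WSO2 Identity Server or App Manager code: the hub issuer URL, the identity provider names and the user identifiers are constructed for the example, and the hub's signed assertions are assumed to have been signature-checked before they reach this code. The point worth seeing is that a second account is only linked after the user authenticates to it through the hub in the same session; linking on a matching email claim alone would let an upstream identity provider that does not verify email ownership take over a local account.

```python
"""Simulation of the federation-proxy pattern (illustrative, not WSO2 code).

The hub is modelled as a single trusted issuer that hands the proxy already
verified assertions (issuer, upstream IdP, subject, claims).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed identifier for the example; any real deployment uses its own.
HUB_ISSUER = "https://hub.example.com/idp"


@dataclass(frozen=True)
class Assertion:
    issuer: str                 # who signed it; must be the trusted hub
    idp: str                    # upstream identity provider the hub used
    subject: str                # subject as known to that upstream IdP
    claims: Dict[str, str] = field(default_factory=dict)


@dataclass
class LocalAccount:
    local_id: str
    idp: str
    subject: str
    claims: Dict[str, str]


@dataclass
class Session:
    local_id: str
    # (idp, subject) pairs the user has proven control of in this session:
    # the first-step login plus any second-step logins done for linking.
    authenticated: Set[Tuple[str, str]]


class FederationProxy:
    def __init__(self, trusted_issuers: Set[str]) -> None:
        self.trusted_issuers = trusted_issuers
        self.accounts: Dict[Tuple[str, str], LocalAccount] = {}  # (idp, subject) -> account
        self.links: Dict[str, Set[str]] = {}                      # local_id -> linked local_ids
        self._seq = 0

    def _verify(self, a: Assertion) -> None:
        # Only the hub is trusted; assertions straight from an upstream IdP are refused.
        if a.issuer not in self.trusted_issuers:
            raise PermissionError(f"untrusted issuer {a.issuer}")

    def jit_provision(self, a: Assertion) -> LocalAccount:
        """Accept a hub assertion and create the local user on first sight (JIT)."""
        self._verify(a)
        key = (a.idp, a.subject)
        if key not in self.accounts:
            self._seq += 1
            self.accounts[key] = LocalAccount(f"u{self._seq}", a.idp, a.subject, dict(a.claims))
            self.links[self.accounts[key].local_id] = set()
        return self.accounts[key]

    def login(self, a: Assertion) -> Session:
        """Step 1: initial authentication via the hub."""
        acct = self.jit_provision(a)
        return Session(acct.local_id, {(a.idp, a.subject)})

    def link(self, s: Session, other: Assertion) -> None:
        """Step 2: link another account, but only after the user authenticates to it
        through the hub in this session. A matching email claim is deliberately not
        enough, because not every upstream IdP verifies email ownership."""
        other_acct = self.jit_provision(other)
        s.authenticated.add((other.idp, other.subject))
        a, b = s.local_id, other_acct.local_id
        if a != b:
            self.links[a].add(b)
            self.links[b].add(a)

    def linked_accounts(self, s: Session) -> List[str]:
        return sorted({s.local_id} | self.links[s.local_id])

    def issue_to_sp(self, s: Session, chosen_local_id: str) -> Dict[str, str]:
        """Emit the identity the service provider sees, under the linked account the user picked."""
        if chosen_local_id not in self.linked_accounts(s):
            raise PermissionError("account is not linked to this session's user")
        acct = next(x for x in self.accounts.values() if x.local_id == chosen_local_id)
        return {"local_id": acct.local_id, "idp": acct.idp, "subject": acct.subject}


if __name__ == "__main__":
    proxy = FederationProxy({HUB_ISSUER})
    session = proxy.login(Assertion(HUB_ISSUER, "social-idp", "alice@mail.test"))
    proxy.link(session, Assertion(HUB_ISSUER, "corp-ad", "alice"))
    print(proxy.linked_accounts(session))
    print(proxy.issue_to_sp(session, "u2"))
```

Provisioning is idempotent on the (upstream IdP, subject) pair, so a returning user maps to the same local account; picking an account that was never linked in the current session is refused, as is any assertion not issued by the hub.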