The goal of Gluu is to be the best open-source IAM platform and to have the lowest total cost of operation (TCO). This has been done by building with the strongest open-source components and by designing control mechanisms to harden them. In this post we break down the components of our Gluu 4.X distribution and our cloud-native offering, Gluu Flex.
Gluu Server 4 is a commercially-backed distribution of several open-source identity and access management components, integrated and working together. You can choose which components you want to use, and how you want to deploy them–on Linux VMs or cloud-native containers.
oxAuth is an Open Source User-Managed Access and OpenID Connect Provider component of the Gluu Server that implements the OpenID Connect Core 1.0 stack of REST services. The project also includes OpenID Connect Client code which can be used by websites to validate tokens.
oxAuth currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and User Info Endpoint.
oxAuth is tightly coupled with oxTrust.
oxTrust is a single point of administration for all components of Gluu 4.x servers. It includes an identity synchronization engine for external LDAP user stores. In addition to a web interface, oxTrust also provides an API to enable the automation of many tasks.
Maintained by the Shibboleth Foundation, this component provides the SAML identity provider endpoints. This component relies on oxAuth for session management, enabling SSO between SAML and OpenID websites. It is configured by oxTrust, which renders the correct configuration files.
An Apache 2.0 licensed open source project governed by Gluu, Casa is a self-service web portal for end-users to manage devices and other multi-factor authentication credentials associated with their account in an IDP. Casa is brandable and you can write plugins to support new multi-factor credentials or other user requirements.
Another core Janssen Project component, this server provides the enrollment and authentication endpoints that enable people to use USB, Bluetooth, or platform FIDO credentials. An example of a USB FIDO credential is a YubiKey. An example of a platform FIDO credential is Apple TouchID. These powerful new credentials not only are more secure than passwords, but they are also phishing-resistant.
The Gluu Server uses this component to enable social login. With over 300 existing “strategies”, Passport provides a crowd-sourced approach to offering users social login at popular consumer IDPs. Passport not only normalizes authentication, it also provides a standard mechanism to map user claims.
Gluu maintains a fork of OpenDJ in our GitHub repository. This has been a stable and performant database for many years.
Gluu Cluster Manager is a commercially licensed GUI tool for installing and managing a highly available, clustered Gluu Server infrastructure on physical servers or VMs.
A middleware service that simplifies and standardizes the process of integrating server-side web applications with a standard OpenID Provider. A simple REST application. oxd-server is designed to work over the web (via HTTP), making it possible for many apps across many servers to leverage a central oxd service for OAuth 2.0 security.
Super Gluu is a push-notification mobile app for two-factor authentication (2FA). It is free and available on the App Store and Play Store.
Gluu Flex is a self-hosted software stack based on the Linux Foundation Janssen Project providing single sign-on, strong multi-factor authentication (with or without passwords), and centralized token management to control access to APIs.
Like the Gluu Server, you have the same “interception scripts” that enable you to enhance or secure the user experience during user login, add extra data into API access tokens, or customize more than 20 other important steps during authentication and authorization workflows.
The heart of the Janssen Project, is the server that provides the OpenID Connect and OAuth endpoints. From a functional standpoint, Jans Auth Server is an “identity provider” or IDP and renders central login pages which enable the authentication of a person using a browser or mobile device. Jan Auth Server also mints access tokens which are used by websites and mobile apps to securely call an API.
Gluu Flex is the first IAM solution that enables you to deploy your low-code Agama language projects. The Agama language was purpose-built for digital identity cloud authentication flows, speeding the implementation of great user experiences that improve the security posture of your organization.
Now, developers, including Application Managers, Governance and Risk teams, Auditors, and Identity Architects can all design and review authentication flows naturally and graphically without writing a line of code.
A commercially licensed interface to simplify the management and configuration of Jans Auth Server. Easily view and edit configuration properties, interception scripts, clients, and metrics in one place.
An Apache 2.0 licensed open-source project governed by Gluu, Casa is a self-service web portal for end-users to manage devices and other multi-factor authentication credentials associated with their account in an IDP. Casa is brandable and you can write plugins to support new multi-factor credentials or other user requirements.
Another core Janssen Project component, this server provides the enrollment and authentication endpoints that enable people to use USB, Bluetooth, or platform FIDO credentials. An example of a USB FIDO credential is a Yubikey. An example of a platform FIDO credential is Apple TouchID. These powerful new credentials not only are more secure than passwords, they are also phishing-resistant.
SCIM, or the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users and a RESTful API to search, add, edit, and delete people in the IDP user store.
The configuration API is required to configure Jans Auth Server. Each endpoint is protected with OAuth, so to call it you’ll need a token with the right scope for that operation.
The CLI connects Jans Config API to perform configuration. It provides an interactive menu-driven mode for admins who don’t want to struggle with lengthy curl commands. You can also use the CLI as one-liners.
You now know the components of Gluu’s modern identity stack, and hopefully, you’ve installed your first identity component and are on your way to becoming a Gluu guru. Digital identity is a fast-growing discipline that needs more practitioners. If you’re interested in continuing, you should consider joining the Janssen Project.
For a more in-depth overview of the components, please visit the components page and follow the links in the diagrams.
You now know the components of Gluu’s modern identity stack, and hopefully you’ve installed your first identity component and are on your way to becoming a Gluu guru. Digital identity is a fast-growing discipline that needs more practitioners. If you’re interested in continuing, you should consider joining the Janssen Project.
For a more in-depth overview of components, please visit the components page and follow the links in the diagrams.