Components of Gluu

The goal of Gluu is to be the best open-source IAM platform and to have the lowest total cost of operation (TCO). This has been done by building with the strongest open-source components and by designing control mechanisms to harden them. In this post we break down the components of our Gluu 4.X distribution and our cloud-native offering, Gluu Flex.

Components of Gluu 4

Gluu Server 4 is a commercially backed distribution of several open-source identity and access management components, integrated and working together. You can choose which components you want to use and how you want to deploy them: on Linux VMs or in cloud-native containers.

oxAuth

oxAuth is an Open Source User-Managed Access and OpenID Connect Provider component of the Gluu Server that implements the OpenID Connect Core 1.0 stack of REST services. The project also includes OpenID Connect Client code which can be used by websites to validate tokens.

oxAuth currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and User Info Endpoint.

oxAuth is tightly coupled with oxTrust.

oxTrust

oxTrust is a single point of administration for all components of Gluu 4.x servers. It includes an identity synchronization engine for external LDAP user stores. In addition to a web interface, oxTrust also provides an API to enable the automation of many tasks.

Shibboleth Identity Provider (Shib IDP)

Maintained by the Shibboleth Foundation, this component provides the SAML identity provider endpoints. This component relies on oxAuth for session management, enabling SSO between SAML and OpenID websites. It is configured by oxTrust, which renders the correct configuration files.

Casa

An Apache 2.0 licensed open source project governed by Gluu, Casa is a self-service web portal for end-users to manage devices and other multi-factor authentication credentials associated with their account in an IDP. Casa is brandable and you can write plugins to support new multi-factor credentials or other user requirements.

FIDO

Another core Janssen Project component, this server provides the enrollment and authentication endpoints which enable people to use USB, Bluetooth or platform FIDO credentials. An example of a USB FIDO credential is a YubiKey. An example of a platform FIDO credential is Apple TouchID. These powerful new credentials not only are more secure than passwords, but they are also phishing-resistant.

Passport-JS

The Gluu Server uses this component to enable social login. With over 300 existing “strategies”, Passport provides a crowd-sourced approach to offering users social login at popular consumer IDPs. Passport not only normalizes authentication, it also provides a standard mechanism to map user claims.

Gluu LDAP

Gluu maintains a fork of OpenDJ in our GitHub repository. This has been a stable and performant database for many years.

Gluu Cluster Manager

Gluu Cluster Manager is a commercially licensed GUI tool for installing and managing a highly available, clustered Gluu Server infrastructure on physical servers or VMs.

oxd / Client API

oxd is a middleware service that simplifies and standardizes the process of integrating server-side web applications with a standard OpenID Provider. It is a simple REST application. oxd-server is designed to work over the web (via HTTPS), making it possible for many apps across many servers to leverage a central oxd service for OAuth 2.0 security.

Super Gluu

Super Gluu is a push-notification mobile app for two-factor authentication (2FA). It is free and available on the App Store and Play Store.

Components of Gluu Flex

Gluu Flex is a self-hosted software stack based on the Linux Foundation Janssen Project providing single sign-on, strong multi-factor authentication (with or without passwords) and centralized token management to control access to APIs.

As with the Gluu Server, you have the same “interception scripts” that enable you to enhance or secure the user experience during user login, add extra data into API access tokens, or customize more than 20 other important steps during authentication and authorization workflows.

Jans Auth Server

The heart of the Janssen Project, this is the server that provides the OpenID Connect and OAuth endpoints. From a functional standpoint, Jans Auth Server is an “identity provider” or IDP and renders central login pages which enable the authentication of a person using a browser or mobile device. Jans Auth Server also mints access tokens which are used by websites and mobile apps to securely call an API.

Gluu Flex Admin UI

A commercially licensed interface to simplify the management and configuration of Jans Auth Server. Easily view and edit configuration properties, interception scripts, clients, and metrics in one place.

Casa

An Apache 2.0 licensed open-source project governed by Gluu, Casa is a self-service web portal for end-users to manage devices and other multi-factor authentication credentials associated with their account in an IDP. Casa is brandable and you can write plugins to support new multi-factor credentials or other user requirements.

FIDO

Another core Janssen Project component, this server provides the enrollment and authentication endpoints which enable people to use USB, Bluetooth or platform FIDO credentials. An example of a USB FIDO credential is a YubiKey. An example of a platform FIDO credential is Apple TouchID. These powerful new credentials not only are more secure than passwords, but they are also phishing-resistant.

SCIM

SCIM, or the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users and a RESTful API to search, add, edit and delete people in the IDP user store.

Jans Config-API

The configuration API is required to configure Jans Auth Server. Each endpoint is protected with OAuth, so to call it you’ll need a token with the right scope for that operation.

Jans Command Line Interface (CLI)

The CLI connects to the Jans Config API to perform configuration. It provides an interactive menu-driven mode for admins who don’t want to struggle with lengthy curl commands. You can also use the CLI for one-liners.

You now know the components of Gluu’s modern identity stack, and hopefully you’ve installed your first identity component and are on your way to becoming a Gluu guru. Digital identity is a fast-growing discipline that needs more practitioners. If you’re interested in continuing, you should consider joining the Janssen Project.

For a more in-depth overview of components, please visit the components page and follow the links in the diagrams.

