Why Gluu Enterprise?
Gluu Enterprise is a software subscription for organizations that want to self-host an identity platform. It includes a commercially backed distribution of several open source identity and access management components, integrated and working together. You can choose à la carte which components you want to use, and how you want to deploy them: on Linux servers or in containers.
Self-hosting the Gluu Server makes sense if you have security and privacy requirements that prohibit cloud solutions. It also makes sense if you have performance or customization requirements that cloud-hosted identity platforms can't satisfy. Building your identity service takes work. But with a Gluu Enterprise subscription it's a little easier: we're here to make sure your deployment and operations are successful.
Here are some typical goals for Gluu customers:
Very large deployments where control of scalability is critical. With Gluu's cloud native distribution, you can scale out by adding more servers, automatically and on the fly. Whatever your performance requirements, the Gluu Server can handle them. Gluu is the only identity platform that can take advantage of Couchbase's next generation persistence capabilities.
Multi-tenant cloud-hosted identity services mix your personal data in a shared database with lots of other customers. It also means that secrets, like user passwords and client credentials, are stored in the cloud. By self-hosting a Gluu Server, you know where your personal data resides. You can also use the UMA protocol to interact with end-users after authentication to gather consent before sharing PII with third parties. This can help your organization comply with GDPR.
The Gluu Server is very flexible. You can add custom code to integrate backend systems at many points in the authentication and authorization workflow. We don't waste your time with a fancy workflow GUI. We define many interfaces, and let you write a little bit of Python or Java code to implement the exact logic you need to get the job done. Plus, Gluu is based on open source code. You'll never again be stuck waiting for a vendor to ship some critical new feature.
The Gluu Server comprises several components, which can be run as standalone services. You can run just the services that you need.
The core identity provider software that renders login pages, authenticates clients and issues tokens.
Based on the Linux Foundation Janssen Project, the Gluu Server is one of the most comprehensive OAuth and OpenID Connect Providers.
An extensible self-service web portal for end-users to view, add and enroll 2FA credentials.
What happens when you lose your 2FA credential? With Casa, end-users have a website to remove lost credentials, and to enroll a replacement! FIDO, OTP, Super Gluu, SMS, smart card, and Duo are built in. You can add others via plugins.
Choose LDAP for small deployments and Couchbase for mega-scale.
Choosing the right persistence mechanism is critical for the performance and availability of any identity platform. LDAP has fast performance and good replication. Couchbase offers sharded, multi-datacenter deployments. SQL is coming soon!
Federation broker for SAML IDPs and social login
If your partners or customers have their own SAML IDP, or you want to use a social identity provider, passport enables you to normalize authentication and to map user claims on a per IDP basis.
Shibboleth SAML IDP
SAML identity provider
Using the Shibboleth IDP, you can achieve SSO with SAML websites (SPs). With the Gluu Server, there is no need to hand-edit confusing XML files: use the admin UI (or config API) to create trust relationships and release attributes to websites.
Easy to use web interface for configuration.
The Admin web UI is nice for ad hoc configuration. You can also use the config API to achieve more automation.
You can deploy the Gluu Server on VMs or bare metal. Gluu has packages for Ubuntu, Red Hat, Debian and CentOS. Cluster Manager is a deployment tool that helps you quickly set up a highly available topology of Linux Gluu Servers.
Love K8S? The Gluu Cloud Native ("Gluu CN") distribution is for you. It's not just Kubernetes, but Helm and Kustomize too. Use Gluu CN when you need elasticity, zero-downtime upgrades, and multi-cloud deployments.
Snap packages are a new way to distribute software for many Linux distributions. This distribution strategy is limited to single-server deployments.
Single Sign-On (SSO)
Configure web SSO to any application that supports OpenID Connect or SAML. This is critical to improve user experience and productivity.
Mobile SSO
Using the OpenID AppAuth libraries, you can enable SSO to mobile applications without accidentally leaking passwords to third-party partners (or hackers!).
Inbound SAML
Leverage the SAML IDPs of your partners to offload credential management and enable end-users to seamlessly access protected resources by bringing their own identity.
Social Login
Support registration and sign-in at Google, Facebook, GitHub or any other popular consumer IDP.
Adaptive
Based on the context, implement extra authentication steps to reduce fraud. For example, requests from a risky IP address may require 2FA, while internal IP addresses may proceed with a password alone.
MFA
Gluu supports many types of multi-factor authentication out of the box. You can use tokens, mobile phones, biometrics and third-party services. You can also implement custom MFA workflows, calling your own business logic or technology.
FIDO
The Gluu Server includes a component that implements FIDO U2F and FIDO2 endpoints. After enrollment, FIDO metadata for each device is stored for the end-user. The Gluu Server SCIM API also includes a FIDO extension, to enable you to list and remove FIDO devices for a person.
Biometrics
Leverage state-of-the-art behavioral-biometric, environmental, and contextual technologies to provide invisible, adaptive, and risk-based authentication solutions. One SaaS provider Gluu supports out of the box for facial recognition is BioID.
OTP
Use software or hardware HOTP or TOTP OATH tokens as an additional factor. It's a handy option in many use cases where the device requesting the authentication is constrained.
SMS
You can use SMPP or Twilio (or other API services) to send text messages during an authentication workflow to mitigate the risk of fraud.
Leverage backend LDAP servers
Sync one or more backend directory servers, like Microsoft AD, to pull identity data into your Gluu Server identity store.
Integrate IDM tools
If you have an existing IDM tool (like Evolveum Midpoint or Sailpoint), the preferred interface for user management is the Gluu Server SCIM API. You can also use the native database connector of the IDM platform (for example, LDAP).
Registration
You can implement user registration as a special type of authentication workflow. You can also use this approach to reset passwords. Another approach is to build an external registration process, and use the SCIM API to add the user once you're done.
Local User Management
Want to use the Gluu Server as the authoritative source for identity? You can do this! Use the SCIM API to manage identities, and the admin web interface for ad hoc changes.
Central Policy Management
OAuth and federated identity protocols (i.e. SAML and OpenID) can play an important part in a central policy management infrastructure. Gluu can also conditionally render OAuth scopes and user claims based on contextual data to help implement RBAC or ABAC.
Stepped-Up Authentication
There are several ways in the Gluu Server to implement stepped-up authentication and trust elevation. OpenID Connect clients can force reauthentication if the user's authentication level is insufficient. You can also use OAuth or UMA to mitigate risk by increasing the strength of the authentication before allowing a high-value transaction.
User Consent Management
Sometimes you need to get a person's consent for something after they have already been authenticated. One of the best ways to do this is with the UMA protocol. Using interception scripts, you have the flexibility to store user consent records in any application or security backend.
Active Directory
Leverage an existing Microsoft Active Directory (AD) infrastructure as the authoritative source for identities and passwords for SSO using SAML and OpenID.
More than Active Directory
Sync user information and authenticate against any existing LDAP v3 directory server, including OpenLDAP, Oracle Directory Server (ODSEE), Novell Directory and more.
Multiple Directories
Gluu uses a virtual directory approach to consolidate identities from multiple backend Active Directory and/or LDAP servers. You can also transform user attribute names or values, or even connect to other resources to enrich the data during the synchronization process.
Use existing passwords
You can use a different LDAP server for identities and passwords. You can also choose to synchronize passwords (if they were hashed using a supported algorithm), or leave them where they are.
Features and Entitlements
Support and license entitlements for Gluu open source products and services.
The Gluu Support Portal (https://support.gluu.org) is the primary mechanism to triage support. It is available to the community, and to VIP customers. Community issues are all public, while VIP customers can open private issues. VIP customers have some additional features, like the ability to attach files and images to support requests.
Gluu makes every possible effort to respond to support incidents to meet SLA obligations that support 99.999% uptime. We offer up to 1-hour response and 4-hour resolution for priority one system-down events, and triage based on severity, risk to life and business impact. We do not offer different response times per contract, ensuring all support staff respond appropriately the first time, every time.
With a VIP support contract, you have an allocation of hours to schedule ad hoc Zoom calls with the Gluu engineering team. You can use these consultative sessions to review application design, to obtain training, or to dive deeper into a topic of your choice. Advance notice is required so Gluu can schedule the appropriate resources. The quarterly hours are "use it or lose it", i.e. they don't accumulate.
Functional and Devops Support
Application developers and deployers have different sets of challenges. The former frequently need to know how to use the Gluu Server, the latter how to operate it. VIP Support covers both requirements. Functional support issues are more common at the start of access management projects. DevOps support is critical for the production rollout and subsequent operation.
Prioritization of Feature Requests
The requests of VIP Support customers for enhancements get special attention. Gluu cannot guarantee to add new features based on these requests. This decision is ultimately made by the product team, and in some cases in collaboration with the open source community that leads development. But where possible, customer requests are accommodated.
Cluster Manager is a deployment tool that makes it easier to configure a cluster of Gluu Servers on virtual machines. It saves time by automating many manual tasks, and makes your cluster easier to upgrade. Cluster Manager is commercially licensed. Subscriptions give your organization the right to use software on an annual basis.