WSO2 Identity Server vs Key Manager
The table below lists the key differences between WSO2 Identity Server and WSO2 Key Manager, which are bundled in the same package of the API Management product.
The table will help you decide which product to choose for different project scenarios. In most cases, the default Key Manager is enough for API authentication and authorization. If the application requires permission-based authorization, then Identity Server is necessary.
| Category | Feature | Key Manager | Identity Server |
|---|---|---|---|
| API Authentication | Basic | x | x |
| API Authentication | API Key | x | x |
| API Authentication | OAuth 2.0 | x | x |
| API Authentication | OpenID Connect | x | x |
| API Authentication | IWA | | x |
| API Authentication | Support MFA (OTP, Token, Mobile Push Notification, Biometrics, ...) | | x |
| API Authentication | Step-up authentication | | x |
| API Authentication | Contextual-based authentication | | x |
| API Authentication | Risk-based authentication (using AI) | | x |
| API Authorization | Role-based access control | x | x |
| API Authorization | Permission Tree | | x |
| API Authorization | XACML 3.0 | | x |
| API Authorization | OAuth2 scopes | | x |
| API Authorization | Adaptive access control (dynamic role injections/mappings) | | x |
| User Store | LDAP | x | x |
| User Store | Active Directory | x | x |
| User Store | RDBMS | x | x |
| Identity federation | SAML 2.0 | | x |
| Identity federation | OpenID Connect | | x |
| Identity federation | Social Identity Provider (Google, Facebook, ...) | | x |
| Application SSO | OpenID Connect | x | x |
| Application SSO | SAML 2.0 | x | x |
| Application SSO | WS-Federation | | x |
| Application SSO | WS-Trust | | x |
| Application SSO | CAS | | x |
| User onboarding workflows | Admin-initiated user creation with username+password | x | x |
| User onboarding workflows | Self-registration workflow with account confirmation via email | x | x |
| User onboarding workflows | Just-In-Time Provisioning workflow | x | x |
| Identity Lifecycle Management | Account locking for incorrect password attempts | x | x |
| Identity Lifecycle Management | Account lock timeout | x | x |
| Password Management | Self-service password recovery workflow using email | x | x |