IDAAS core
The Identity and Access (IDAAS) core is the secure and stable foundation for the OneWelcome Identity Platform. It provides the common, shared identity and access functions needed by the other identity applications to perform their business-specific functions. It hosts functions such as the identity store, authentication engine, access component, event store, and credential store.
Most identity applications require generic functionality such as knowledge about identity, an authentication service, or a central location to store all generated events. That is exactly what the IDAAS core provides. It is a REST API-enabled component that supports open standards for the functions it provides: for authentication it supports SAML and OIDC; for access it supports OAuth; and for identity manipulation it supports SCIM.
Identity store
The Identity store is where all identity-related data is stored. The data model is based on SCIM and supports multiple SCIM schemas. The OneWelcome Identity Platform provides the Core and OneWelcome extension schemas. To provide maximum flexibility and support any attributes that you need, you can create additional schemas. You can manipulate the identity records through the SCIM API with fine-grained authorizations. This results in a very flexible data model.
In addition to the actual attributes, the identity store stores metadata based on NIST 8112. The metadata provides the necessary context for understanding the value of the actual attribute. For example, the metadata stores when the attribute was created and last updated, but also stores what processing purpose the user consented to, where the data came from, and what the trust level is.
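As an added illustration (not OneWelcome's code or data model), the following Python validator checks an identity record of the kind described above: every SCIM extension namespace used as a top-level key must be declared in `schemas`, and every stored attribute must carry NIST 8112-style metadata (creation and update time, origin, consented processing purpose, trust level). The extension URN, the metadata field names and the sample record are assumptions; only the core User URN is the real RFC 7643 identifier.

```python
# Added example (not OneWelcome code); SCIM_CORE_USER is the RFC 7643 URN, CUSTOM_EXT is hypothetical.
SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM_EXT = "urn:example:scim:schemas:extension:onewelcome:2.0:User"  # hypothetical
RESERVED = {"schemas", "id", "meta", "attributeMetadata"}  # not attribute values
# Per-attribute context modelled on NIST IR 8112; the field names here are illustrative.
REQUIRED_META = ("created", "lastModified", "origin", "processingPurpose", "trustLevel")
TRUST_LEVELS = {"self-asserted", "verified", "authoritative"}

def attribute_paths(record: dict) -> list[str]:
    """Flatten core and extension attributes into SCIM-style attribute paths."""
    paths = []
    for key, value in record.items():
        if key in RESERVED:
            continue
        if key.startswith("urn:") and isinstance(value, dict):  # extension block
            paths.extend(f"{key}:{sub}" for sub in value)
        else:
            paths.append(key)
    return paths

def validate_identity_record(record: dict) -> list[str]:
    """Return the problems found; an empty list means the record is consistent."""
    problems = []
    declared = set(record.get("schemas", []))
    if SCIM_CORE_USER not in declared:
        problems.append("core User schema not declared")
    # Extension data may only sit under a namespace that is listed in 'schemas'.
    for key in record:
        if key.startswith("urn:") and key not in declared:
            problems.append(f"undeclared extension used: {key}")
    # Every stored value needs its context record: when, where from, consent and trust.
    meta = record.get("attributeMetadata", {})
    for path in attribute_paths(record):
        m = meta.get(path)
        if m is None:
            problems.append(f"missing metadata for {path}")
            continue
        for field in (f for f in REQUIRED_META if f not in m):
            problems.append(f"{path}: metadata lacks {field}")
        if m.get("trustLevel") not in TRUST_LEVELS:
            problems.append(f"{path}: unknown trustLevel {m.get('trustLevel')!r}")
    return problems

# Constructed sample: one core attribute and one extension attribute, each with metadata.
META_A = {"created": "2024-01-15T09:30:00Z", "lastModified": "2024-01-15T09:30:00Z",
          "origin": "registration", "processingPurpose": "service", "trustLevel": "self-asserted"}
META_B = dict(META_A, origin="crm-import", processingPurpose="loyalty", trustLevel="verified")
SAMPLE_RECORD = {"schemas": [SCIM_CORE_USER, CUSTOM_EXT], "id": "u-1", "userName": "jdoe",
                 CUSTOM_EXT: {"loyaltyNumber": "L-00042"},
                 "attributeMetadata": {"userName": META_A, f"{CUSTOM_EXT}:loyaltyNumber": META_B}}
```

Calling `validate_identity_record(SAMPLE_RECORD)` returns an empty list; dropping the extension from `schemas` or omitting an attribute's metadata entry produces a named problem for each defect.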
Credential store
The Credential store stores the actual credentials, meaning usernames and passwords, for those accounts that are held locally. The credential store supports a wide range of hashing algorithms and can support pre-encoded passwords to allow for seamless migration of existing users into the OneWelcome Identity Platform.
Event store
The Event store stores all events that the platform generates. Each event contains a reference to the identity record it applies to, the event type, and the data relevant to that event type. Retain events for long-term storage and further processing.
Access component
The Access component provides the ability to connect with external applications for authentication and authorization. These applications, service providers (in SAML terminology) or clients (in OAuth or OIDC terminology), can integrate based on SAML, or on OAuth or OIDC. In these scenarios, the IDAAS core acts as the identity provider (IDP) or OpenID Provider (OP) for the applications, which authenticates users, establishes sessions, and issues assertions or tokens.
The access component has a strong relationship with the federation, authentication, and authorization components. Combined, they provide the needed capabilities to sign a user in, either with an internal or an external account.
Federation component
The Federation component provides the ability to connect to an external IDP. These can be, for instance, the social providers, like Google, Facebook and so on, national ID schemes (eIDs), or any other IDP that supports SAML or OIDC. The federation component takes care of attribute mapping and can, if configured, match the external user to an internal user and link both accounts.
Authentication component
The Authentication component takes care of the actual authentication and session management. Authentication can be done internally, with the locally stored credentials, or externally through the federation component. It supports single-factor, multi-factor, and step-up authentication. Supported authentication mechanisms include:
- Unique ID (UID) and password
- One-time password (OTP) (email, SMS, or voice)
- Time-based one-time password (TOTP)
- One-time link (Magic link)
- QR code (requires the Mobile Identity module)
- Push notification (requires the Mobile Identity module)
The authentication component also takes care of session management to provide single sign-on (SSO), and it can support SAML single logout (SLO) and token revocation (including front-channel logout).
Authorization component
The Authorization component acts as the OP in OAuth/OIDC terms. It issues tokens based on internally provided data (such as attributes) and includes the right claims for the relying party that requests access tokens.
Insights component
The Insights component provides basic reporting capabilities. Reports are provided on a per-customer basis and created as part of the onboarding process.