Looking for a GDPR compliant IAM product ?

WSO2 Identity Server (WSO2 IS) is a leading open source IAM (Identity and Access Management ) product and a member of WSO2 middleware platform. Like any other WSO2 product WSO2 IS is also licensed with Apache 2.0 which grants true freedom for users, in other words as far as you can manage yourself you don’t need to purchase any special licenses from us to run WSO2 IS for any production use.

GDPR formalized in EU parliament in 2016 will come in to effect on May 2018, GDPR compliance is absolutely must for any organization which process personal data from individuals live in EU territory. Managing various security and privacy aspects of individuals is one of the top priority of any IAM product, this is same for WSO2 IS as well, within this context GDPR set several challenges for IAM products. Anyone who already use IAM product or anyone evaluate IAM product for organizational purposes must pay special attention to evaluate current/candidate IAM product against these challenges set by GDPR, here are few of them.

  1. Does the IAM product itself in compliance with GDPR ?
  2. Are their any toolkit provided by the IAM product to make existing deployments (based on previous releases ) GDPR compliant without migration to newer version ?
  3. Can the IAM product use as a building block to build GDPR solution for the organization in a time and cost effective manner ?
  4. Does the IAM product set any vendor lock-in for your organization ?
  5. Does the IAM product bundled with necessary knowledge base required implement GDPR solution within your organization ?

Although foundations of WSO2 IS were built based on well known “Security by Default” and “Privacy by Default” principles from it’s very first release, during last few months we have been busy with reviewing the product architecture to ensure product itself in compliance with GDPR and the product can be used to build any GDPR solution. This exercise also extended to build set of new features such as full consent lifecycle management support, Privacy Toolkit which can be used with not only with latest release but with older versions which are still run on production systems. Here is our answers for above questions from WSO2 IS point of view

  1. WSO2 IS 5.5.0 is in compliance with GDPR.
  2. WSO2 Privacy Toolkit can be used with older versions of IS ( in fact this toolkit can be used with any WSO2 platform product)
  3. WSO2 IS can be used as a building block to build GDPR solution.
  4. WSO2 IS does not set you on any vendor lock-in
  5. WSO2 IS product is bundled with great level of knowledge base including white papers, articles, tutorials, solution briefs, case studies etc.

Here are some of the key highlights related to WSO2 IS GDPR support

WSO2 Privacy Toolkit

The idea is to build reusable and independent set of tools that can help to make systems to be in compliance with GDPR , there are several design goals.

  • This toolkit can be used to anonymous PII data scattered in databases connect to WSO2 IS.
  • This toolkit can be used to anonymous PII data scattered in log files.
  • These toolkit can be used with older versions of WSO2 IS as well.
  • The toolkit can be extended to support for custom components deployed in WSO2 IS.
  • The toolkit should not make performance bottleneck for running system.
  • It should be possible to run the toolkit outside WSO2 IS runtime.
  • The toolkit should be automation friendly.
  • The toolkit should provide full flexibility for identity administrators.

Consent Lifecycle management

  • Now any self-care user profile creation, user provisioning to other systems, sharing user attributes through SSO and identity federation are fully based on user consent.
  • User can review, modify and revoke given consents via self-care user portal or via the RESTful Consent API.
  • Consent API can be also used to integrate WSO2 IS consent management capabilities with existing applications.
  • WSO2 IS can be used to manage consent of any 3rd party application via the RESTful Consent API.

Support for Kantara Consent Receipt Specification

We believe & support for open standards, whenever possible we try to be interoperable with industry standards, this motivates us to support Consent Receipt specification from Kantara Initiative despite of its current draft state. We hope our move will help Kantara Initiative also to build Consent Receipt as a widely used open standard.

You can find documentation related to Consent Receipt API from here.

Personal data export API

Personal data export API can be used to download individuals profiles stored in WSO2 IS in a machine readable, structured and well known JSON format. Individual can download these profiles by login to self-care user portal or organization can facilitate individual by integrating existing applications/portals with RESTful Personal data export API exposed by WSO2 IS.

User Self-care portal

The self-care portal of WSO2 IS is enriched with set of new features so that individuals can use this portal to exercise their individuals rights defined in the GDPR. This will eliminate the requirement of building own user self-care portal by each organization. Self-care portal can be rebranded and customized according to your organizational theme as well.


If you look for a GDPR compliant IAM product, download WSO2 IS 5.5.0 today and evaluate ! I’m sure you will not disappoint on the time you spend for evaluation :) If you have suggestions, improvements, complaints, issues report us through our Github repo here.

Here are some resources

Product download page

WSO2 GDPR landing page

Integration and Identity Architect & PMC Member @ The Apache Software Foundation, was a Director @ WSO2