This page gives a high-level overview of the iWelcome features for B2E and Tulip. It indicates whether each feature applies in Tulip on 'segment level' or 'tenant level'.

This page does not aim at providing a detailed product description, and therefore does not compare features on the same level of detail.

!!! Caution
    Features that are available in both releases may not be 100% compatible.

On this page the following notations are used:

| Icon | Description |
|---|---|
| ✅ | functionality that is supported |
| ⚠️ | feature or functionality is available, but with certain limitations |
| 🔆 | feature or functionality that fits the product vision and will be - dependent on prioritisation - added to the roadmap for release Tulip or a subsequent release |
| ✖️ | feature or functionality that will not be added to the indicated iWelcome release |

iWelcome's product backlog and roadmap are subject to updates as a result of revised prioritisation and product vision. iWelcome does not commit itself by means of this page to releasing features listed as 'roadmap' or 'backlog'.

Functional Breakdown

Authentication

| Feature | iWelcome B2E | Tulip | Applicable on Level (Tulip) |
|---|---|---|---|
| local password validation | ✅ | ✅ | segment |
| AD-password validation | ✅ | ✖️ on backlog | segment |
| inbound federation based on Kerberos | ✅ | ✅ (not GA) | segment |
| inbound federation with Facebook | ✅ | ✅ | segment |
| inbound federation with Google | ✖️ | ✅ | segment |
| inbound federation with Microsoft | ✖️ | ✅ | segment |
| inbound federation with ADFS | ✅ | ✅ (not GA) | segment |
| 2FA: SMS | ✅ | ✅ | segment |
| 2FA: iWelcome-app | ✅ | 🔆 | segment |
| 2FA: U2F | ✅ | ✖️ | N/A |
| 2FA: step-up | ✖️ | ✅ | |
| 2FA: activation | ✖️ | ✅ | |
| 2FA: password reset | ✅ logout | ✅ | segment |
| 2FA-logic: enforcement on all users | ✅ | ✅ | segment |
| 2FA-logic: risk based | ✅ | ✖️ on backlog | to be defined |
| 2FA-logic: segment based | ✅ | ✅ | to be defined |
| 2FA-logic: group based | ✅ | ✖️ on backlog | to be defined |
| 2FA-logic: attribute based | ✖️ | ✅ | segment |
| 2FA-logic: application based | ✅ | ✅ | to be defined |

SSO and Federation

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| federation: SAML 1.1 | ✅ | ✖️ | N/A |
| federation: SAML 2.0 | ✅ | ✅ web SSO and single logout profiles | segment |
| | ✅ IDP-initiated; ✅ SP-initiated | 🔆 IDP-initiated; ✅ SP-initiated | segment |
| federation: OAuth 2.0 (grants as per RFC 6749) | ✅ | ✅ For more details, refer to OAuth 2.0 and OpenID Connect 1.0 | segment |
| OAuth device flow | ✖️ | ✅ | to be defined |
| federation: WS-Fed (O365) | ✅ | ✖️ | segment |
| federation: OIDC | ✅ | ✅ | segment |
| SAML Assertions (profile attributes) | ✅ | ✅ | segment |
| Single Log off | ✅ | 🔆 | to be defined |
| forms-based SSO | ⚠️ identity gateway | ✖️ | N/A |

Lifecycle Management

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| inbound provisioning through SCIM | ✅ | ✅ | segment |
| inbound provisioning: SQL sync | ✅ | ✖️ | segment |
| inbound provisioning: LDAP sync | ✅ | ✖️ | segment |
| inbound provisioning via federation (JIT) | ✖️ | ✅ | segment |
| guest accounts | ✅ | 🔆 | segment |
| self-registration flexibility | ⚠️ a limited set of supported processes | ✅ configurable in screens and attributes | segment |
| activation based on email | ✅ | ✅ | segment |
| activation based on attributes (KBA) | ✅ | ✖️ | N/A |
| user grouping | ✅ | 🔆 | to be defined |

Profile Management

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| flexible user attributes / SCIM extensions | ✅ | ✅ | tenant |
| self-registration with local account | ✅ | ✅ flexibility | segment |
| self-registration with Facebook account | ✅ | ✅ | segment |
| self-registration flexibility | ⚠️ a limited set of supported processes | ✅ various out of the box registration flows are supported | segment |
| profile visibility in ServiceDesk | ⚠️ limited attributes | ✅ full profile | tenant |
| configurable profile in self-service (read and/or edit) | ⚠️ limited possibilities | ✅ flexibility | segment |
| family management | ✖️ | 🔆 | to be defined |
| iDIN based identity proofing | ✖️ | ✅ | |
| iDIN based registration | ✖️ | ✅ | to be defined |

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| ask user's consent during registration | ✅ | ✅ | segment |
| storage of consent records for Terms of Service and Privacy Policy | ✖️ | ✅ | segment |
| consent tracking on processing purposes for personal information | ✖️ | ✅ | segment |
| revoke/give consent on processing purposes via Self-Service consent page (My Page) | ✖️ | ✅ | segment |
| consent notifications to back-end systems | ✖️ | ✅ | segment |

Credential Management

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| set/update password via SCIM | ✅ | ✅ | segment |
| password policy applied on SCIM | ✖️ | ✅ | segment |
| hashed passwords through SCIM | ✅ | ✅ | tenant |
| set password during self-registration | ✖️ | ✅ | segment |
| change password on first login | ✖️ | ✅ | |
| change password in Self-Service UI | ✅ | ✅ | segment |
| reset password in Self-Service UI | ✅ | ✅ | segment |
| password complexity enforced | ✅ Self-Service; ✖️ SCIM | ✅ Self-Service; ✅ SCIM (when not hashed) | segment |
| check password against history | ✅ Self-Service; ✖️ SCIM | ✅ | segment |
| password expiry | ⚠️ there are limitations in combination with 2FA | ✅ | to be defined |
| activation: set security questions | ✅ | ✖️ | to be defined |
| activation: set password | ✅ | ✅ | segment |
| activation: verify phone number | ✖️ | ✅ | segment |
| activation: verify email address | ✅ | ✅ | segment |
| Self-Service add 2FA token (SMS, app) | ✅ | 🔆 | to be defined |
| ServiceDesk (remove token) | ✅ | 🔆 | to be defined |
| linking / unlinking social accounts via Self-Service | ✖️ | ✅ | to be defined |
| Self-Service APIs to manage credentials | ✖️ | 🔆 | to be defined |

Authorisation

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| assign guest roles | ✅ | 🔆 | to be defined |
| assign groups/roles via SCIM | ✅ | 🔆 | to be defined |
| multiple contract support | ✅ | ✖️ | N/A |
| ABAC-based MyApps | ⚠️ | ✅ | to be defined |
| OAuth - Consent UI to access resource | ✅ | ✖️ | N/A |

Provisioning

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| inbound AD provisioning connector | ✅ | ✖️ deprecated | to be defined |
| various application connectors | ✅ | ✖️ deprecated | to be defined |
| provisioning connector framework | ✅ | ✖️ deprecated | tenant |
| connector: on-prem AD | ✅ | ✖️ deprecated | to be defined |
| connector: SOAP | ✅ | ✖️ deprecated | to be defined |
| connector: SQL | ✅ | ✖️ deprecated | to be defined |
| connector: Graph API for Azure AD | ✅ | ✖️ deprecated | to be defined |
| provisioning reconciliation | ✖️ | ✖️ | N/A |

(Delegated) User Management

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| create groups | ✅ | ✅ | to be defined |
| manage group memberships (add/delete users) | ✅ | ✅ | to be defined |
| create user | ✅ via API or DUMS application | ✅ | to be defined |
| access only to restricted set of users | ✅ via AdminUI or DUMS | ✅ | N/A |
| user hierarchy | ✅ | ✅ | to be defined |

Profile Validation

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| user profile attribute metadata | ✖️ | ✅ | N/A |
| identity look-up during registration | ✖️ | ✅ | |
| validated attribute retrieval via iDIN | ✖️ | ⚠️ available as building block, no end-to-end feature. | N/A |

Identity Analytics

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| statistics in ServiceDesk | ✅ (Admin UI) | ✖️ | N/A |
| full SCIM filtering capabilities to query identities | ✖️ | ✅ | segment |
| predefined reports | ✅ | 🔆 | tenant/segment |
| syslog event publisher | ✖️ | ✅ | |
| tag manager support | ✖️ | ✅ | |

Non-functionals

| Feature | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| Look&feel | ⚠️ limited capabilities to adjust | ✅ based on material UI | tenant |
| multi-branding: CSS | ✅ | ✅ | segment/brand |
| multi-branding: Apply 'branded' texts on UIs | ⚠️ partial | ✅ UI texts can be changed. No possibility to add additional explanations and links. | segment |
| multi-branding: email templates | ✅ | ✅ | segment/brand |
| multi-language for end user facing screens | ✅ | ✅ | segment |
| responsiveness | ⚠️ limited | ✅ fully responsive, mobile-first designs | tenant |
| performance SCIM | ⚠️ fair | ✅ good | tenant |
| product documentation | ⚠️ offline; ⚠️ high level documentation; ⚠️ limited scope | ✅ online documentation; ✅ detailed documentation; 🔆 scope is being extended | tenant |

Component Breakdown

UI Components

Note: Functionality in each of the components listed here is clarified elsewhere on this page.

| Component | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| ServiceDesk UI | ✅ user tab as part of AdminUI | ✅ limited functionality (search & delete) | tenant |
| Self-Service | ✅ | ✅ | segment |
| ConfigUI - for iWelcome config | ✖️ | 🔆 | tenant |
| Delegated User Management app | ⚠️ guest module as part of ConfigUI; ✅ DUMS application | ✅ (DUMS will be replaced with a new module - Access RITM) | tenant |
| iWelcome authenticator app | ✅ | 🔆 | to be defined |
| SCIM user management interface | ✅ | ✅ | segment |
| My Apps | ✅ part of Self-Service | ✅ | to be defined |
| login app | ⚠️ | ✅ | segment |

APIs

| API / Capability | iWelcome B2E | Tulip | Applicable on Level |
|---|---|---|---|
| Login API | ✖️ | 🔆 | to be defined |
| SCIM 1.1 | ✅ | ✅ | segment |
| SCIM 2.0 | ✖️ | 🔆 | segment |
| Consent API | ✖️ | ✅ | segment |
| OAuth 2.0 | ✅ | ✅ | segment |
| OIDC | ✅ | ✅ | segment |
| SAML 2.0 | ✅ | ✅ | segment |
| Self-Service APIs | ✖️ | 🔆 | to be defined |
| OAuth Access Token revocation API | ✖️ | ✅ | to be defined |
| Dynamic client registration API | ✖️ | ✅ | |
| Session Management API | ⚠️ | ✅ | |
| Reverse Look-up API | ✖️ | ✅ | |