Users can log in to the WSO2 Carbon management console by providing a username and password. External systems can also access the admin services of a Carbon server by providing a username and password. Is there any way to extend the default authentication mechanism? Yes. WSO2 Carbon products provide an authentication framework that can be used to plug in different authentication mechanisms. By default, WSO2 Carbon products ship with several authenticators. Some authenticators are used only for accessing the admin service APIs; some are used only for management console login. You can find more details about the WSO2 authentication framework here.
The following authenticators are currently available:
IWA Authenticator: Once a user has logged in to the Windows machine using Windows authentication, the user can seamlessly log in to the WSO2 Carbon management console. The WSO2 Carbon product must be configured with AD.
SAML2 SSO Authenticator: When a user tries to access the WSO2 Carbon management console, the user is redirected to the configured IDP. The user provides credentials only to the IDP and is then logged in to the Carbon management console seamlessly. Here, however, the IDP and the WSO2 Carbon product must have the same user for authorization purposes. Therefore the same user store is sometimes shared between the IDP and the Carbon products.
WebSeal Authenticator: If the user has already logged in to the WebSeal server when trying to log in to the Carbon management console, the user can log in seamlessly. Here too, the IDP and the WSO2 Carbon product must have the same user for authorization purposes.
Mutual SSL: This is not used to log in to the management console; it is used to access the admin service APIs of the Carbon server.
You can also write your own authenticator and plug it into a WSO2 Carbon product. Sometimes you may need to modify the existing authenticators to fit your requirements. As an example, the SAML2 SSO authenticator has not been implemented to support all the optional requirements in the SAML2 SSO profile. If your IDP treats some of these optional requirements as mandatory, you may need to modify the authenticator. Let's see how we can achieve this.
Modifying the current authenticators
1. You need to modify the source, build it, and patch the Carbon server. First find the correct version of the source to patch: check the version in the Carbon distribution, then check out the source corresponding to that exact version from SVN.
2. Modify the source and build it using Maven 3.0.
3. Copy the built jar over the default jar file, which can be found in the <CARBON_HOME>/repository/components/plugins directory.
Or else, you can install the modified jar file as a patch:
3. Create a directory called “patchXXXX” under the <CARBON_HOME>/repository/components/patches directory (each X is an integer with -1 < X < 10, i.e. a single digit, but XXXX cannot be 0000) and copy the modified jar file into this directory.
4. Restart the server.
Configure new Authenticator
There can be two reasons to configure a new authenticator:
- You have implemented a new authenticator from scratch.
- You have modified one of the available authenticators and want to configure the result as a new authenticator. You can fork the source of a current authenticator and create a new authenticator from it. It is important here that you configure a new name for your authenticator to avoid confusion.
You can deploy and configure an authenticator in the following manner:
1. Copy the authenticator-related bundles into the <CARBON_HOME>/repository/components/dropins directory.
2. Configure the new authenticator in the authenticators.xml file, which can be found in the <CARBON_HOME>/repository/conf/security directory:
<Authenticator name="CustomAuthenticator" disabled="false">
    <Priority>20</Priority>
    <Config>
        <Parameter name="param1">value1</Parameter>
        <Parameter name="param2">value2</Parameter>
    </Config>
</Authenticator>
3. Restart the server.
Hope this helps.
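As an added example (not code from the post or from WSO2), the following Python script checks two things the post asks for before a restart: that every Authenticator element in an authenticators.xml fragment has a unique name and a usable Priority, and that a patch directory name follows the patchXXXX rule. The sample XML is constructed in the shape shown above; the root element name, the second entry's reused name and the non-numeric Priority are assumptions made to exercise the checks, and the server's own rule for choosing between priorities is not modelled.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the authenticators.xml shape shown above (root element name assumed).
SAMPLE_XML = """<Authenticators>
  <Authenticator name="CustomAuthenticator" disabled="false">
    <Priority>20</Priority>
    <Config><Parameter name="param1">value1</Parameter></Config>
  </Authenticator>
  <Authenticator name="CustomAuthenticator" disabled="true">
    <Priority>5</Priority>
  </Authenticator>
  <Authenticator name="OtherAuthenticator" disabled="false">
    <Priority>high</Priority>
  </Authenticator>
</Authenticators>"""

def parse_authenticators(xml_text):
    """One dict per <Authenticator>: name, disabled flag, priority, parameters."""
    entries = []
    for node in ET.fromstring(xml_text).iter("Authenticator"):
        prio = (node.findtext("Priority") or "").strip()
        entries.append({
            "name": node.get("name", ""),
            "disabled": node.get("disabled", "false").strip().lower() == "true",
            "priority": int(prio) if prio.isdigit() else None,
            "params": {p.get("name"): (p.text or "").strip()
                       for p in node.findall("Config/Parameter")},
        })
    return entries

def lint_authenticators(entries):
    """Flag reused names (the post's warning) and missing or non-integer Priority values."""
    problems, seen = [], set()
    for e in entries:
        label = e["name"] or "<unnamed>"
        if not e["name"]:
            problems.append("Authenticator element without a name attribute")
        elif e["name"] in seen:
            problems.append(f"duplicate authenticator name: {label}")
        seen.add(e["name"])
        if e["priority"] is None:
            problems.append(f"{label}: Priority missing or not an integer")
    return problems

def is_valid_patch_dir(dirname):
    """patchXXXX with exactly four digits, where XXXX may not be 0000 (the post's rule)."""
    m = re.fullmatch(r"patch(\d{4})", dirname)
    return m is not None and m.group(1) != "0000"
```

Run `lint_authenticators(parse_authenticators(open(path).read()))` against the real file to get a list of problems; an empty list means no duplicate names and every Priority is an integer.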