
Custom authenticator for WSO2 Identity Server (WSO2IS) SSO login

In SSO login, you can plug different custom authenticators into WSO2IS. There are two major types: local authenticators and federated authenticators. Federated authenticators are needed when you have to redirect the browser to another IDP, for example the Salesforce, Google or Facebook IDPs (more details here). In other cases, we can implement a local authenticator.

The default authenticator of WSO2IS is the Basic authenticator. It is also a local authenticator: it authenticates the end user against the connected user store using the provided username and password.

In this post, let's implement a local authenticator for WSO2IS by extending the Basic authenticator.
Let's take the following two sample requirements.

1. Users who log in using "OpenID Connect" must be authenticated against the user store and then authorized. For authorization, the user must be verified to be assigned the specific role called "openidConnectRole".

2. Users who come from the application (service provider) "soasecurity.org" must be authenticated against the user store and then authorized. For authorization, the user must be verified to carry a specific attribute, for example an email address in the domain "soasecurity.org".

Step 1. Extend the Basic Authenticator and implement a new authenticator.

As we only care about authorization, authentication can happen at the Basic Authenticator level, and the authorization logic is added after it. Therefore we only need to override one method of the Basic Authenticator, "processAuthenticationResponse()": call the parent implementation first, so that a wrong password is rejected before any authorization check runs, and then apply the role or attribute check to the authenticated user.

We also need to change the authenticator name by overriding the "getFriendlyName()" and "getName()" methods.

You can find the extended authenticator source here.

Step 2. Create an OSGi bundle out of your extended authenticator. A sample project can be found here. You can build the project using Maven 3.
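As an added example (not the sample project linked above, and not WSO2's own code), this is how such an authenticator and its bundle activator can look against the WSO2 IS 5.0.x authentication framework API. The package name, the "oidc" request-type value, the service-provider name "soasecurity.org", the WSO2 e-mail claim URI and the use of BasicAuthenticatorServiceComponent.getRealmService() to reach the user store are assumptions for this illustration; check them against the framework version you build against.

```java
package org.soasecurity.wso2.authenticator; // assumed package name

import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorServiceComponent;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/**
 * Local authenticator: BasicAuthenticator verifies the password, then the two
 * authorization rules from this post are enforced on the authenticated user.
 */
public class BasicCustomAuthenticator extends BasicAuthenticator {

    private static final long serialVersionUID = 1L;

    // Assumed values: the framework's request type for OpenID Connect logins, the
    // service-provider name as registered in the console, and the WSO2 e-mail claim URI.
    private static final String OIDC_REQUEST_TYPE = "oidc";
    private static final String RESTRICTED_SP = "soasecurity.org";
    private static final String REQUIRED_ROLE = "openidConnectRole";
    private static final String REQUIRED_MAIL_DOMAIN = "@soasecurity.org";
    private static final String EMAIL_CLAIM = "http://wso2.org/claims/emailaddress";

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request,
                                                 HttpServletResponse response,
                                                 AuthenticationContext context)
            throws AuthenticationFailedException {

        // Authentication first: the parent checks username/password against the user
        // store and itself throws AuthenticationFailedException on a bad password.
        super.processAuthenticationResponse(request, response, context);

        // In IS 5.0.x getSubject() is the fully qualified username (String); in later
        // releases it is an AuthenticatedUser and you would call getUserName() on it.
        String username = context.getSubject();
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);

        try {
            UserStoreManager userStore = getUserStoreManager(username);

            // Requirement 1: OpenID Connect logins require the openidConnectRole.
            if (OIDC_REQUEST_TYPE.equals(context.getRequestType())) {
                String[] roles = userStore.getRoleListOfUser(tenantAwareUsername);
                if (!Arrays.asList(roles).contains(REQUIRED_ROLE)) {
                    throw new AuthenticationFailedException(
                            "User " + username + " is not assigned the role " + REQUIRED_ROLE);
                }
            }

            // Requirement 2: the soasecurity.org service provider only admits users
            // whose e-mail claim is in the soasecurity.org domain.
            if (RESTRICTED_SP.equals(context.getServiceProviderName())) {
                String email = userStore.getUserClaimValue(tenantAwareUsername, EMAIL_CLAIM, null);
                if (email == null || !email.toLowerCase().endsWith(REQUIRED_MAIL_DOMAIN)) {
                    throw new AuthenticationFailedException(
                            "User " + username + " has no " + REQUIRED_MAIL_DOMAIN + " e-mail address");
                }
            }
        } catch (UserStoreException e) {
            // Fail closed: an error while reading roles or claims must not grant access.
            throw new AuthenticationFailedException("Authorization check failed for " + username, e);
        }
    }

    // Resolve the user store of the user's tenant via the RealmService held by the
    // basic-auth bundle (assumed to be reachable from the extending bundle).
    private UserStoreManager getUserStoreManager(String username) throws UserStoreException {
        RealmService realmService = BasicAuthenticatorServiceComponent.getRealmService();
        int tenantId = realmService.getTenantManager().getTenantId(MultitenantUtils.getTenantDomain(username));
        return realmService.getTenantUserRealm(tenantId).getUserStoreManager();
    }

    // These two names are what login.jsp and default.xml refer to.
    @Override
    public String getName() {
        return "BasicCustomAuthenticator";
    }

    @Override
    public String getFriendlyName() {
        return "BasicCustom";
    }
}

// Second file of the same bundle, BasicCustomAuthenticatorActivator.java, named in the
// manifest's Bundle-Activator header. It publishes the authenticator as an OSGi service
// so the authentication framework picks it up once the bundle is in dropins.
public class BasicCustomAuthenticatorActivator implements BundleActivator {
    public void start(BundleContext bundleContext) {
        bundleContext.registerService(ApplicationAuthenticator.class.getName(),
                new BasicCustomAuthenticator(), null);
    }
    public void stop(BundleContext bundleContext) { }
}
```

The two checks run only after super.processAuthenticationResponse() has returned, so an attacker cannot learn whether a user holds the role or the e-mail domain without first supplying a valid password, and any user-store error during the checks is turned into a failed login rather than a silent pass.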

Step 3. Deploy the OSGi bundle in WSO2 Identity Server (or APIM) by copying it into the repository/components/dropins directory under the server home.

Step 4. You need to edit the repository/deployment/server/webapps/authenticationendpoint/login.jsp page and add your new authenticator name.

Currently it checks only for "BasicAuthenticator". Modify the condition as follows so that it also accepts "BasicCustomAuthenticator" (note the short-circuit || operator):

} else if (localAuthenticatorNames.size() > 0 && (localAuthenticatorNames.contains("BasicAuthenticator") || localAuthenticatorNames.contains("BasicCustomAuthenticator"))) {

Step 5. (Optional) If you need to make this the default authenticator for all service providers, you can configure it in the repository/conf/identity/service-providers/default.xml file.

This file is set to "BasicAuthenticator" by default. You can change it to "BasicCustomAuthenticator" by modifying the following two properties

<Name>BasicAuthenticator</Name>
 <DisplayName>basicauth</DisplayName>

in to

<Name>BasicCustomAuthenticator</Name>
 <DisplayName>BasicCustom</DisplayName>

Step 6. Restart the server.

Step 7. You can log in to the management console and configure the new authenticator for each service provider under "Local & Outbound Authentication Configuration".

Step 8. Try it out.

You can debug the custom authenticator source by starting the server in debug mode and attaching a remote debugger to port 5005.

>sh wso2server.sh -debug 5005

Thanks for reading…!!!
