The authentication endpoint is the authentication URL used in authentication requests. The following sections discuss methods of customizing this endpoint for various scenarios.

...

  1. Open the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and ensure that the clientAuth attribute in the Connector tag is set to “want” as shown below. This is done to disable the certificate authentication on certain occasions (like when working on mobile apps). This makes two-way SSL authentication optional.

    clientAuth="want"

    Note: The .jar file enabling usage of Mutual SSL is shipped with IS by default from IS versions 5.1.0 and upwards. The org.wso2.carbon.identity.authenticator.mutualssl_X.X.X.jar file can be found in the <IS_HOME>/repository/components/plugins directory.

  2. Open the <IS_HOME>/repository/conf/security/authenticators.xml file and add the disabled="false" attribute within the <Authenticator> tag for the MutualSSLAuthenticator to enable the Mutual SSL Authenticator. 

    <!-- Authenticator Configurations for MutualSSLAuthenticator-->
    <Authenticator name="MutualSSLAuthenticator" disabled="false">
        <Priority>5</Priority>
        <Config>
            <Parameter name="UsernameHeader">UserName</Parameter>
            <Parameter name="WhiteListEnabled">false</Parameter>
            <Parameter name="WhiteList"/>
        </Config>
    </Authenticator>
  3. If the SAML2SSOAuthenticator is enabled (disabled="false") in the <IS_HOME>/repository/conf/security/authenticators.xml file, set its priority to 0. Otherwise ignore this step.

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>0</Priority>
        ...
    </Authenticator>
  4. Add the following configuration into the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the ApplicationAuthentication tag.

    <TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
    <TenantDataListenerURLs>
        <TenantDataListenerURL>
            /authenticationendpoint/tenantlistrefresher.do
        </TenantDataListenerURL>
    </TenantDataListenerURLs>

    Note: When configuring the TenantDataListenerURL tag, note the following.

    • In a clustered setup that has multiple authentication endpoint web applications hosted, list all of them under the TenantDataListenerURL tag.

    • For authentication endpoint web applications hosted outside the WSO2 Identity Server or in other nodes of a cluster, add the absolute URL within the TenantDataListenerURL tag.

  5. Restart the server using one of the following commands.

    • Windows: wso2server.bat

    • Linux/Unix: sh wso2server.sh

  6. Once the server is restarted, the authenticationendpoint.war file is deployed. The <IS_HOME>/repository/conf/identity/EndpointConfig.properties file has to be changed with the required values for properties. The following are the default values for the properties to be used in this file.

    tenantListEnabled=false
    hostname.verification.enabled=true
    mutual.ssl.username=admin
    client.keyStore=./repository/resources/security/wso2carbon.jks
    Carbon.Security.KeyStore.Password=wso2carbon
    client.trustStore=./repository/resources/security/client-truststore.jks
    Carbon.Security.TrustStore.Password=wso2carbon
    #identity.server.serviceURL=https://localhost:9443/services/
    username.header=UserName

    Do the following updates to this configuration.

    1. Set tenantListEnabled to true in order to enable the tenants to display as a list.
    2. For the mutual.ssl.username property, set the username that is to be used for mutual SSL authentication. This user needs to have permission to list down tenants. You can add a new username here provided that you create a user with that username and grant the following permissions to the role of the user.

      Super Admin Permissions > Manage > Monitor > Tenants > List

    3. Paths for the client keystore and truststore can be relative or absolute. The default paths point to the keystore and truststore of the Identity Server itself. A new keystore can be created and used for the client if necessary; however, you must then set the passwords for client.keyStore.password and client.trustStore.password appropriately.

    Note: If you are hosting the authenticationendpoint.war webapp outside the Identity Server (i.e., in a different Tomcat or WSO2 Application Server), then you cannot use the <IS_HOME>/repository/conf/identity/EndpointConfig.properties file because the webapp does not have access to this file. Instead, the same property file can be found at <WebApp_HOME>/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties.

    In this scenario, do the following:

    • Open the <WebApp_HOME>/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties file and provide the full URL to WSO2 Identity Server's admin services endpoint in the identity.server.serviceURL property, following the format below.

      identity.server.serviceURL=https://<ip>:<port>/services

    • Copy the org.wso2.carbon.identity.application.authentication.endpoint.util-5.0.7.jar file and paste it in the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib folder.

      Note:
      • If you have applied the WSO2-CARBON-PATCH-4.4.0-0073 security patch, copy the .jar file found in the <CARBON_PATCH_HOME>/patch0073 folder.
      • If you have not applied the WSO2-CARBON-PATCH, copy the .jar file found in the <IS_HOME>/repository/components/plugins folder.
  7. For mutual SSL authentication, the public certificate of the Identity Server has to be imported to the truststore of the client and the public certificate of the client has to be imported to the client-truststore of Identity Server.

    Sample commands

    The following two commands are examples for the case where you use the keystore and client-truststore of the Identity Server itself for the client. They are executed from the <IS_HOME>/repository/resources/security directory.

    keytool -export -alias wso2carbon -file carbon_public2.crt -keystore wso2carbon.jks -storepass wso2carbon

    keytool -import -trustcacerts -alias carbon -file carbon_public2.crt -keystore client-truststore.jks -storepass wso2carbon

    Note: If the mutualSSLManagerEnabled property is disabled in the EndpointConfig.properties file in <IS_HOME>/repository/conf/identity, the MutualSSLManager will not initialize the keystores. This property is enabled by default. If you do not require the keystore to be initialized, disable the following property.

    mutualSSLManagerEnabled=true


Removing the tenant list from the login page

...

  1. Shutdown the server if it is already started.
  2. Set the property tenantListEnabled=false in the EndpointConfig.properties file.

    Note:
    • If you are hosting the authenticationendpoint.war webapp within WSO2 Identity Server, set this property in the <IS_HOME>/repository/conf/identity/EndpointConfig.properties file.

    • If you are hosting it outside the WSO2 Identity Server (i.e., external Tomcat or WSO2 Application Server), set this property in the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties file.
  3. Set TenantDomainDropDownEnabled parameter to false in the <IS_HOME>/repository/conf/identity/application-authentication.xml file.

    <TenantDomainDropDownEnabled>false</TenantDomainDropDownEnabled>
  4. If the MutualSSLAuthenticator is only used for the purpose of listing tenant domains in the drop down, disable it in the <IS_HOME>/repository/conf/security/authenticators.xml file.

    <Authenticator name="MutualSSLAuthenticator" disabled="true">
  5. Restart the server.
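Both procedures on this page hinge on three settings staying in agreement: tenantListEnabled in EndpointConfig.properties, TenantDomainDropDownEnabled in application-authentication.xml, and the MutualSSLAuthenticator (plus the SAML2SSOAuthenticator priority) in authenticators.xml. The following script is an added example, not part of WSO2 Identity Server; it reads constructed fragments of those files and reports where the enable and disable steps have been applied only partially.

```python
"""Consistency check for the tenant-list settings described above (added example, not WSO2 code)."""
import xml.etree.ElementTree as ET

# Constructed fragments standing in for the real configuration files.
APP_AUTH_XML = ("<ApplicationAuthentication>"
                "<TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>"
                "</ApplicationAuthentication>")
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="MutualSSLAuthenticator" disabled="false"><Priority>5</Priority></Authenticator>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false"><Priority>0</Priority></Authenticator>
</Authenticators>"""
ENDPOINT_PROPS = """tenantListEnabled=true
mutual.ssl.username=admin
#identity.server.serviceURL=https://localhost:9443/services/
"""

def parse_properties(text):
    """Parse a Java .properties file; comments and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def authenticator_state(authenticators_xml, name):
    """Return (enabled, priority) for the named <Authenticator>, or (False, None) if absent."""
    for auth in ET.fromstring(authenticators_xml).iter("Authenticator"):
        if auth.get("name") == name:
            prio = auth.findtext("Priority")
            return auth.get("disabled", "true").lower() == "false", (int(prio) if prio else None)
    return False, None

def check_tenant_list_config(endpoint_props, app_auth_xml, authenticators_xml):
    """Return findings where the settings disagree; an empty list means they are consistent."""
    findings = []
    props = parse_properties(endpoint_props)
    tenant_list = props.get("tenantListEnabled", "false").lower() == "true"
    dropdown = ET.fromstring(app_auth_xml).findtext(".//TenantDomainDropDownEnabled", "false").strip().lower() == "true"
    mssl_enabled, _ = authenticator_state(authenticators_xml, "MutualSSLAuthenticator")
    saml_enabled, saml_prio = authenticator_state(authenticators_xml, "SAML2SSOAuthenticator")
    if tenant_list != dropdown:
        findings.append("tenantListEnabled and TenantDomainDropDownEnabled disagree")
    if tenant_list and not mssl_enabled:
        findings.append("tenant list enabled but MutualSSLAuthenticator is disabled")
    if tenant_list and saml_enabled and saml_prio != 0:
        findings.append("SAML2SSOAuthenticator enabled with priority other than 0")
    if tenant_list and not props.get("mutual.ssl.username"):
        findings.append("mutual.ssl.username is not set")
    return findings
```

Point the three arguments at the real file contents from <IS_HOME> (or the external webapp's copy of EndpointConfig.properties) to run it against an installation.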

...