The authenticationendpoint contains the authentication URLs used in authentication flow. You can either host the authenticationendpoint webapp on the WSO2 Identity Server, or choose to host it on a separate server. You may want to host it separately for the purpose of having custom theming and branding. This section describes how you can host the authentication endpoint on a different server outside the WSO2 Identity Server (e.g., in a different Tomcat Server).
Table of Contents |
---|
Moving the authenticationendpoint from WSO2IS and hosting it on a separate web server
Note | ||
---|---|---|
| ||
First, get a copy of |
Copy the following .jar files from the
<IS_HOME>/repository/components/plugins/
directory to the<WebApp_HOME>/authenticationendpoint/WEB-INF/lib
directory.- abdera_1.0.0.wso2v3.jar
- ant_1.7.0.wso2v1.jar
- axiom_1.2.11.wso2v13.jar
- axis2_1.6.1.wso2v34.jar
- bcprov-jdk15on_1.60.0.wso2v1.jar
- commons-cli_1.2.0.wso2v1.jar
- commons-collections_3.2.2.wso2v1.jar
- commons-dbcp_1.4.0.wso2v1.jar
- commons-fileupload_1.3.3.wso2v1.jar
- commons-httpclient_3.1.0.wso2v6.jar
- commons-io_2.4.0.wso2v1.jar
- commons-lang_2.6.0.wso2v1.jar
- commons-pool_1.5.6.wso2v1.jar
- compass_2.0.1.wso2v2.jar
- encoder_1.2.0.wso2v1.jar
- com.google.gson_2.8.5.jar
- hazelcast_3.5.4.wso2v2.jar
- httpclient_4.3.6.wso2v2.jar
- httpcore_4.3.3.wso2v1.jar
- javax.cache.wso2_4.4.38.jar
- jdbc-pool_7.0.81.wso2v2.jar
- joda-time_2.9.4.wso2v1.jar
- json_3.0.0.wso2v1.jar
- neethi_2.0.4.wso2v5.jar
- opensaml_2.6.4.wso2v5.jar
- org.eclipse.equinox.http.helper_1.1.0.wso2v1.jar
- org.eclipse.osgi_3.9.1.v20130814-1242.jar
- org.eclipse.osgi.services_3.3.100.v20130513-1956.jar
- org.wso2.carbon.base_4.4.38.jar
- org.wso2.carbon.core_4.4.38.jar
- org.wso2.carbon.crypto.api_1.0.3.jar
- org.wso2.carbon.database.utils_2.0.9.jar
- org.wso2.carbon.identity.application.common_5.12.332.jar
- org.wso2.carbon.identity.base_5.12.332.jar
- org.wso2.carbon.identity.template.mgt_5.12.332.jar
- org.wso2.carbon.logging_4.4.38.jar
- org.wso2.carbon.queuing_4.4.38.jar
- org.wso2.carbon.registry.api_4.4.38.jar
- org.wso2.carbon.registry.core_4.4.38.jar
- org.wso2.carbon.securevault_4.4.38.jar
- org.wso2.carbon.user.api_4.4.38.jar
- org.wso2.carbon.user.core_4.4.38.jar
- org.wso2.carbon.utils_4.4.38.jar
- org.wso2.securevault_1.0.0.wso2v2.jar
- rampart-core_1.6.1.wso2v28.jar
- slf4j.api_1.7.21.jar
- tomcat-catalina-ha_7.0.93.wso2v1.jar
- tomcat-servlet-api_7.0.93.wso2v1.jar
- wsdl4j_1.6.2.wso2v4.jar
- XmlSchema_1.4.7.wso2v6.jar
- org.wso2.carbon.ui_4.4.38.jar
- org.wso2.carbon.identity.application.authentication.endpoint.util_5.12.332.jar
- org.wso2.carbon.identity.core_5.12.332.jar
- org.wso2.carbon.identity.user.registration.stub_5.12.332.jar
- jettison_1.3.4.wso2v1.jar
Copy the following .jar files from the <IS_HOME>/lib/runtimes/cxf3/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- javax.ws.rs-api-2.1.1.jar
- cxf-core-3.2.8.jar
- cxf-rt-frontend-jaxrs-3.2.8.jar
- cxf-rt-rs-client-3.2.8.jar
- cxf-rt-rs-extension-providers-3.2.8.jar
- cxf-rt-rs-extension-search-3.2.8.jar
- cxf-rt-rs-service-description-3.2.8.jar
- cxf-rt-transports-http-3.2.8.jar
Copy the following .jar files from the <IS_HOME>/bin/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- org.wso2.carbon.bootstrap-4.4.38.jar
- tomcat-juli-7.0.93.jar
- Copy the following .jar file from the <IS_HOME>/lib/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- xercesImpl-2.8.1.wso2v2.jar
- xercesImpl-2.8.1.wso2v2.jar
- Copy the following .jar files from the <IS_HOME>/lib/endorsed/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- geronimo-jta_1.1_spec-1.1.jar
- stax2-api-3.1.4.jar
- woodstox-core-asl-4.4.1.jar
Copy the following .jar files from the <IS_HOME>/repository/components/tools/forget-me/lib/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- log4j-1.2.17.jar
Uncomment following section in
<WebApp_HOME>/authenticationendpoint/WEB-INF/web.xml
and point to identity server URLs.Code Block language xml ... <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/accountrecoveryendpoint</param-value> </context-param> <context-param> <param-name>AccountRecoveryRESTEndpointURL</param-name> <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value> </context-param> ... <context-param> <param-name>IdentityServerEndpointContextURL</param-name> <param-value>https://localhost:9443</param-value> </context-param> ...
Change the following configuration in
<IS_HOME>/repository/conf/identity/application-authentication.xml
fileCode Block language xml <AuthenticationEndpointURL>/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
as follows:
Code Block language xml <AuthenticationEndpointURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
You will need to add AuthenticationEndpointMissingClaimsURL configuration, as it is not already available in this configuration file.
Change the following configuration in
<IS_HOME>/repository/conf/identity/identity.xml
file to point to the authentication endpoint hosted outside the wso2 server.Code Block language xml ... <OpenID> ... <OpenIDLoginUrl>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/openid_login.do</OpenIDLoginUrl> ... </OpenID> ... <OAuth> ... <OAuth2ConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> ... </OAuth> ... <SSOService> ... <DefaultLogoutEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> ... </SSOService> ... <PassiveSTS> ... <RetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</RetryUR> ... <PassiveSTS> ...
Import the public certificate of the identity server to the javaca certs (or web-serverstruststore) of the JVM that the authenticationendpoint is running.
Code Block language xml keytool -export -keystore $IS_HOME/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cer
Code Block language xml keytool -import -alias wso2carbon -keystore $WEB_APP_TRUSTSTORE -file wso2carbon.cer
Import the public certificate of the Web_server’s keystore to the Identity Server truststore.
Code Block language xml keytool -export -keystore $WEB_APP_KEYSTORE -alias wso2carbon -file webserver.cer
Code Block language xml keytool -import -alias <alias> -keystore $IS_HOME/repository/resources/security/client-trustore.jks -file webserver.cer
...
In
<WebApp_HOME>/accountrecoveryendpoint/WEB-INF/classes/RecoveryEndpointConfig.properties
file, uncomment and change it to identity server.Code Block language xml identity.server.service.contextURL=https://localhost:9443/services
Uncomment and change the user portal reference in
<WebApp_HOME>/accountrecoveryendpoint/WEB-INF/web.xml
Code Block language xml <context-param> <param-name>UserPortalUrl</param-name> <param-value>https://localhost:9443/dashboard/index.jag</param-value> </context-param>
Export the following paths.
Code Block language xml export WEB_APP_HOME=/Users/userfoo/apache-tomcat-7.0.81/webapps export IS_HOME=/Users/userfoo/wso2is-5.6.0 export WEB_APP_LIB=${WEB_APP_HOME}/accountrecoveryendpoint/WEB-INF/lib/
Note WEB_APP_HOME
andIS_HOME
paths are given as examples. You may have to change them according to your environment.Copy the following .jar files from the <IS_HOME>/repository/components/plugins/ directory to the <WebApp_HOME>/accountrecoveryendpoint/WEB-INF/lib directory.
commons-lang_2.6.0.wso2v1.jar
encoder_1.2.0.wso2v1.jar
com.google.gson_2.8.5.jar
httpclient_4.3.6.wso2v2.jar
httpcore_4.3.3.wso2v1.jar
json_3.0.0.wso2v1.jar
org.wso2.carbon.identity.mgt.stub_5.12.332.jar
org.wso2.carbon.identity.user.registration.stub_5.12.332.jar
org.wso2.carbon.base_4.4.38.jar
org.wso2.carbon.identity.base_5.12.332.jar
org.wso2.carbon.ui_4.4.38.jar
org.wso2.carbon.identity.application.authentication.endpoint.util_5.12.332.jar
org.wso2.carbon.identity.core_5.12.332.jar
org.wso2.carbon.utils_4.4.38.jar
org.wso2.carbon.user.core_4.4.38.jar
org.wso2.carbon.user.api_4.4.38.jar
org.wso2.carbon.logging_4.4.38.jar
axis2_1.6.1.wso2v34.jar
opensaml_2.6.4.wso2v5.jar
jettison_1.3.4.wso2v1.jar
neethi_2.0.4.wso2v5.jar
wsdl4j_1.6.2.wso2v4.jar
org.apache.commons.commons-codec_1.12.0.jar
commons-collections_3.2.2.wso2v1.jar
org.wso2.carbon.identity.mgt_5.12.332.jar
org.wso2.carbon.tomcat.ext_4.4.38.jar
Copy the following .jar files from the <IS_HOME>/lib/runtimes/cxf3/ directory to the <WebApp_HOME>/accountrecoveryendpoint/WEB-INF/lib directory.
javax.ws.rs-api-2.1.1.jar
cxf-core-3.2.8.jar
cxf-rt-frontend-jaxrs-3.2.8.jar
cxf-rt-rs-client-3.2.8.jar
cxf-rt-rs-extension-providers-3.2.8.jar
cxf-rt-rs-extension-search-3.2.8.jar
cxf-rt-rs-service-description-3.2.8.jar
cxf-rt-transports-http-3.2.8.jar
jackson-annotations-2.9.7.jar
jackson-core-2.9.7.jar
jackson-databind-2.9.7.jar
jackson-jaxrs-base-2.9.7.jar
jackson-jaxrs-json-provider-2.9.7.jar
jackson-module-jaxb-annotations-2.9.7.jar
Note Make sure the WebApp container server (of endpoint apps) is running with SSL enabled.
e.g., if tomcat enabled the https connector, add the following to
catalina.sh
.Code Block language xml JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=$WEB_SERVER_KEYSTORE -Djavax.net.ssl.keyStorePassword=$password" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$WEBSERVER_TRUSTORE -Djavax.net.ssl.trustStorePassword=$password"
...
Download and install WSO2 IS and apache-tomcat into your local machine. Let’s consider IS installation as
<IS_HOME>
and tomcat installation as<TOMCAT_HOME>
- Get the sample setup scripts from the following location:
https://github.com/ayshsandu/samples/tree/master/is_samples/is_5.68.0/hosting-endpoints
. Open
<TOMCAT_HOME>/conf/server.xml
file and enable the https connector on 8443 port.Code Block language xml <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="$IS_HOME/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" truststoreFile="$IS_HOME/repository/resources/security/client-truststore.jks" truststorePass="wso2carbon"/>
Note For this sample, we configured the same keystore and truststore in WSO2IS as the keystore and truststore in tomcat. In an actual environment, you may create a new keystore and truststore for tomcat and point to it. When using separate keystores and truststores, you need to import tomcat keystore’s public cert in to:
<
IS_HOME>/repository/resources/security/client-truststore.jks
and, public cert of<
IS_HOME>/repository/resources/security/wso2carbon.jks
into tomcat’s truststore.Open
<TOMCAT_HOME>/bin/catalina.sh
and add following JAVA_OPTS.Code Block language xml JAVA_OPTS="$JAVA_OPTS --Djavax.net.ssl.keyStore=$IS_HOME/repository/resources/security/wso2carbon.jks -Djavax.net.ssl.keyStorePassword=wso2carbon" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$IS_HOME/repository/resources/security/client-truststore.jks -Djavax.net.ssl.trustStorePassword=wso2carbon"
- Run
setup-authentication.sh
obtained from step 2 and follow the instructions. - Once the script is complete, then the authentication endpoint is set up in the given
<TOMCAT_HOME>/webapps
location. Uncomment following section in
<TOMCAT_HOME>/webapps/authenticationendpoint/WEB-INF/web.xml
file and point to identity server URLs.Code Block language xml …... <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://localhost:9443/accountrecoveryendpoint</param-value> </context-param> <context-param> <param-name>AccountRecoveryRESTEndpointURL</param-name> <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value> </context-param> ….. <context-param> <param-name>IdentityServerEndpointContextURL</param-name> <param-value>https://localhost:9443</param-value> </context-param> …...
Change the following configuration in
<IS_HOME>/repository/conf/identity/application-authentication.xml
file.Code Block language xml <AuthenticationEndpointURL>https://localhost:8443/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://localhost:8443/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>https://localhost:8443/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
Change the following configuration in
<IS_HOME>/repository/conf/identity/identity.xml
file to point to the authentication endpoint hosted outside the wso2 server.Code Block language xml .. <OpenID> ... <OpenIDLoginUrl>https://localhost:8443/authenticationendpoint/openid_login.do</OpenIDLoginUrl> … </OpenID> … <OAuth> …. <OAuth2ConsentPage>https://localhost:8443/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>https://localhost:8443/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>https://localhost:8443/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>https://localhost:8443/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>https://localhost:8443/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> …. </OAuth> ... <SSOService> ... <DefaultLogoutEndpoint>https://localhost:8443/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>https://localhost:8443/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> … </SSOService> …. <PassiveSTS> ... <RetryURL>https://localhost:8443/authenticationendpoint/retry.do</RetryUR> ... <PassiveSTS> ….
Start both Identity Server and tomcat and access
https://localhost:9443/dashboard
. Now you can see that the authentication is redirected to:https://localhost:8443/authenticationendpoint/login.do
Now let’s take out account recovery endpoint into the external Tomcat server as well.
- Run
setup-accountrecovery.sh
obtained from step 2 and follow the instructions. Change the following section in
<TOMCAT_HOME>/webapps/authenticationendpoint/WEB-INF/web.xml
file and point toIdentityManagementEndpointContextURL
into tomcat URL.Code Block language xml … <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://localhost:8443/accountrecoveryendpoint</param-value> </context-param> …
In
<TOMCAT_HOME>/accountrecoveryendpoint/WEB-INF/classes/RecoveryEndpointConfig.properties
file, uncomment and change it to identity server.Code Block language xml identity.server.service.contextURL=https://localhost:9443/services/
Uncomment and change the user portal reference in
<TOMCAT_HOME>/account
recovery
endpoint/WEB-INF/web.xml
Code Block language xml … <context-param> <param-name>UserPortalUrl</param-name> <param-value>https://localhost:9443/dashboard/index.jag</param-value> </context-param> ...