Page Comparison

...

1. Shut down the server if it is running.

2. Open the  <IS_HOME>/repository/conf/axis2/axis2.xml file, uncomment the  transportSender name = "mailto" configurations, and update the following properties:
   

   mail.smtp.from	Provide the email address of the SMTP account.
   mail.smtp.user	Provide the username of the SMTP account.
   mail.smtp.password	Provide the password of the SMTP account.

   Code Block

   <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.from">{SENDER'S_EMAIL_ID}</parameter> <parameter name="mail.smtp.user">{USERNAME}</parameter> <parameter name="mail.smtp.password">{PASSWORD}</parameter> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <parameter name="mail.smtp.port">587</parameter> <parameter name="mail.smtp.starttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter> </transportSender>

3. Comment out the <module ref="addressing"/> property to avoid syntax errors.

   Code Block
   <!-- <module ref="addressing"/> -->

4. Add the following email template to the <IS_HOME>/repository/conf/email/email-admin-config.xml.

   Code Block
   language xml
   <configuration type="EmailOTP" display="idleAccountReminder" locale="en_US" emailContentType="text/html"> <targetEpr></targetEpr> <subject>WSO2 IS Email OTP</subject> <body> Hi, Please use this one time password {OTPCode} to sign in to your application. </body> <footer> Best Regards, WSO2 Identity Server Team http://www.wso2.com </footer> <redirectPath></redirectPath> </configuration>

5. Configure the following properties in the <PRODUCT_HOME>/repository/conf/identity/identity-mgt.properties file to true.

   Code Block
   language xml
   Authentication.Policy.Enable=true Authentication.Policy.Check.OneTime.Password=true

6. Add the following configuration to the application-authentication.xml file in the <IS_HOME>/repository/conf/identity directory. 

   Code Block

   <AuthenticatorConfig name="EmailOTP" enabled="true"> <Parameter name="EMAILOTPAuthenticationEndpointURL">https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp</Parameter> <Parameter name="EmailOTPAuthenticationEndpointErrorPage">https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp</Parameter> <Parameter name="EmailAddressRequestPage">https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp</Parameter> <Parameter name="usecase">association</Parameter> <Parameter name="useEventHandlerBasedEmailSender">true</Parameter> <Parameter name="secondaryUserstore">primary</Parameter> <Parameter name="EMAILOTPMandatory">false</Parameter> <Parameter name="sendOTPToFederatedEmailAttribute">false</Parameter> <Parameter name="federatedEmailAttributeKey">email</Parameter> <Parameter name="EmailOTPEnableByUserClaim">true</Parameter> <Parameter name="useEventHandlerBasedEmailSender">true</Parameter> <Parameter name="CaptureAndUpdateEmailAddress">true</Parameter> <Parameter name="showEmailAddressInUI">true</Parameter> </AuthenticatorConfig>

   Expand
   title To view the parameter definitions, click here
   Parameter Description Sample Values usecase This parameter defines how the email ID will be retrieved. The default value is local. Expand title Click here to view the value definitions Value Definition local This is the default value and is based on the federated username. You must set the federated username in the local userstore . The federated username must be the same as the local username. association The federated username must be associated with the local account in advance in the end user dashboard. The local username is retrieved from the association. To associate the user, log into the  end user dashboard  and go to  Associated Account  by clicking  View details . subjectUri When configuring the federated authenticator, select the attribute in the subject identifier under the service provider section in UI, this is used as the username of the  EmailOTP authenticator. userAttribute The name of the  federatedauthenticator'suserattribute. That is the local username that is contained in a federated user's attribute. When using this, add the following parameter under the <AuthenticatorConfig name="EmailOTP" enabled="true">  section in the <IS_HOME>/repository/conf/identity/application-authentication.xml file and put the value, e.g., email and screen_name, id. Code Block language xml <Parameter name="userAttribute">email</Parameter> If you use OpenID Connect supported authenticators such as LinkedIn and Foursquare or in the case of multiple social login options as the first step and EmailOTP assecondstep, you need to add similar configuration for the specific authenticator in the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfigs> section. Examples: Fourquare Code Block language xml <AuthenticatorConfig name="Foursquare" enabled="true"> <Parameter name="EmailOTP-userAttribute">http://wso2.org/foursquare/claims/email</Parameter> <Parameter name="federatedEmailAttributeKey">http://wso2.org/foursquare/claims/email</Parameter> </AuthenticatorConfig> LinkedIn Code Block language xml <AuthenticatorConfig name="LinkedIn" enabled="true"> <Parameter name="EmailOTP-userAttribute">http://wso2.org/linkedin/claims/emailAddress</Parameter> <Parameter name="federatedEmailAttributeKey">http://wso2.org/linkedin/claims/emailAddress</Parameter> </AuthenticatorConfig> Facebook Code Block language xml <AuthenticatorConfig name="FacebookAuthenticator" enabled="true"> <Parameter name="EmailOTP-userAttribute">email</Parameter> <Parameter name="federatedEmailAttributeKey">email</Parameter> </AuthenticatorConfig> Likewise, you can add the Authenticator Config for Amazon, Google, Twitter, and Instagram with the relevant values. local association userAttribute subjectUri secondaryUserstore You can define multiple user stores per tenant as comma separated values. Example: Code Block <Parameter name="secondaryUserstore">jdbc, abc, xyz</Parameter> Info The user store configurations are maintained per tenant: If you use a super tenant, set all the parameter values into the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the AuthenticatorConfigs section. If you use a tenant, Upload the same XML file (application-authentication.xml) into a specific registry location (/_system/governance/EmailOTP). Create the collection named EmailOTP, add the resource and upload the application-authentication. xml file into the registry. While doing the authentication,thesysetmfirstcheckswhetherthereisanXML file uploaded to the registry. If that is so, it reads it from the registry but does not take the local file. If there is no file in the registry, then it only takes the property values from the local file. You can use the registry or local file to get the property values. EMAILOTPMandatory Thisparmeterdefineswhtherthe EmailOTP is enforced as the second step of the 2FA/MFA or not. If the user is not found in the active directory where the parameter is set to true, the OTP is directly sent to the email address defined in the claims set. If the user is not found in the active directory where the parameter is set to false , the authentication flow terminates at the first step of the 2FA/MFA. true false sendOTPToFederatedEmailAttribute When the EMAILOTPMandatory and this parameter are set to true and the user is not found in the active directory, the OTPissetn to the mail defined in the federated authenticator claim. When the EMAILOTPMandatory is set to false, an error page gets displayed. When the EMAILOTPMandatory is set to false and the user is not found in the active directory, the authentication mechanism terminates at the first step of the 2FA/MFA. This parameter is not required in such a scenario. true false federatedEmailAttributeKey This parameter identifies the email attribute of the federated authenticator, e.g. Foursquare. Set this parameter if the sendOTPToFederatedEmailAttribute is set to true. Example: http://wso2.org/foursquare/claims/email EmailOTPEnableByUserClaim This parameter enables the user to overidethefunctionalitydefinedattheEMAILOTPMandatory parameter. If this parameter and the EMAILOTPMandatory parameters are set to true, the user can either enable or disable the EmailOTP functionality. If this parameter is set to false where the EMAILOTPMandatory parameter is set to true, the user gets redirected to an error page. If this parameter and the EMAILOTPMandatory parameters are set to false, the authentication flow terminates at the first step of the 2FA/MFA. If the user is not available in the active directory true false CaptureAndUpdateEmailAddress This parameter enables the user to update the email address that is used to send the OTP, at the first login where the email address is not previously set. true false EmailAddressRequestPage This parameter enables to display a page that requests for an email address where The user has not registered an email address. Sending OTP is defined as the second step of 2FA/MFA. The CaptureAndUpdateEmailAddress parameter is set to true. Example: https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp showEmailAddressInUI This parameter enables to display the email address to which the OTP is sent to on the UI. true false

7. Start WSO2 IS.

Anchor
Configuring the EmailOTP provider Configuring the EmailOTP provider

Configure the Email OTP provider

...