The authenticationendpoint webapp contains the authentication URLs used in the authentication flow. You can either host the authenticationendpoint webapp on the WSO2 Identity Server or host it on a separate server. You may want to host it separately in order to apply custom theming and branding. This section describes how to host the authentication endpoint on a different server outside the WSO2 Identity Server (e.g., on a separate Tomcat server).
Moving the authenticationendpoint from WSO2IS and hosting it on a separate web server
First, get a copy of |
Copy the following .jar files from the <IS_HOME>/repository/components/plugins/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.

- org.wso2.carbon.base_4.4.35.jar
- org.wso2.carbon.identity.base_5.12.153.jar
- org.wso2.carbon.ui_4.4.35.jar
- org.wso2.carbon.identity.application.authentication.endpoint.util_5.12.153.jar
- org.wso2.carbon.identity.core_5.12.153.jar
- httpcore_4.3.3.wso2v1.jar
- org.wso2.carbon.identity.user.registration.stub_5.12.153.jar
- axis2_1.6.1.wso2v28.jar
- org.wso2.carbon.user.api_4.4.35.jar
- opensaml_2.6.4.wso2v3.jar
- org.wso2.carbon.utils_4.4.35.jar
- jettison_1.3.4.wso2v1.jar
- org.wso2.carbon.user.core_4.4.35.jar
- org.wso2.carbon.logging_4.4.35.jar
- com.google.gson_2.7.0.jar
- commons-collections_3.2.2.wso2v1.jar
Copy the following .jar files from the <IS_HOME>/lib/runtimes/cxf/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.

- javax.ws.rs-api-2.0-m10.jar
- cxf-bundle-2.7.16.wso2v1.jar
- neethi-3.0.3.jar
- wsdl4j-1.6.3.jar
Uncomment the following section in the <WebApp_HOME>/authenticationendpoint/WEB-INF/web.xml file and point to the WSO2 Identity Server URLs.

```xml
...
<context-param>
    <param-name>IdentityManagementEndpointContextURL</param-name>
    <param-value>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/accountrecoveryendpoint</param-value>
</context-param>
<context-param>
    <param-name>AccountRecoveryRESTEndpointURL</param-name>
    <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v1.0/</param-value>
</context-param>
...
<context-param>
    <param-name>IdentityServerEndpointContextURL</param-name>
    <param-value>https://localhost:9443</param-value>
</context-param>
...
```
Add the following servlet to the <WebApp_HOME>/authenticationendpoint/WEB-INF/web.xml file.

```xml
<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
        <param-name>fork</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xpoweredBy</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>compilerSourceVM</param-name>
        <param-value>1.8</param-value>
    </init-param>
    <init-param>
        <param-name>compilerTargetVM</param-name>
        <param-value>1.8</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
```
Change the following configuration in the <IS_HOME>/repository/conf/identity/application-authentication.xml file

```xml
<AuthenticationEndpointURL>/authenticationendpoint/login.do</AuthenticationEndpointURL>
<AuthenticationEndpointRetryURL>/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
<AuthenticationEndpointMissingClaimsURL>/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
```

as follows:

```xml
<AuthenticationEndpointURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/login.do</AuthenticationEndpointURL>
<AuthenticationEndpointRetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
<AuthenticationEndpointMissingClaimsURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
```
You will need to add AuthenticationEndpointMissingClaimsURL configuration, as it is not already available in this configuration file.
Change the following configuration in the <IS_HOME>/repository/conf/identity/identity.xml file to point to the authentication endpoint hosted outside the WSO2 server.

```xml
...
<OpenID>
    ...
    <OpenIDLoginUrl>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/openid_login.do</OpenIDLoginUrl>
    ...
</OpenID>
...
<OAuth>
    ...
    <OAuth2ConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage>
    <OAuth2ErrorPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage>
    <OIDCConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_consent.do</OIDCConsentPage>
    <OIDCLogoutConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage>
    <OIDCLogoutPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage>
    ...
</OAuth>
...
<SSOService>
    ...
    <DefaultLogoutEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint>
    <NotificationEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_notification.do</NotificationEndpoint>
    ...
</SSOService>
...
<PassiveSTS>
    ...
    <RetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</RetryURL>
    ...
</PassiveSTS>
...
```
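After editing application-authentication.xml and identity.xml, it is worth confirming that every login, consent, logout and retry URL is an absolute https URL on the external web server, since a value left relative or with an unsubstituted placeholder sends users to the wrong page. The following check is an added example, not part of the WSO2 distribution; the function names, the sample XML and the host login.example.com are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element names from the two configuration steps above.
ENDPOINT_TAGS = {
    "AuthenticationEndpointURL", "AuthenticationEndpointRetryURL",
    "AuthenticationEndpointMissingClaimsURL", "OpenIDLoginUrl",
    "OAuth2ConsentPage", "OAuth2ErrorPage", "OIDCConsentPage",
    "OIDCLogoutConsentPage", "OIDCLogoutPage", "DefaultLogoutEndpoint",
    "NotificationEndpoint", "RetryURL",
}

def classify(value, host, port):
    """Return a problem description for one URL, or None if it is fine."""
    url = urlsplit(value)
    if url.scheme != "https":
        return "not an absolute https URL"
    try:
        actual_port = url.port or 443
    except ValueError:  # e.g. $WEB_SERVER_PORT never substituted
        return "port is not numeric"
    if url.hostname != host.lower() or actual_port != port:
        return "different host or port"
    if not url.path.startswith("/authenticationendpoint/"):
        return "unexpected path"
    return None

def check_endpoints(xml_text, host, port):
    """List (tag, problem) for every endpoint element that fails classify()."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if name in ENDPOINT_TAGS:
            problem = classify((elem.text or "").strip(), host, port)
            if problem:
                findings.append((name, problem))
    return findings

# Constructed sample (not a real identity.xml); the host name is a placeholder.
SAMPLE = """<Server>
  <AuthenticationEndpointURL>/authenticationendpoint/login.do</AuthenticationEndpointURL>
  <OAuth2ConsentPage>https://login.example.com:8443/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage>
  <OAuth2ErrorPage>http://login.example.com:8443/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage>
  <OIDCLogoutPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage>
  <RetryURL>https://other.example.com:8443/authenticationendpoint/retry.do</RetryURL>
</Server>"""

if __name__ == "__main__":
    for tag, problem in check_endpoints(SAMPLE, "login.example.com", 8443):
        print(f"{tag}: {problem}")
```

To check a real deployment, pass the contents of each edited file to check_endpoints() together with the web server's host name and port.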
Import the public certificate of the Identity Server into the Java cacerts (or the web server's truststore) of the JVM in which the authenticationendpoint is running.

```bash
keytool -export -keystore $IS_HOME/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cer
```

```bash
keytool -import -alias wso2carbon -keystore $WEB_APP_TRUSTSTORE -file wso2carbon.cer
```
Import the public certificate from the web server's keystore into the Identity Server truststore.

```bash
keytool -export -keystore $WEB_APP_KEYSTORE -alias wso2carbon -file webserver.cer
```

```bash
keytool -import -alias <alias> -keystore $IS_HOME/repository/resources/security/client-truststore.jks -file webserver.cer
```
...