The authentication endpoint is the web application (authenticationendpoint.war) that serves the login page and is the URL targeted by authentication requests. The following sections describe how to customize this endpoint for various scenarios.
...
Open the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and ensure that the clientAuth attribute of the HTTPS Connector tag is set to "want", as shown below. With "want", Tomcat requests a client certificate during the TLS handshake but still accepts clients that do not present one (for example, mobile apps), so two-way SSL authentication stays optional instead of being mandatory for every connection.

```xml
clientAuth="want"
```
Info: The .jar file that provides mutual SSL authentication, org.wso2.carbon.identity.authenticator.mutualssl_X.X.X.jar, is shipped with the Identity Server by default from IS 5.1.0 onwards and can be found in the <IS_HOME>/repository/components/plugins directory.

Open the <IS_HOME>/repository/conf/security/authenticators.xml file and set the disabled="false" attribute on the <Authenticator> tag of the MutualSSLAuthenticator to enable it.

```xml
<!-- Authenticator Configurations for MutualSSLAuthenticator-->
<Authenticator name="MutualSSLAuthenticator" disabled="false">
    <Priority>5</Priority>
    <Config>
        <Parameter name="UsernameHeader">UserName</Parameter>
        <Parameter name="WhiteListEnabled">false</Parameter>
        <Parameter name="WhiteList"/>
    </Config>
</Authenticator>
```

The UsernameHeader parameter names the HTTP header that carries the user name on whose behalf a mutual SSL caller is acting; its value must match the username.header property in EndpointConfig.properties (both default to UserName). A caller that presents a certificate trusted by the server's client-truststore is authenticated as the user named in that header, so the client keystore used for this setup must be protected like an administrative credential. The WhiteListEnabled and WhiteList parameters let you restrict which mutual SSL callers are accepted; with the default WhiteListEnabled=false no such restriction applies.
If the SAML2SSOAuthenticator is enabled (disabled="false") in the <IS_HOME>/repository/conf/security/authenticators.xml file, set its priority to 0. Otherwise, skip this step.

```xml
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>0</Priority>
    ...
</Authenticator>
```
Add the following configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file, under the ApplicationAuthentication tag.

```xml
<TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
<TenantDataListenerURLs>
    <TenantDataListenerURL>
        /authenticationendpoint/tenantlistrefresher.do
    </TenantDataListenerURL>
</TenantDataListenerURLs>
```

Note: When configuring the TenantDataListenerURL tag, note the following.
- In a clustered setup that hosts multiple authentication endpoint web applications, list all of them, one TenantDataListenerURL tag each.
- For authentication endpoint web applications hosted outside the WSO2 Identity Server, or on other nodes of a cluster, use the absolute URL in the TenantDataListenerURL tag.
Restart the server using one of the following commands.
Windows:
wso2server.bat
Linux/Unix:
sh wso2server.sh
Once the server is restarted, the authenticationendpoint.war file is deployed. Next, set the required values in the <IS_HOME>/repository/conf/identity/EndpointConfig.properties file. The default values of the properties in this file are:

```properties
tenantListEnabled=false
hostname.verification.enabled=true
mutual.ssl.username=admin
client.keyStore=./repository/resources/security/wso2carbon.jks
Carbon.Security.KeyStore.Password=wso2carbon
client.trustStore=./repository/resources/security/client-truststore.jks
Carbon.Security.TrustStore.Password=wso2carbon
#identity.server.serviceURL=https://localhost:9443/services/
username.header=UserName
```

Make the following updates to this configuration.

- Set tenantListEnabled to true so that the tenants are displayed as a list.
- For the mutual.ssl.username property, set the username to be used for mutual SSL authentication. This user must have permission to list tenants. You can use a new username here provided that you create a user with that name and grant the user's role the following permission: Super Admin Permissions > Manage > Monitor > Tenants > List. That single permission is all the tenant list needs, so a dedicated user holding only it is a better choice than the default admin.
- Paths for the client keystore and truststore can be relative or absolute. The defaults point to the keystore and truststore of the Identity Server itself, which means the endpoint authenticates with the server's own private key. A new keystore can be created and used for the client if necessary; in that case you must also set the matching password properties (named client.keyStore.password and client.trustStore.password in this section, but shown as Carbon.Security.KeyStore.Password and Carbon.Security.TrustStore.Password in the default file above; use whichever names your EndpointConfig.properties actually contains). Keep hostname.verification.enabled=true unless you have a specific reason not to, so that the client verifies that the server certificate matches the host it connects to.
Note: If you are hosting the authenticationendpoint.war webapp outside the Identity Server (i.e. in a different Tomcat or WSO2 Application Server), you cannot use the <IS_HOME>/repository/conf/identity/EndpointConfig.properties file because the webapp has no access to it. Instead, the same property file is found at <WebApp_HOME>/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties. In this scenario, do the following:

- Open the <WebApp_HOME>/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties file and set the identity.server.serviceURL property to the full URL of the WSO2 Identity Server's admin services endpoint, in the format below. Use https: the tenant list is fetched over this URL with the mutual SSL credentials configured above.

```properties
identity.server.serviceURL=https://<ip>:<port>/services
```
- Copy the org.wso2.carbon.identity.application.authentication.endpoint.util-5.0.7.jar file into the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib folder.

  Info:
  - If you have applied the WSO2-CARBON-PATCH-4.4.0-0073 security patch, copy the .jar file found in the <CARBON_PATCH_HOME>/patch0073 folder.
  - If you have not applied the WSO2-CARBON-PATCH, copy the .jar file found in the <IS_HOME>/repository/components/plugins folder.
For mutual SSL authentication, the public certificate of the Identity Server has to be imported into the truststore of the client, and the public certificate of the client has to be imported into the client-truststore of the Identity Server.

Sample commands: The following two commands are examples for the case where the client uses the keystore and client-truststore of the Identity Server itself, so the server's own certificate is the one exported and imported. Execute them from the <IS_HOME>/repository/resources/security directory.

```sh
keytool -export -alias wso2carbon -file carbon_public2.crt -keystore wso2carbon.jks -storepass wso2carbon
keytool -import -trustcacerts -alias carbon -file carbon_public2.crt -keystore client-truststore.jks -storepass wso2carbon
```

If you created a dedicated client keystore instead, run the export against that keystore and alias, import the resulting certificate into client-truststore.jks, and import the Identity Server's certificate into the client's truststore. Confirm each import by listing the truststore's aliases with keytool -list before restarting.
Note: If you are not using mutual SSL authentication, you can stop the MutualSSLManager from loading the keystores by disabling the mutualSSLManagerEnabled property in the EndpointConfig.properties file in <IS_HOME>/repository/conf/identity. When this property is disabled, the MutualSSLManager does not initialize the keystores. The property is enabled by default.

```properties
mutualSSLManagerEnabled=true
```
Removing the tenant list from the login page
...
- Shut down the server if it is already started.
- Set the property tenantListEnabled=false in the EndpointConfig.properties file.

  Info: If you are hosting the authenticationendpoint.war webapp within WSO2 Identity Server, set this property in the <IS_HOME>/repository/conf/identity/EndpointConfig.properties file. If you are hosting it outside the WSO2 Identity Server (i.e., external Tomcat or WSO2 Application Server), set it in the webapp's own copy of the file, <WebApp_HOME>/authenticationendpoint/WEB-INF/classes/EndpointConfig.properties, since an externally hosted webapp cannot read the copy under <IS_HOME>.
- Set the TenantDomainDropDownEnabled parameter to false in the <IS_HOME>/repository/conf/identity/application-authentication.xml file.

```xml
<TenantDomainDropDownEnabled>false</TenantDomainDropDownEnabled>
```

- If the MutualSSLAuthenticator is used only for listing tenant domains in the drop-down, disable it in the <IS_HOME>/repository/conf/security/authenticators.xml file.

```xml
<Authenticator name="MutualSSLAuthenticator" disabled="true">
```

- Restart the server.
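The settings for the tenant list are spread over four files (catalina-server.xml, authenticators.xml, application-authentication.xml and EndpointConfig.properties) and have to agree with each other, both when enabling the list as described in the first procedure and when removing it as described just above. The following Python script is an added example, not part of the WSO2 documentation or product: it parses the four files, checks them against the steps on this page (expect_enabled=True for the enabling procedure, False for the removal procedure) and flags the weak settings discussed above (default keystore passwords, admin as the mutual SSL user, WhiteListEnabled=false, hostname verification off, a non-https serviceURL). It assumes the element and property names shown in this page's snippets, that the HTTPS Connector is the one with SSLEnabled="true", and that an <Authenticator> without a disabled attribute is enabled; the sample inputs at the bottom are constructed to mirror the page's snippets, not real server files.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip any XML namespace from an element tag

def parse_properties(text):
    """Minimal Java .properties reader (key=value or key:value, '#'/'!' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2).strip()
    return props

def authenticator(xml_text, name):
    """Enabled flag, priority and <Parameter>s of the named <Authenticator>, or None."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Authenticator" and el.get("name") == name:
            prio = next((c.text for c in el if _local(c.tag) == "Priority"), None)
            # Assumption: an <Authenticator> without a disabled attribute counts as enabled.
            return {"enabled": el.get("disabled", "false").strip().lower() == "false",
                    "priority": int(prio) if prio and prio.strip() else None,
                    "params": {p.get("name"): (p.text or "").strip()
                               for p in el.iter() if _local(p.tag) == "Parameter"}}
    return None

def https_client_auth(catalina_xml):
    """clientAuth of the Connector with SSLEnabled="true" (assumed to be the 9443 one)."""
    for el in ET.fromstring(catalina_xml).iter():
        if _local(el.tag) == "Connector" and el.get("SSLEnabled", "").lower() == "true":
            return el.get("clientAuth")
    return None

def check_tenant_list_config(catalina_xml, authenticators_xml, app_auth_xml,
                             endpoint_props, expect_enabled=True):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the files agree."""
    f, props = [], parse_properties(endpoint_props)
    app = list(ET.fromstring(app_auth_xml).iter())
    dropdown = next((e.text or "" for e in app if _local(e.tag) == "TenantDomainDropDownEnabled"), "")
    urls = [e.text for e in app if _local(e.tag) == "TenantDataListenerURL" and (e.text or "").strip()]
    mssl = authenticator(authenticators_xml, "MutualSSLAuthenticator")
    saml = authenticator(authenticators_xml, "SAML2SSOAuthenticator")
    want = "true" if expect_enabled else "false"
    if props.get("tenantListEnabled", "false").lower() != want:
        f.append(f"ERROR: tenantListEnabled must be {want} in EndpointConfig.properties")
    if dropdown.strip().lower() != want:
        f.append(f"ERROR: TenantDomainDropDownEnabled must be {want} in application-authentication.xml")
    if not expect_enabled:  # removal procedure: only warn if the authenticator lingers
        if mssl and mssl["enabled"]:
            f.append("WARN: MutualSSLAuthenticator is still enabled; disable it if it served only the tenant list")
        return f
    if not urls:
        f.append("ERROR: no TenantDataListenerURL configured, the tenant list will never be refreshed")
    if not (mssl and mssl["enabled"]):
        f.append("ERROR: MutualSSLAuthenticator is disabled in authenticators.xml")
    else:
        header = mssl["params"].get("UsernameHeader", "")
        if header != props.get("username.header", ""):
            f.append(f"ERROR: username.header={props.get('username.header')!r} != UsernameHeader={header!r}")
        if mssl["params"].get("WhiteListEnabled", "false").lower() != "true":
            f.append("WARN: WhiteListEnabled=false, every certificate trusted by client-truststore.jks is accepted")
    if saml and saml["enabled"] and saml["priority"] != 0:
        f.append(f"ERROR: SAML2SSOAuthenticator is enabled with priority {saml['priority']}, expected 0")
    ca = https_client_auth(catalina_xml)
    if ca not in ("want", "true"):
        f.append(f'ERROR: HTTPS Connector clientAuth={ca!r}, expected "want"')
    if props.get("hostname.verification.enabled", "true").lower() != "true":
        f.append("WARN: hostname.verification.enabled=false, the client skips server host name checks")
    f += [f"WARN: {k} still holds the default keystore password"
          for k, v in props.items() if k.lower().endswith("password") and v == "wso2carbon"]
    if props.get("mutual.ssl.username") == "admin":
        f.append("WARN: mutual.ssl.username=admin; a user holding only Monitor > Tenants > List is enough")
    url = props.get("identity.server.serviceURL", "https://")
    if not url.startswith("https://"):
        f.append(f"ERROR: identity.server.serviceURL must use https, got {url}")
    return f

# Constructed sample inputs mirroring the snippets in this page (not real IS files).
SAMPLE_CATALINA = '<Server><Service><Connector port="9443" SSLEnabled="true" clientAuth="want"/></Service></Server>'
SAMPLE_AUTHENTICATORS = """<Authenticators>
<Authenticator name="SAML2SSOAuthenticator" disabled="false"><Priority>0</Priority></Authenticator>
<Authenticator name="MutualSSLAuthenticator" disabled="false"><Priority>5</Priority><Config>
<Parameter name="UsernameHeader">UserName</Parameter><Parameter name="WhiteListEnabled">false</Parameter>
<Parameter name="WhiteList"/></Config></Authenticator></Authenticators>"""
SAMPLE_APP_AUTH = """<ApplicationAuthentication><TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
<TenantDataListenerURLs><TenantDataListenerURL>/authenticationendpoint/tenantlistrefresher.do</TenantDataListenerURL></TenantDataListenerURLs></ApplicationAuthentication>"""
SAMPLE_PROPS = """tenantListEnabled=true
hostname.verification.enabled=true
mutual.ssl.username=admin
client.keyStore=./repository/resources/security/wso2carbon.jks
Carbon.Security.KeyStore.Password=wso2carbon
client.trustStore=./repository/resources/security/client-truststore.jks
Carbon.Security.TrustStore.Password=wso2carbon
username.header=UserName
"""
if __name__ == "__main__":
    print("\n".join(check_tenant_list_config(SAMPLE_CATALINA, SAMPLE_AUTHENTICATORS, SAMPLE_APP_AUTH, SAMPLE_PROPS)))
```

Run against the constructed samples, the script reports no errors and four warnings (the whitelist, the two default keystore passwords and the admin user), which is exactly the state the defaults on this page leave a fresh setup in. To check a real installation, read the four files from <IS_HOME> (or <WebApp_HOME> for an externally hosted endpoint) and pass their contents in place of the samples; any ERROR line corresponds to a step above that was skipped or left inconsistent.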
...