This section provides the instructions to configure multi-factor authentication (MFA) using Email One Time Password (Email OTP) in WSO2 Identity Server (WSO2 IS). The Email OTP enables a one-time password (OTP) to be used at the second step of MFA.
Let's take a look at the tasks you need to follow to configure MFA using Email OTP:
Before you begin!
- To ensure you get the full understanding of configuring Email OTP with WSO2 IS, the sample Travelocity application is used in this use case. Therefore, make sure to download the samples before you begin.
- The samples run on the Apache Tomcat server and are written based on Servlet 3.0. Therefore, download Tomcat 7.x from here.
- Install Apache Maven to build the samples. For more information, see Installation Prerequisites.
Enabling email configuration on WSO2 IS
Follow the steps below to configure WSO2 IS to send emails once the Email OTP is enabled.
- Shut down the server if it is running.
Open the
<IS_HOME>/repository/conf/axis2/axis2.xml
file, uncomment thetransportSender name =
"mailto"
configurations, and update the following properties:
mail.smtp.from
Provide the email address of the SMTP account. mail.smtp.user
Provide the username of the SMTP account. mail.smtp.password
Provide the password of the SMTP account. <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.from">{SENDER'S_EMAIL_ID}</parameter> <parameter name="mail.smtp.user">{USERNAME}</parameter> <parameter name="mail.smtp.password">{PASSWORD}</parameter> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <parameter name="mail.smtp.port">587</parameter> <parameter name="mail.smtp.starttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter> </transportSender>
If you are using Gmail account you have to on "Allow less secure apps" in your account.
Comment out the
<module ref="addressing"/>
property to avoid syntax errors.<!-- <module ref="addressing"/> -->
Add the following email template to the
<IS_HOME>/repository/conf/email/email-admin-config.xml.
<configuration type="EmailOTP" display="idleAccountReminder" locale="en_US" emailContentType="text/html"> <targetEpr></targetEpr> <subject>WSO2 IS Email OTP</subject> <body> Hi, Please use this one time password {OTPCode} to sign in to your application. </body> <footer> Best Regards, WSO2 Identity Server Team http://www.wso2.com </footer> <redirectPath></redirectPath> </configuration>
Configure the following properties in the
<PRODUCT_HOME>/repository/conf/identity/identity-mgt.properties
file totrue
.Authentication.Policy.Enable=true Authentication.Policy.Check.OneTime.Password=true
Add the following configuration to the
application-authentication.xml
file in the<IS_HOME>/repository/conf/identity
directory.<AuthenticatorConfig name="EmailOTP" enabled="true"> <Parameter name="EMAILOTPAuthenticationEndpointURL">https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp</Parameter> <Parameter name="EmailOTPAuthenticationEndpointErrorPage">https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp</Parameter> <Parameter name="EmailAddressRequestPage">https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp</Parameter> <Parameter name="usecase">association</Parameter> <Parameter name="useEventHandlerBasedEmailSender">true</Parameter> <Parameter name="secondaryUserstore">primary</Parameter> <Parameter name="EMAILOTPMandatory">false</Parameter> <Parameter name="sendOTPToFederatedEmailAttribute">false</Parameter> <Parameter name="federatedEmailAttributeKey">email</Parameter> <Parameter name="EmailOTPEnableByUserClaim">true</Parameter> <Parameter name="useEventHandlerBasedEmailSender">true</Parameter> <Parameter name="CaptureAndUpdateEmailAddress">true</Parameter> <Parameter name="showEmailAddressInUI">true</Parameter> </AuthenticatorConfig>
- Start WSO2 IS.
Configure the Email OTP provider
You can send the One Time Password (OTP) using Gmail APIs or using SendGrid. Follow the steps given below to configure Gmail APIs as the mechanisam to send the OTP.
- Create a Google account at https://gmail.com.
- Got to https://console.developers.google.com and click ENABLE APIS AND SERVICES.
- Search for Gmail API and click on it.
Click Enable to enable the Gmail APIs.
Why is this needed?
If you do not enable the Gmail APIs, you run in to a 401 error when trying out step13.
- Click Credentials and click Create to create a new project.
Click Credentials and click the Create credentials drop-down.
Select OAuth client ID option.
- Click Configure consent screen.
- Enter the Product name that needs to be shown to users, enter values to any other fields you prefer to update, and click Save.
Select the Web application option.
Enterhttps://localhost:9443/commonauth
as the Authorize redirect URIs text-box, and click Create.
The
client ID
and theclient secret
are displayed.
Copy the client ID and secret and keep it in a safe place as you require it for the next step.
Copy the URL below and replace the
<ENTER_CLIENT_ID>
tag with the generatedClient ID
. This is required to generate the authorization code.Paste the updated URL into your browser.
Select the preferred Gmail account with which you wish to proceed.
- Click Allow.
Obtain the
authorization code
using a SAML tracer on your browser.
To generate the access token, copy the following cURL command and replace the following place holders:
<CLIENT-ID>
: Replace this with theclient ID
obtained in Step 10 above.<CLIENT_SECRET>
: Replace this with theclient secret
obtained in Step 10 above.<AUTHORIZATION_CODE>
: Replace this with the authorization code obtained in Step 12 above.
Paste the updated cURL command in your terminal to generate the OAuth2 access token, token validity period, and the refresh token.
Update the following configurations under the
<AuthenticatorConfigs>
section in the<IS_HOME>/repository/conf/identity/application-authentication.xml
file.- If you need to send the content in a payload, you can introduce a property in a format <API> Payload and define the value. Similarly, you can define the Form Data.FormdataforSendgridAPIisgivenasan example.
- You can use <API> URLParams, <API>AuthTokenType, <API>Failure and <API>TokenEndpoint property formats to specify the URL parameters, Authorization token type, Message to identify failure and Endpoint to get access token from refresh token respectively.
- Value of <API> URLParams should be like; api_user=<API_USER>&api_key=<API_KEY>&data=<DATA>&list<LIST>
Property Description GmailClientId
Enter the Client ID you got in step 10.
Example:501390351749-ftjrp3ld9da4ohd1rulogejscpln646s.apps.googleusercontent.com
GmailClientSecret
Enter the client secret you got in step 10.
Example:dj4st7_m3AclenZR1weFNo1V
SendgridAPIKey
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value. GmailRefreshToken
Enter the refresh token that you got as the response in step 12. Example: 1/YgNiepY107SyzJdgpynmf-eMYP4qYTPNG_L73MXfcbv
GmailEmailEndpoint
Enter your username of your Gmail account in place of the [userId]
place holder. Example:https://www.googleapis.com/gmail/v1/users/alex@gmail.com/messages/send
SendgridEmailEndpoint
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value. accessTokenRequiredAPIs
Use the default value.
apiKeyHeaderRequiredAPIs
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
SendgridFormData=to
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value. SendgridURLParams
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value. GmailAuthTokenType
Use the default value. GmailTokenEndpoint
Use the the deafult value. SendgridAuthTokenType
This property is only required if you are using the Sengrid method. Since you are using Gmail APIs, keep the default value.
Deploy the travelocity.com sample
Follow the steps below to deploy the travelocity.com sample application:
To obtain and configure the single sign-on travelocity sample, follow the steps below.
Add the following entry to the
/etc/hosts
file of your machine to configure the hostname.Why is this step needed?
Some browsers do not allow you to create cookies for a naked hostname, such as
localhost
. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure theetc/host
file as explained in this step.The
etc/host
file is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. To avoid this, edit the file using the terminal commands.
For example, use the following command if you are working on a Mac/Linux environment.sudo nano /etc/hosts
127.0.0.1 wso2is.local
Open the
travelocity.properties
file found in theis-samples/modules/samples/sso/sso-agent-sample/src/main/resources
directory of the samples folder you just checked out. Configure the following property with the hostname (wso2is.local
) that you configured above.#The URL of the SAML 2.0 Assertion Consumer SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
In your terminal, navigate to
is-samples/modules/samples/sso/sso-agent-sample
folder and build the sample using the following command. You must have Apache Maven installed to do thismvn clean install
After successfully building the sample, a
.war
file named travelocity.com can be found inside theis-samples/sso/sso-agent-sample/
target
directory. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x.
Use the following steps to deploy the web app in the web container:
- Stop the Apache Tomcat server if it is already running.
- Copy the
travelocity.com.war
file to the<TOMCAT_HOME>/webapps
directory. - Start the Apache Tomcat server.
Tip: If you wish to change properties like the issuer ID, consumer URL, and IdP URL, you can edit the travelocity.properties file found in the travelocity.com/WEB-INF/classes
directory. If the service provider is configured in a tenant you can use the QueryParams
property to send the tenant domain. For example, QueryParams=tenantDomain=wso2.com
.
This sample uses the following default values.
Properties | Description |
---|---|
SAML2.SPEntityId=travelocity.com | A unique identifier for this SAML 2.0 Service Provider application. |
| The URL of the SAML 2.0 Assertion Consumer. |
| The URL of the SAML 2.0 Identity Provider. |
If you edit the
travelocity.properties
file, you must restart the Apache Tomcat server for the changes to take effect.
Now the web application is successfully deployed on a web container.
Configure the Identity Provider
Follow the steps below to add an identity provider:
- Click Add under Main > Identity > Identity Providers.
- Provide a suitable name for the identity provider.
- Expand the EmailOTPAuthenticator Configuration under Federated Authenticators.
Select the Enable and Default check boxes.
Click Register.
You have now added the identity provider.
Configure the Service Provider
Follow the steps below add a service provider:
Return to the Management Console home screen.
Click Add under Add under Main > Identity > Service Providers .
Enter
travelocity.com
as the Service Provider Name.
Click Register.
Expand SAML2 Web SSO Configuration under Inbound Authentication Configuration.
Click Configure.
Now set the configuration as follows:
Issuer:
travelocity.com
Assertion Consumer URL:
http://localhost:8080/travelocity.com/home.jsp
Select the following check-boxes: Enable Response Signing, Enable Single Logout, Enable Attribute Profile, and Include Attributes in the Response Always.
Click Update to save the changes. Now you will be sent back to the Service Providers page.
Go to Claim Configuration and select the http://wso2.org/claims/emailaddress claim.
Go to Local and Outbound Authentication Configuration section.
Select the Advanced configuration radio button option.
Creating the first authentication step:
Click Add Authentication Step.
- Click Add Authenticator that is under Local Authenticators of Step 1 to add the basic authentication as the first step.
Adding basic authentication as a first step ensures that the first step of authentication will be done using the user's credentials that are configured with the WSO2 Identity Server
Creating the second authentication step:
Click Add Authentication Step.
Click Add Authenticator that is under Federated Authenticators of Step 2 to add the SMSOTP identity provider you created as the second step.
SMSOTP is a second step that adds another layer of authentication and security.
Click Update.
You have now added and configured the service provider.
For more information on service provider configuration, see Configuring Single Sign-On.
Update the email address of the user
Follow the steps given below to update the user's email address.
- Return to the WSO2 Identity Server Management Console home screen.
- Click List under Add under Main > Identity > Users and Roles.
- Click Users.
- Click User Profile under Admin.
- Update the email address.
- Click Update.
- Click Users.
Configure the user claims
Follow the steps below to map the user claims:
For more information about claims, see Adding Claim Mapping.
- Click Add under Main > Identity > Claims.
- Click Add Local Claim.
- Select the Dialect from the drop down provided and enter the required information.
Add the following:
- Claim URI:
http://wso2.org/claims/identity/emailotp_disabled
- Display Name:
DisableEmailOTP
- Description:
DisableEmailOTP
- Mapped Attribute (s):
title
Supported by Default: checked
- Claim URI:
Click Add.
To disable this claim for the admin user, navigate to Users and Roles > List and click Users. Click on the User Profile link corresponding to admin account and then click Disable EmailOTP. This will disable the second factor authentication for the admin user.
- Click Add Local Claim.
Test the sample
To test the sample, go to the following URL: http://localhost:8080/travelocity.com
Click the link to log in with SAML from WSO2 Identity Server.
The basic authentication page appears. Use your WSO2 Identity Server credentials.
You receive a token to your email account. Enter the code to authenticate. If the authentication is successful, you are taken to the home page of the travelocity.com app.
What's next?
- Want to see more federated authenticators? See, Configuring Federated Authentication
- Try out enabling multi factor authentication using the SMSOTP feature of WSO2 IS.