This topic provides instructions on how to configure the Mobile Connect as a federated authenticator with WSO2 Identity Server. This scenario is illustrated using a sample application.
Before you begin
Look through the following prior to configuring the Mobile Connect authenticator.
- For a high-level overview of Mobile Connect and its use cases with WSO2 Identity Server, see Mobile Connect Authenticator.
Download the WSO2 Identity Server from the WSO2 Identity Server product page and extract the .zip file. That folder is referred to as
<IS_HOME>
in this topic.- Ensure that you have Apache Maven installed if you want to build this authenticator from the source.
- You can also follow the webinar conducted on this topic.
The following are the various sections available in this topic.
Let's get started.
Deploying the Mobile Connect authenticator
There are two ways to deploy the Mobile Connect authenticator.
Configuring Mobile Connect
To make this scenario works, you need to create a developer account in Mobile Connect and use it to integrate with the WSO2 Identity Server.
- Navigate to https://developer.mobileconnect.io/#overlay=user/register, enter your name and email and click Register to register your Mobile Connect developer account. You will receive an email that includes a link that enables you to access your account.
- When you click the link, you are directed to a Mobile Connect page that requests a mobile number. Enter a relevant mobile number here. You will receive a confirmation from your mobile service provider. Now that this is configured, you can log in using your mobile phone.
- Once you log in, click My Apps from the left menu and click Add Application.
- Fill in the required information to create an application and click Create.
Fill in the following details.Name: Travelocity (any name you prefer)
URL: localhost:8080/travelocity.com/index.jsp (any URL that describes your application)
Description: Any description that provides information about the application
Redirect URI: https://localhost:9443/commonauth
Click My Operators and click Accept Terms and Conditions for all operators.
- Go to My Account and click My Test Numbers. Add the test numbers and sandbox operators and click Update.
Deploying the sample application
Checkout the travelocity code and build the app as mentioned here or download travelocity.com.war file from here.
Use the following steps to deploy the web app in the web container:
- Stop the Apache Tomcat server if it is already running.
- Copy the travelocity.com.war file to the apache-tomcat/webapps folder.
- Start the Apache Tomcat server.
Configuring the Identity Server
The configurations to be done in the WSO2 Identity Server involve configuring different functionality. These are listed as follows.
Configuring Mobile Connect authenticator parameters
This configuration empowers the Identity Server to enable certain parameters specific to Mobice Connect in the UI.
- Go to
<IS_HOME>/repository/conf/identity
directory and open theapplication-authentication.xml
file. Insert the following code snippet inside the
<AuthenticatorConfigs>
tag.<AuthenticatorConfig name=”MobileConnectAuthenticator” enabled=”true”> <Parameter name=”MCAuthenticationEndpointURL”>mobileconnectauthenticationendpoint/mobileconnect.jsp</Parameter> <Parameter name=”MCDiscoveryAPIURL”>https://discover.mobileconnect.io/gsma/v2/discovery/</Parameter> </AuthenticatorConfig>
Configuring the identity provider
In this scenario, the identity provider is Mobile Connect, as you are authenticating the user using the mobile. To make this work, you must add Mobile Connect as an identity provider using the configuration available in the Identity Server.
- Log in to the Management Console as an administrator. In the Identity Providers section under the Main tab of the management console, click Add.
- Under the Basic Information section of the form, fill in the following details.
Identity Provider Name: Mobile Connect (or any suitable name)
Display Name: Mobile Connect (or any suitable name)
Alias: https://localhost:9443/oauth2/token
Click and expand the Federated Authenticators section of the form and click and expand the Mobile Connect Configurations section. This section is available to you after configuring the Mobile Connect authenticator parameters.
In this section, configure the following.Field Configuration Description Enable Selected Ensure that this checkbox is selected to enable the authenticator. Mobile Connect Authentication Type on-net There are two possible configuration values here. In off-net authentication, during the federated authentication process, the Identity Server provides a UI requesting users to provide their mobile number and carries out the authentication process. In on-net authentication, the Mobile Connect servers identify the internet connection being used and identifies the MNO automatically. If it fails to identify this, Mobile Connect provide one of their UIs and obtain the necessary details. Mobile Connect Key xxxxxxxxxxxx Enter the key value provided by Mobile Connect when you create the application. Mobile Connect Secret xxxxxxxxxxxx Enter the secret value provided by Mobile Connect when you create the application. Mobile Connect Scope openid You can add multiple values with a space in between (e.g., openid profile). Mobile Connect ACR Values 2 The Level of Assurance required by the client for the use case can be used here. Default value is 2. The values accespted here are 2 and 3. According to the OpenID Connect specification, acr_values is an optional parameter. However, in the Mobile Connect specification it is a mandatory parameter. The acr_values parameter in the Mobile Connect request is an indication of what authentication methods to be used by the identity provider. The authentication methods to be used are linked to the level-of-assurance (LOA) values passed in the acr_values parameter. The level-of-assurance, as defined by the by ISO/IEC 29115 standard, describes the degree of confidence in the processes leading up to and including an authentication. It provides assurance that the entity claiming a particular identity, is the entity to which that identity was assigned. During a Mobile Connect authentication request, the service provider specifies the degree of confidence that is required in the returned (asserted) identity, via the acr_values parameter. Click Register to add the identity provider.
Configuring the service provider
The service provider is represented by a sample application called travelocity. This section involves adding a representation of this service provider to the Identity Server.
- Log in to the WSO2 Identity Server management console as an administrator. In the Service Providers section under the Main tab of the management console, click Add.
- Add the Service Provider Name and click Register. In this instance, you can use travelocity as the name as it is the name of the sample application.