This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.
Customizing the Authentication Endpoint
These customizations require WSO2 Identity Server 5.0.0 with the Service Pack installed. The authentication endpoint is the authentication URL used in authentication requests. The following sections describe how to customize this endpoint for various scenarios.
Controlling the request parameters going to the authentication endpoint
Additional request parameters can be added and customized for the request sent to the authentication endpoint. To customize this, uncomment the following configuration in the <IS_HOME>/repository/conf/security/application-authentication.xml file, under the ApplicationAuthentication element (which is the root element).

    <!--AuthenticationEndpointQueryParams action="exclude"-->
        <!--AuthenticationEndpointQueryParam name="username"/-->
        <!--AuthenticationEndpointQueryParam name="password"/-->
    <!--/AuthenticationEndpointQueryParams-->
Note: In the above configuration, username and password are given only as examples. You can configure any query parameter here and customize it according to your specifications.
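The following is an added example (not WSO2 code) showing what such a policy does to the query string forwarded to the login page; it assumes that action="exclude" drops the listed parameters, that any other action value forwards only the listed ones, and that "exclude" is the default when the attribute is missing.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

# Constructed copy of the configuration above with the comment markers removed.
APP_AUTH_XML = """<ApplicationAuthentication>
  <AuthenticationEndpointQueryParams action="exclude">
    <AuthenticationEndpointQueryParam name="username"/>
    <AuthenticationEndpointQueryParam name="password"/>
  </AuthenticationEndpointQueryParams>
</ApplicationAuthentication>"""

def load_query_param_policy(xml_text):
    """Return (action, names) from the config, or None when the element is absent
    (e.g. still commented out), in which case nothing is filtered."""
    node = ET.fromstring(xml_text).find("AuthenticationEndpointQueryParams")
    if node is None:
        return None
    names = {p.get("name") for p in node.findall("AuthenticationEndpointQueryParam") if p.get("name")}
    return node.get("action", "exclude").lower(), names  # default action is an assumption

def filter_query_string(query, policy):
    """Apply the policy to the raw query string forwarded to the login page.
    Assumed semantics: "exclude" drops the listed names, any other action
    forwards only the listed names. Parameter order is preserved."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if policy is None:
        return urlencode(pairs)
    action, names = policy
    if action == "exclude":
        kept = [(k, v) for k, v in pairs if k not in names]
    else:
        kept = [(k, v) for k, v in pairs if k in names]
    return urlencode(kept)

if __name__ == "__main__":
    policy = load_query_param_policy(APP_AUTH_XML)
    # Constructed request: the credentials must not be copied into the redirect URL,
    # where they would end up in browser history, proxy and access logs.
    incoming = "sessionDataKey=abc123&type=samlsso&username=alice&password=s3cret"
    print(filter_query_string(incoming, policy))  # sessionDataKey=abc123&type=samlsso
```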
Loading tenants into the dropdown in the login page of the authentication endpoint web application
This section applies to deployments with multiple tenants, where users log in to web applications with the credentials of their own tenant. The following configuration loads all available active tenants into a dropdown list on the login page of the web application that the authentication endpoint points to.
- Edit the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and set the clientAuth attribute in the Connector tag to "want" as shown below. This is done to disable the certificate authentication on certain occasions (like when working on mobile apps). This makes two-way SSL authentication optional.

    clientAuth="want"
- Copy the org.wso2.carbon.identity.authenticator.mutualssl-4.2.0.jar file in the <IS_SP_HOME>/resources/dropins folder to the <IS_HOME>/repository/components/dropins/ directory.
- Copy the following into the <IS_HOME>/repository/conf/security/authenticators.xml file under the Authenticators tag.

    <!-- Authenticator Configurations for MutualSSLAuthenticator-->
    <Authenticator name="MutualSSLAuthenticator" disabled="false">
        <Priority>5</Priority>
        <Config>
            <Parameter name="UsernameHeader">UserName</Parameter>
            <Parameter name="WhiteListEnabled">false</Parameter>
            <Parameter name="WhiteList"/>
        </Config>
    </Authenticator>
- If the SAML2SSOAuthenticator is enabled (disabled="false") in the <IS_HOME>/repository/conf/security/authenticators.xml file, set its priority to 0. Otherwise ignore this step.

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>0</Priority>
        ...
    </Authenticator>
- Add the following configuration into the <IS_HOME>/repository/conf/security/application-authentication.xml file under the ApplicationAuthentication tag.

    <TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
    <TenantDataListenerURLs>
        <TenantDataListenerURL>/authenticationendpoint/tenantlistrefresher.do</TenantDataListenerURL>
    </TenantDataListenerURLs>

  When configuring the TenantDataListenerURL tag, note the following.
  - In a clustered setup that has multiple authentication endpoint web applications hosted, list all of them under the TenantDataListenerURL tag.
  - For authentication endpoint web applications hosted outside the WSO2 Identity Server or in other nodes of a cluster, add the absolute URL within the TenantDataListenerURL tag.
- Restart the server using one of the following commands.

    Windows: wso2server.bat
    Linux/Unix: sh wso2server.sh
Once the server is restarted, the authenticationendpoint.war file is deployed. Set the required property values in the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/classes/TenantConfig.properties file. The following are the default values of the properties in this file.

    tenantListEnabled=false
    mutual.ssl.username=admin
    client.keyStore=./repository/resources/security/wso2carbon.jks
    client.keyStore.password=wso2carbon
    client.trustStore=./repository/resources/security/client-truststore.jks
    client.trustStore.password=wso2carbon
    identity.server.host=localhost
    identity.server.port=9443
    username.header=UserName
Do the following updates to this configuration.
- Set tenantListEnabled to true in order to enable the tenants to display as a list.
- For the mutual.ssl.username property, set the username that is to be used for mutual SSL authentication. This user needs to have permission to list tenants. You can add a new username here provided that you create a user with that username and grant the following permissions to the role of the user: Super Admin Permissions > Manage > Monitor > Tenants > List
- Set the Identity Server host and port in the identity.server.host and identity.server.port properties.
- Paths for the client keystore and truststore can be relative or absolute. The default paths point to the keystore and truststore of the Identity Server itself. A new keystore can be created and used for the client if necessary; however, you must then set the passwords for client.keyStore.password and client.trustStore.password appropriately.
- For mutual SSL authentication, the public certificate of the Identity Server has to be imported into the truststore of the client, and the public certificate of the client has to be imported into the client-truststore of the Identity Server.
Sample commands

The following two commands are examples if you are using the keystore and client-truststore of the Identity Server itself for the client. They are executed from the <IS_HOME>/repository/resources/security directory.

    keytool -export -alias wso2carbon -file carbon_public2.crt -keystore wso2carbon.jks -storepass wso2carbon
    keytool -import -trustcacerts -alias carbon -file carbon_public2.crt -keystore client-truststore.jks -storepass wso2carbon
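The procedure above touches three files that have to agree with each other; the following added example (not WSO2 code) cross-checks constructed copies of application-authentication.xml, authenticators.xml and TenantConfig.properties against the rules stated on this page, and also applies one added check of my own (remote listener URLs should be absolute https URLs), which is an assumption rather than a documented requirement.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs mirroring the snippets above; a second, remote
# listener node is included to show the absolute-URL case.
APP_AUTH = """<ApplicationAuthentication>
  <TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled>
  <TenantDataListenerURLs>
    <TenantDataListenerURL>/authenticationendpoint/tenantlistrefresher.do</TenantDataListenerURL>
    <TenantDataListenerURL>https://is-node2.example.test:9443/authenticationendpoint/tenantlistrefresher.do</TenantDataListenerURL>
  </TenantDataListenerURLs>
</ApplicationAuthentication>"""
AUTHENTICATORS = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false"><Priority>0</Priority></Authenticator>
  <Authenticator name="MutualSSLAuthenticator" disabled="false"><Priority>5</Priority></Authenticator>
</Authenticators>"""
TENANT_PROPS = "tenantListEnabled=true\nmutual.ssl.username=tenantlister\nidentity.server.host=localhost\nidentity.server.port=9443\n"

def parse_properties(text):
    """Minimal key=value reader for TenantConfig.properties ('#' starts a comment)."""
    pairs = [l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in pairs}

def check_tenant_dropdown_config(app_auth_xml, authenticators_xml, props_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    app = ET.fromstring(app_auth_xml)
    auths = {a.get("name"): a for a in ET.fromstring(authenticators_xml).findall("Authenticator")}
    props = parse_properties(props_text)
    dropdown = app.findtext("TenantDomainDropDownEnabled", "false").strip().lower() == "true"
    listed = props.get("tenantListEnabled", "false").lower() == "true"
    if dropdown != listed:
        problems.append("TenantDomainDropDownEnabled and tenantListEnabled disagree")
    if not dropdown:
        return problems  # dropdown off: nothing else on this page is required
    mssl = auths.get("MutualSSLAuthenticator")
    if mssl is None or mssl.get("disabled", "false").lower() == "true":
        problems.append("MutualSSLAuthenticator missing or disabled")
    saml = auths.get("SAML2SSOAuthenticator")
    if saml is not None and saml.get("disabled") == "false" and saml.findtext("Priority", "").strip() != "0":
        problems.append("SAML2SSOAuthenticator enabled but Priority is not 0")
    if not props.get("mutual.ssl.username"):
        problems.append("mutual.ssl.username is empty")
    urls = [u.text.strip() for u in app.iter("TenantDataListenerURL") if u.text]
    for url in urls:  # added check (assumption): remote listeners must be absolute https URLs
        if not url.startswith("/") and urlparse(url).scheme != "https":
            problems.append("listener URL is neither a local path nor https: " + url)
    return problems
```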
Removing the tenant list from the login page
If you need to remove the tenant domain dropdown list from the SSO login page, follow the steps below.
- Shut down the server if it is already started.
- Set the property tenantListEnabled=false in the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/classes/TenantConfig.properties file.
- Set the TenantDomainDropDownEnabled parameter to false in the <IS_HOME>/repository/conf/security/application-authentication.xml file.

    <TenantDomainDropDownEnabled>false</TenantDomainDropDownEnabled>
- If the MutualSSLAuthenticator is only used for the purpose of listing tenant domains in the dropdown, disable it in the <IS_HOME>/repository/conf/security/authenticators.xml file.

    <Authenticator name="MutualSSLAuthenticator" disabled="true">
- Restart the server.