Customizing the Authentication Endpoint

The authentication endpoint is the authentication URL used in authentication requests. The following sections discuss methods of customizing this endpoint for various scenarios.

The authentication endpoint URL is the location in your web application that contains authentication related pages.

Follow the steps below to customize the authentication endpoint URL:

1. Edit the <IS_HOME>/repository/conf/identity/application-authentication.xml file, and change the value of the following parameter depending on the URL that the web application should run.

   <AuthenticationEndpointURL>/sso/login</AuthenticationEndpointURL>

   For example, If you specify the value as /sso/login, the web application runs on https://<host_name>:port_number>/sso/login.

2. Run the web application on the new authentication endpoint URL.

Additional request parameters can be added and customized for the request sent to the authentication endpoint. To customize this, uncomment the following configurations in the <IS_HOME>/repository/conf/identity/application-authentication.xml file, under the ApplicationAuthentication element (which is the root element).

This section is useful in scenarios where there are multiple tenants used, where users can login to web applications with their credentials for their specified tenants. For instance, for a user in the test.com tenant with the username test1, the user would have to enter the full username as test1@test.com in order to login. Enabling this feature will load all the available active tenants onto a dropdown list on the login page of the web application that the authentication endpoint points to. This means that the test1 user mentioned above can simply select the tenant he/she belongs to (test.com) from the dropdown list and only needs to enter the username (i.e., test1) in the username textbox on the login page, without having to type it with "@tenant-domain".  

Do the following configurations to enable this feature.  

1. Open the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and ensure that the clientAuth attribute in the Connector tag is set to “want” as shown below. This is done to disable the certificate authentication on certain occasions (like when working on mobile apps). This makes two-way SSL authentication optional.

   clientAuth="want"

   
   
   

2. Open the <IS_HOME>/repository/conf/security/authenticators.xml file and add the disabled="false" attribute within the <Authenticator> tag for the MutualSSLAuthenticator to enable the Mutual SSL Authenticator. 

   <!-- Authenticator Configurations for MutualSSLAuthenticator--> <Authenticator name="MutualSSLAuthenticator" disabled="false"> <Priority>5</Priority> <Config> <Parameter name="UsernameHeader">UserName</Parameter> <Parameter name="WhiteListEnabled">false</Parameter> <Parameter name="WhiteList"/> </Config> </Authenticator>

3. If the SAML2SSOAuthenticator is enabled (disabled="false") in the <IS_HOME>/repository/conf/security/authenticators.xml file, set its priority to 0. Otherwise ignore this step.

   <Authenticator name="SAML2SSOAuthenticator" disabled="false"> <Priority>0</Priority> ... </Authenticator>

4. Add the following configuration into the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the ApplicationAuthentication tag.

   <TenantDomainDropDownEnabled>true</TenantDomainDropDownEnabled> <TenantDataListenerURLs> <TenantDataListenerURL> /authenticationendpoint/tenantlistrefresher.do </TenantDataListenerURL> </TenantDataListenerURLs>

   
   
   

5. Restart the server using one of the following commands.

   • Windows: wso2server.bat

   • Linux/Unix: sh wso2server.sh

6. Once the server is restarted, the authenticationendpoint.war file is deployed. The <IS_HOME>/repository/conf/identity/EndpointConfig.properties file has to be changed with the required values for properties. The following are the default values for the properties to be used in this file.

   tenantListEnabled=false hostname.verification.enabled=true mutual.ssl.username=admin client.keyStore=./repository/resources/security/wso2carbon.jks Carbon.Security.KeyStore.Password=wso2carbon client.trustStore=./repository/resources/security/client-truststore.jks Carbon.Security.TrustStore.Password=wso2carbon #identity.server.serviceURL=https://localhost:9443/services/ username.header=UserName

   Do the following updates to this configuration.

   1. Set tenantListEnabled to true in order to enable the tenants to display as a list.

   2. For the mutual.ssl.username property, set the username that is to be used for mutual SSL authentication. This user needs to have permission to list down tenants. You can add a new username here provided that you create a user with that username and grant the following permissions to the role of the user.

   3. Paths for client keystore and truststore can be relative paths or absolute paths. The default paths point to the keystore and truststore of the Identity Server itself. A new keystore can be created and used for the client if necessary, however, you must set the passwords for client.keyStore.password and client.trustStore.password appropriately.

7. For mutual SSL authentication, the public certificate of the Identity Server has to be imported to the truststore of the client and the public certificate of the client has to be imported to the client-truststore of Identity Server.

If it is required to remove the tenant domain dropdown list in SSO Login page, follow the steps below.

1. Shutdown the server if it is already started.

2. Set the property tenantListEnabled=false in the EndpointConfig.properties file.

3. Set TenantDomainDropDownEnabled parameter to false in the <IS_HOME>/repository/conf/identity/application-authentication.xml file.

   <TenantDomainDropDownEnabled>false</TenantDomainDropDownEnabled>

4. If the MutualSSLAuthenticator is only used for the purpose of listing tenant domains in the drop down, disable it in the <IS_HOME>/repository/conf/security/authenticators.xml file.

   <Authenticator name="MutualSSLAuthenticator" disabled="true">

5. Restart the server.

This section describes how to enhance the usability of authentication endpoint webapp with different user behavioral patterns. One such behavioral pattern is that the user may click the back button from authenticated application or keep the endpoint login page URL bookmarked. In such situations, the user should be directed to the appropriate page.

Let's see how this can be achieved.

First, you need to add a registry resource that will contain the redirect URLs of different service providers. To do that, follow the below steps:  

1. Start the Identity Server and log in to the Admin Console.

2. Click on Main Menu, under Registry, click Browse to see the registry browser.
   

3. Browse the registry and go to /_system/config/identity/config.
   
   

   Open

   

    
   Once you navigate to /_system/config/identity/config, follow the steps below to add a registry resource.

4. Click Add Resource.
   

5. Fill the form with following information.

   • Method : Select Create text content from the dropdown. 

   • Name : Enter relyingPartyRedirectUrls as Name.

   Open

   

6. Click in Add button. The created registry resource can be seen once you click on Add button. 
   
   

   Open

   

7. Click on the added resource (relyingPartyRedirectUrls). You can see the Properties section.
   
   

   Open

   

8. Click the “+” sign at the right hand corner of Properties section. This allows you to add a property to the resource. 

9. Click Add New Property.
   
   

   Open

   

10. Enter the relying party name for name and the redirect URL for value. 
    

    
    
    

11. Once you fill name and the value, click the Add button. 

12. Now try out the back button and book marking scenarios.