This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.
Configuring Role-Based Adaptive Authentication
This tutorial demonstrates how you can set up role-based adaptive authentication with WSO2 Identity Server (WSO2 IS).
To understand how to set up role-based adaptive authentication with WSO2 IS, let's consider a scenario where you want a user who has an administrator role to perform an additional level of authentication while any other user can just provide their credentials (basic authentication) to access a resource.
Here, you will use a sample application named to deploy and set up sample authenticators required to try out the scenario.
Before you begin
- Set up the service provider and sample application for adaptive authentication if you have not done so already. For instructions on how to do this, see Configuring a Service Provider for Adaptive Authentication.
- For more information about adaptive authentication with WSO2 Identity Server, see Adaptive Authentication.
The following topics walk you through the steps you need to follow:
Configuring the sample scenario
- Log in to the management console and create a new user named 'Alex'. Do not assign any roles.
- Navigate to Service Providers>List and click Edit on the saml2-web-app-dispatch.com service provider.
- Expand the Local and Outbound Configuration section and click Advanced Authentication.
- Expand Script Based Conditional Authentication.
- Click Templates on the right side of the Script Based Conditional Authentication field and then click Role-Based.
Click Ok. The authentication script and authentication steps are configured. The authentication script defines a conditional step that executes the second authentication step (i.e., hardware key authenticator) only if the user belongs to an 'admin' or 'manager' role.
- The authentication steps added are
totpandfido. However, these are authentication steps that you would normally use in production. To try out sample authenticators with the sample application, delete the two authenticators and add the following sample authenticators instead.- Click Delete to remove the
totpandfidoauthenticators from Step 2 (the second authentication step).
- Select Demo Hardware Key Authenticator and click Add.
- Click Delete to remove the
- Click Update.
Testing the sample scenario
- Access the following sample PickUp application URL: http://localhost.com:8080/saml2-web-app-dispatch.com
- Click Login and enter admin/admin credentials. You are prompted to use the hardware key after basic authentication according to the authentication step defined in the JavaScript above.
- Enter the 4 digit key given on the screen and click Sign In.
- Next, log out of the application and log in again as 'Alex'. Note that this user is not assigned to any role. You will see that authentication is successful only after going through the basic authentication step.
What's Next?
The following scenarios demonstrate the use of adaptive authentication templates and scripts to try out other usecases.