Hosting Authentication Endpoint on a Different Server

The authenticationendpoint contains the authentication URLs used in authentication flow. You can either host the authenticationendpoint webapp on the WSO2 Identity Server, or choose to host it on a separate server. You may want to host it separately for the purpose of having custom theming and branding. This section describes how you can host the authentication endpoint on a different server outside the WSO2 Identity Server (e.g., in a different Tomcat Server).

1 Moving the authenticationendpoint from WSO2IS and hosting it on a separate web server
2 Moving the accountrecoveryendpoint from WSO2IS and hosting it on a separate web server
3 Running the sample

Moving the authenticationendpoint from WSO2IS and hosting it on a separate web server

Before you begin:

First, get a copy of <IS_HOME>/repository/deployment/server/webapps/authenticationendpoin.war to <WebApp_HOME>/ and unzip it. Make sure to get the authenticationendpoin.war after the WUM update and NOT the extracted authenticationendpoint in <IS_HOME>/repository/deployment/server/webapps/

Copy the following .jar files from the <IS_HOME>/repository/components/plugins/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- abdera_1.0.0.wso2v3.jar
- ant_1.7.0.wso2v1.jar
- axiom_1.2.11.wso2v13.jar
- axis2_1.6.1.wso2v34.jar
- bcprov-jdk15on_1.60.0.wso2v1.jar
- commons-cli_1.2.0.wso2v1.jar
- commons-collections_3.2.2.wso2v1.jar
- commons-dbcp_1.4.0.wso2v1.jar
- commons-fileupload_1.3.3.wso2v1.jar
- commons-httpclient_3.1.0.wso2v6.jar
- commons-io_2.4.0.wso2v1.jar
- commons-lang_2.6.0.wso2v1.jar
- commons-pool_1.5.6.wso2v1.jar
- compass_2.0.1.wso2v2.jar
- encoder_1.2.0.wso2v1.jar
- com.google.gson_2.8.5.jar
- hazelcast_3.5.4.wso2v2.jar
- httpclient_4.3.6.wso2v2.jar
- httpcore_4.3.3.wso2v1.jar
- javax.cache.wso2_4.4.38.jar
- jdbc-pool_7.0.81.wso2v2.jar
- joda-time_2.9.4.wso2v1.jar
- json_3.0.0.wso2v1.jar
- neethi_2.0.4.wso2v5.jar
- opensaml_2.6.4.wso2v5.jar
- org.eclipse.equinox.http.helper_1.1.0.wso2v1.jar
- org.eclipse.osgi_3.9.1.v20130814-1242.jar
- org.eclipse.osgi.services_3.3.100.v20130513-1956.jar
- org.wso2.carbon.base_4.4.38.jar
- org.wso2.carbon.core_4.4.38.jar
- org.wso2.carbon.crypto.api_1.0.3.jar
- org.wso2.carbon.database.utils_2.0.9.jar
- org.wso2.carbon.identity.application.common_5.12.332.jar
- org.wso2.carbon.identity.base_5.12.332.jar
- org.wso2.carbon.identity.template.mgt_5.12.332.jar
- org.wso2.carbon.logging_4.4.38.jar
- org.wso2.carbon.queuing_4.4.38.jar
- org.wso2.carbon.registry.api_4.4.38.jar
- org.wso2.carbon.registry.core_4.4.38.jar
- org.wso2.carbon.securevault_4.4.38.jar
- org.wso2.carbon.user.api_4.4.38.jar
- org.wso2.carbon.user.core_4.4.38.jar
- org.wso2.carbon.utils_4.4.38.jar
- org.wso2.securevault_1.0.0.wso2v2.jar
- rampart-core_1.6.1.wso2v28.jar
- slf4j.api_1.7.21.jar
- tomcat-catalina-ha_7.0.93.wso2v1.jar
- tomcat-servlet-api_7.0.93.wso2v1.jar
- wsdl4j_1.6.2.wso2v4.jar
- XmlSchema_1.4.7.wso2v6.jar
- org.wso2.carbon.ui_4.4.38.jar
- org.wso2.carbon.identity.application.authentication.endpoint.util_5.12.332.jar
- org.wso2.carbon.identity.core_5.12.332.jar
- org.wso2.carbon.identity.user.registration.stub_5.12.332.jar
- jettison_1.3.4.wso2v1.jar
Copy the following .jar files from the <IS_HOME>/lib/runtimes/cxf3/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- javax.ws.rs-api-2.1.1.jar
- cxf-core-3.2.8.jar
- cxf-rt-frontend-jaxrs-3.2.8.jar
- cxf-rt-rs-client-3.2.8.jar
- cxf-rt-rs-extension-providers-3.2.8.jar
- cxf-rt-rs-extension-search-3.2.8.jar
- cxf-rt-rs-service-description-3.2.8.jar
- cxf-rt-transports-http-3.2.8.jar
Copy the following .jar files from the <IS_HOME>/bin/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- org.wso2.carbon.bootstrap-4.4.38.jar
- tomcat-juli-7.0.93.jar
Copy the following .jar file from the <IS_HOME>/lib/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- xercesImpl-2.8.1.wso2v2.jar
Copy the following .jar files from the <IS_HOME>/lib/endorsed/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- geronimo-jta_1.1_spec-1.1.jar
- stax2-api-3.1.4.jar
- woodstox-core-asl-4.4.1.jar
Copy the following .jar files from the <IS_HOME>/repository/components/tools/forget-me/lib/ directory to the <WebApp_HOME>/authenticationendpoint/WEB-INF/lib directory.
- log4j-1.2.17.jar
Uncomment following section in <WebApp_HOME>/authenticationendpoint/WEB-INF/web.xml and point to identity server URLs.
... <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/accountrecoveryendpoint</param-value> </context-param> <context-param> <param-name>AccountRecoveryRESTEndpointURL</param-name> <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value> </context-param> ... <context-param> <param-name>IdentityServerEndpointContextURL</param-name> <param-value>https://localhost:9443</param-value> </context-param> ...
Change the following configuration in <IS_HOME>/repository/conf/identity/application-authentication.xml file
<AuthenticationEndpointURL>/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
as follows:
<AuthenticationEndpointURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
You will need to add AuthenticationEndpointMissingClaimsURL configuration, as it is not already available in this configuration file.
Change the following configuration in <IS_HOME>/repository/conf/identity/identity.xml file to point to the authentication endpoint hosted outside the wso2 server.
... <OpenID> ... <OpenIDLoginUrl>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/openid_login.do</OpenIDLoginUrl> ... </OpenID> ... <OAuth> ... <OAuth2ConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> ... </OAuth> ... <SSOService> ... <DefaultLogoutEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> ... </SSOService> ... <PassiveSTS> ... <RetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</RetryUR> ... <PassiveSTS> ...
Import the public certificate of the identity server to the javaca certs (or web-serverstruststore) of the JVM that the authenticationendpoint is running.
keytool -export -keystore $IS_HOME/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cer
keytool -import -alias wso2carbon -keystore $WEB_APP_TRUSTSTORE -file wso2carbon.cer
Import the public certificate of the Web_server’s keystore to the Identity Server truststore.

keytool -export -keystore $WEB_APP_KEYSTORE -alias wso2carbon -file webserver.cer
keytool -import -alias <alias> -keystore $IS_HOME/repository/resources/security/client-trustore.jks -file webserver.cer