This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring SMS OTP
The SMS provider is the entity that is used to send the SMS. WSO2 IS supports most of the SMS APIs. Some use the GET method with the client secret and API Key encoded in the URL, while some may use the POST method when sending the values in the headers, and the message and telephone number in the payload (e.g., Clickatell). Note that this could change significantly between different SMS providers. The configuration of the connector in the identity provider would also change based on this.
This topic provides instructions on how to configure the SMS One Time Password (SMS OTP) connector and the WSO2 Identity Server (IS) using a sample application. This is configured so that SMS OTP is a second authentication factor for the sample application. See the following sections for more information.
Before you begin!
- To ensure you get the full understanding of configuring SMS OTP with WSO2 IS, the sample travelocity application is used in this use case. Therefore, make sure to download the samples before you begin.
- The samples run on the Apache Tomcat server and are written based on Servlet 3.0. Therefore, download Tomcat 7.x from here.
- Install Apache Maven to build the samples. For more information, see Installation Prerequisites.
Deploying travelocity.com sample
Deploy the sample travelocity app in order to use it in this scenario.
To obtain and configure the single sign-on travelocity sample, follow the steps below. Add the following entry to the Why is this step needed? Some browsers do not allow creating cookies for a naked hostname, such as The Open the In your terminal, navigate to After successfully building the sample, a Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x. Use the following steps to deploy the web app in the web container: If you wish to change properties like the issuer ID, consumer URL, and IdP URL, you can edit the travelocity.properties file found in the This sample uses the following default values. If you edit the Now the web application is successfully deployed on a web container. /etc/hosts
file of your machine to configure the hostname.localhost
. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the etc/host
file as explained in this step.etc/host
file is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. To avoid this, edit the file using the terminal commands.
For example, use the following command if you are working on a Mac/Linux environment.sudo nano /etc/hosts
127.0.0.1 wso2is.local
travelocity.properties
file found in the is-samples/modules/samples/sso/sso-agent-sample/src/main/resources
directory of the samples folder you just checked out. Configure the following property with the hostname (wso2is.local
) that you configured above. #The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
is-samples/modules/samples/sso/sso-agent-sample
folder and build the sample using the following command. You must have Apache Maven installed to do thismvn clean install
.war
file named travelocity.com can be found inside the is-samples/sso/sso-agent-sample/
target
directory. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.travelocity.com.war
file to the <TOMCAT_HOME>/webapps
directory.travelocity.com/WEB-INF/classes
directory. If the service provider is configured in a tenant you can use the QueryParams
property to send the tenant domain. For example, QueryParams=tenantDomain=wso2.com
.Properties Description SAML2.SPEntityId=travelocity.com
A unique identifier for this SAML 2.0 Service Provider application. SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
The URL of the SAML 2.0 Assertion Consumer. SAML2.IdPURL=https://localhost:9443/samlsso
The URL of the SAML 2.0 Identity Provider.
travelocity.properties
file, you must restart the Apache Tomcat server for the changes to take effect.
Once this is done, the next step is to configure the WSO2 Identity Server by adding an identity provider and a service provider.
Configuring the identity provider
Now you have to configure WSO2 Identity Server by adding a new identity provider.
- Start WSO2 Identity Server (IS).
- Download the certificate of the SMS provider by going to the SMS providers website on your browser, and clicking the HTTPS trust icon on the address bar.
For example, navigate to https://www.nexmo.com, and click the padlock next to the URL on Chrome. Navigate to the
<IS_HOME>/repository/resources/security
directory via the terminal and import the downloaded certificate into the WSO2 IS client keystore.  Âkeytool -importcert -file <CERTIFICATE_FILE_PATH> -keystore client-truststore.jks -alias "Nexmo"
You are prompted to enter the keystore password. The default
client-truststore.jks
password iswso2carbon
.Log into the management console as an administrator.
In the Identity section under the Main tab of the management console, click Add under Identity Providers.
Give a suitable name (e.g., SMSOTP) as the Identity Provider Name.
Go to the SMS OTP Configuration under Federated Authenticators.
Select both check-boxes to Enable SMSOTP Authenticator and to make it the Default.
Enter the SMS URL, the HTTP Method used (e.g., GET or POST), and the headers and payload if the API uses any.
If the text message and the phone number are passed as parameters in any field, include them as
$ctx.num
and$ctx.msg
respectively.Â- Optionally, enter the HTTP response code the SMS service provider sends when the API is successfully called. Nexmo API and  Bulksms API sends 200 as the code, while Clickatell and Plivo send 202. If this value is unknown, leave it blank and the connector checks if the response is 200, 201 or 202.Â
- Click Register.
Configuring the service provider
The next step is to configure the service provider.
Return to the WSO2 IS management console.
In the Identity section under the Main tab, click Add under Service Providers.
Enter travelocity.com in the Service Provider Name text box, and click Register.
In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
Now set the configuration as follows:
Issuer:
travelocity.com
Assertion Consumer URL:Â
http://wso2is.local:8080/travelocity.com/home.jsp
Click Yes, in the message that appears.
- Select the following check-boxes:
Enable Response Signing
Enable Single Logout
Enable Attribute Profile
- Include Attributes in the Response Always
Click Update to save the changes.
Now you are sent back to the Service Providers page.Go to Claim configuration and select the
http://wso2.org/claims/mobile
claim for the Subject Claim URI.Go to Local and Outbound Authentication Configuration section.
Select the Advanced configuration radio button option.
Creating the first authentication step:
Click Add Authentication Step.
- Click Add Authenticator that is under Local Authenticators of Step 1 to add the basic authentication as the first step.
Adding basic authentication as a first step ensures that the first step of authentication will be done using the user's credentials that are configured with the WSO2 Identity Server
Creating the second authentication step:
Click Add Authentication Step.
Click Add Authenticator that is under Federated Authenticators of Step 2 to add the SMSOTP identity provider you created as the second step.
SMSOTP is a second step that adds another layer of authentication and security.
Click Update to save the changes.
You have now added and configured the service provider.
Updating the mobile number of the user
Follow the steps given below to update the mobile number of the users in WSO2 IS as this field is empty by default if you are creating the user using the WSO2 IS management console..
- Select List that is under Users and Roles, and click Users in the IS Management Console.
Click User Profile of the user you want to edit and update the mobile number.
The mobile number needs to be in the format given in the samples of the SMS provider. For example, 94778888888.Â
If the format is wrong you would not get the text message with the code to sign into WSO2 IS.Make sure the number is registered with an SMS provider in order to send the SMS. For this tutorial, you can use the mobile number that was used to register with the SMS provider.
- Enter the First Name for the user and click Update.
Configuring claims
- The SMS OTP extensions requires a claim to disable the SMS OTP. You need to add this claim to WSO2 IS. Else, you run into errors.
- In the Main menu, click Add under Claims.
- Click Add Local Claim.
- EnterÂ
http://wso2.org/claims/identity/smsotp_disabled
 as the value for Claim Uri. - Add a Display Name and Description. For example, Disable SMS OTP.
- Enter title as the Mapped Attribute.
- Enter 0 as the value for Display Order.
- Select Supported by Default.
- Click Add.
- Optionally, you can add a claim to allow users to use back up codes when SMS OTP is disabled.
Adding the OTP backup codes claim:- In the Main menu, click Add under Claims.
- Click Add Local Claim.
- EnterÂ
http://wso2.org/claims/otpbackupcodes
 as the value for Claim Uri. - Add a Display Name and Description. For example, Backup Code.
- Enter
postalcode
as the value for Mapped Attribute. - Select Supported by Default.
- Click Add.
  Now, click List under Users and Roles and click Users.
Click User Profile next to admin or a preferred user and update the backup codes so that the user can disable SMS OTP by selecting Disable SMS OTP if required.
A backup code can have any number of digits, and you can define many backup codes as comma seperated values.
Testing the sample
To test the sample, go to the following URL:Â http://wso2is.local:8080/travelocity.comÂ
Click the link to log in with SAML from WSO2 Identity Server.
The basic authentication page will be visible. Use your WSO2 Identity Server credentials to sign in.
You will get a token to your mobile phone.Type the code to authenticate, You will be taken to the home page of the travelocity.com app.
Note: If you do not have access to your mobile phone, you can use the backup codes defined for the user to authenticate the user and you are taken to the home page of the travelocity.com application