This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Default Authenticators

An authenticator is an instrument that confirms the identity of a user when performing digital authentication. The WSO2 Open Banking solution contains two authenticators by default.

  • Basic Authenticator
  • SMS OTP Authenticator

The Basic Authenticator is configured as the first factor of authentication. You can further strengthen this authentication by adding additional steps, such as SMS OTP, to implement Strong Customer Authentication (SCA).

To use SMS OTP as the second authentication factor, configure the SMS OTP Authenticator as described below.

Configuring SMS OTP Authenticator

Follow the steps below to configure SMS OTP Authenticator.

  1. Start the WSO2 Open Banking Identity and Access Management (WSO2 OB IAM) server. Sign in to the Management Console (https://<WSO2_OB_IAM_HOST>:9446/carbon) as an administrator.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill in the Basic Information section and name this identity provider SMSAuthentication.
  4. Expand the Federated Authenticators > SMS OTP Configuration section.

  5. Select both the Enable and Default checkboxes. This is to enable and make the SMSAuthentication authenticator the default one.

    Based on your SMS provider, fill out the SMS OTP configurations.

    If Twilio is used as the SMS provider,
    • Go to https://www.twilio.com/try-twilio and create an account.

    • While registering the account, verify your mobile number and click on console home https://www.twilio.com/console to get free credits (Account SID and Auth Token).

    • Twilio uses a POST method with headers, and the text message and phone number are sent in the payload, so the fields would be as follows.

      Wherever the text message or the phone number appears in a field, replace the message with $ctx.msg and the phone number with $ctx.num.
      E.g., Body=$ctx.msg&To=$ctx.num&From=+12345678

    Currently, the WSO2 Open Banking Identity and Access Management module supports only the following SMS providers.

  6. Click Register to add the Identity Provider. 
  7. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. Update the value of the idp_name parameter with the name of the identity provider.

    [open_banking.sca]
    idp_name = "SMSAuthentication"

    To verify the SMSAuthentication authenticator:

    Follow the steps below to verify whether the SMSAuthentication authenticator is properly configured.

    1. Create an application in the WSO2 Open Banking API Management module.

    2. Generate Access Tokens and Security Keys.

    3. Log in to the Management Console as the super admin.

    4. In the Main menu under the Identity section, click List under Service Providers. The list of service providers created appears.

    5. Select the service provider with the name of the application you created in step 1. The service provider name is in the following format:

      <WSO2_OB_APIM_USERNAME>_<APPLICATION_NAME>_<ENVIRONMENT>

    6. Click on the corresponding Edit link.

    7. Expand Local & Outbound Authentication Configuration. Select Advanced Configuration. You can configure additional authentication steps and additional authentication options.

    8. If you have successfully configured the SMSAuthentication authenticator, you will see how it’s configured as the Federated Authenticator under Authentication Step Configuration > Step 2.

  8. Add a Local Claim. 
    1. In the Main menu under the Identity section, click Add under Claims.
    2. Select Add Local Claim.
    3. Use the following configurations:

      Parameter Name      Test Configuration
      Claim URI           http://wso2.org/claims/identity/failedSmsOtpAttempts
      Display Name        Failed SMS OTP Attempts
      Description         Failed SMS OTP Attempts
      Mapped Attribute    User Store Domain Name: PRIMARY
                          Mapped Attribute: failedSmsOtpAttempts
    4. Click Add.
  9. Configure a Login Policy:
    1. In the Main menu under the Identity section, click Resident under Identity Providers.

    2. Expand Login Policies > Account Locking.

    3. Select the Account Lock Enabled checkbox to enable account locking.
    4. Set the value of Maximum Failed Login Attempts to 5.
    5. Click Update.
  10. Add mobile phone as a mandatory claim:
    1. In the Main menu under the Identity section, click List under Claims.
    2. Select http://wso2.org/claims from the list.
    3. Scroll down the available claims for http://wso2.org/claims and locate the Mobile claim.
    4. Click Edit.
    5. Select the Required checkbox to make mobile a mandatory claim.
    6. Click Update.

    When you log in with the admin username in the authentication flow, a notification pops up on the first login attempt asking for the mobile number. Enter your mobile number in the format 94123456789.

For more information, see Configuring Multi-factor Authentication using SMS OTP.
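The Twilio payload template in step 5 (Body=$ctx.msg&To=$ctx.num&From=+12345678) only works safely if the substituted OTP message and number are form-encoded before they are placed into the body; otherwise a message containing & or = would add or overwrite fields. The following is an added illustration of that rendering step, not the WSO2 authenticator's own implementation, and the placeholder names $ctx.msg and $ctx.num are the only values taken from the page:

```python
import re
from urllib.parse import quote, parse_qs

# Placeholders used in the SMS OTP payload template (names from the page).
PLACEHOLDERS = {"$ctx.msg": "msg", "$ctx.num": "num"}


def render_payload(template: str, ctx: dict) -> str:
    """Render a form-encoded SMS payload template such as
    'Body=$ctx.msg&To=$ctx.num&From=+12345678'.

    Every placeholder value is percent-encoded (safe="" so that '&', '=' and
    spaces are all escaped) before substitution, so an OTP message cannot
    inject or overwrite form fields. Any placeholder left unresolved is an
    error rather than being sent to the provider verbatim.
    Added illustration; not the authenticator's real code."""
    out = template
    for placeholder, key in PLACEHOLDERS.items():
        out = out.replace(placeholder, quote(str(ctx[key]), safe=""))
    leftover = re.findall(r"\$ctx\.\w+", out)
    if leftover:
        raise ValueError(f"unresolved placeholders in template: {leftover}")
    return out


def parsed_fields(payload: str) -> dict:
    """Decode the rendered body the way an HTTP form parser would,
    keeping one value per field, so the caller can check what the
    SMS provider would actually see in Body and To."""
    return {k: v[0] for k, v in parse_qs(payload, strict_parsing=True).items()}


if __name__ == "__main__":
    # Constructed sample context: a one-time code message and the mobile
    # number format the page asks for (94123456789).
    template = "Body=$ctx.msg&To=$ctx.num&From=+12345678"
    body = render_payload(template, {"msg": "Your OTP is 123456", "num": "94123456789"})
    print(body)
    print(parsed_fields(body))
```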

If you want to configure a different authentication factor:

  1. Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file.
  2. By default, two factors (basic and smsotp) are configured to engage when a TPP creates an application and generates keys. If you want to use a different authentication factor as the second factor, configure that authenticator as a federated authenticator in the Identity Server and set its name here.

    [open_banking.sca]
    idp_name = "SMSAuthentication"
  3. Using a federated authenticator:

    This is available only as WSO2 Updates and is effective from wso2-obiam-2.0.0.68 and wso2-obam-2.0.0.61 onwards. For more information on updating WSO2 Open Banking, see Updating WSO2 Products.