This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Adding Custom Authenticators

Several authenticators and connectors are already implemented for the WSO2 Open Banking Identity and Access Management module. See the Identity Server (IS) Connectors documentation for the complete list of authenticators and connectors and their deployment guides. If the authenticator or connector you need is not available, you can implement one that meets your requirements.

The WSO2 Open Banking solution allows admin users to add local and outbound authenticators that are used during the Strong Customer Authentication (SCA) flow. This gives Account Servicing Payment Service Providers (ASPSPs) the flexibility to choose any number of preferred authenticators in the SCA flow.

This section explains how to add a custom authenticator to the Open Banking Identity and Access Management module (WSO2 OB IAM).

Step 1. Selecting a suitable authenticator
  • Custom Local Authenticator

If a user needs to be authenticated against the user store and authorized based on a specific assigned role, you can write a custom Local Authenticator. See Writing a Custom Local Authenticator to learn how to write your own custom local authenticator.

  • Custom Federated Authenticator

A federated authenticator is responsible for authenticating the user with an external system. This can be Facebook, Google, Yahoo, LinkedIn, Twitter, Salesforce, or any other identity provider. The Writing a Custom Federated Authenticator documentation guides you through writing a Custom Federated Authenticator.

Step 2. Copying the authenticator components to the WSO2 Open Banking Identity and Access Management server
  • An authenticator consists of two components:
    • Authenticator logic in a .jar file
    • Web application packed in a .war file (only for local authenticators)
  • Copy the .jar file of the authenticator to the <WSO2_OB_IAM_HOME>/repository/components/dropins directory and restart the Identity and Access Management server.
  • If you are using a local authenticator, copy the .war file of the authenticator to the <WSO2_OB_IAM_HOME>/repository/deployment/server/webapps directory. Check the server logs and make sure the web application is successfully deployed in Identity and Access Management.

    You can find the Identity and Access Management logs in the <WSO2_OB_IAM_HOME>/repository/logs/wso2carbon.log file.
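
The copy steps above, as an added shell example that is not part of the WSO2 documentation: it copies an artifact into the directory named in this step only when its SHA-256 matches a digest you recorded at build time, then scans wso2carbon.log for the web application. The function names, the digest pinning, the permission change, and the log heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: install authenticator artifacts only if they match a pinned SHA-256.
# The third argument stands in for <WSO2_OB_IAM_HOME>; file names and digests come from the caller.

sha256_of() {
    # Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

install_artifact() {
    # usage: install_artifact <file> <expected-sha256> <WSO2_OB_IAM_HOME>
    file=$1; expected=$2; home=$3
    case "$file" in
        *.jar) dest="$home/repository/components/dropins" ;;
        *.war) dest="$home/repository/deployment/server/webapps" ;;
        *) echo "unsupported artifact type: $file" >&2; return 2 ;;
    esac
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 3; }
    actual=$(sha256_of "$file") || return 4
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    # Copy, then drop group/other write so other accounts cannot alter code the server loads.
    cp "$file" "$dest/" && chmod go-w "$dest/$(basename "$file")"
}

webapp_log_check() {
    # usage: webapp_log_check <webapp-name> <path-to-wso2carbon.log>
    # Heuristic (assumption): the web app is mentioned in the log and no ERROR line names it.
    name=$1; log=$2
    grep -F -- "$name" "$log" >/dev/null || { echo "$name not mentioned in $log" >&2; return 1; }
    if grep -F -- "$name" "$log" | grep -q 'ERROR'; then
        echo "ERROR lines mention $name:" >&2
        grep -F -- "$name" "$log" | grep 'ERROR' >&2
        return 2
    fi
    return 0
}
```

Restart the server after installing a .jar, as the step above requires, and run webapp_log_check only after the server has had time to deploy the .war.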

Step 3. Configuring the authenticator 

Open the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file and configure your authenticator. Given below are sample configurations for sample authenticators:

If you want to configure a Federated Authenticator, you need to configure an identity provider. Follow the instructions below to add a new identity provider.

  • Sign in to the Identity and Access Management - Management Console (https://<WSO2_OB_IAM_HOST>:9446/carbon). 
  • Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.

  • Fill in the details in the Basic Information section.

  • Expand the Federated Authenticators section.

  • You will see a configuration section added for the new authenticator. See the example from the Facebook authenticator below.


  • Expand the configuration section and fill in the property values. These values are defined during the implementation of the authenticator.

  • Click Register to add the Identity Provider.

Step 4. Verifying the authenticator

  • Sign in to the Identity and Access Management - Management Console (https://<WSO2_OB_IAM_HOST>:9446/carbon). 

  • Try adding a new service provider or editing an existing one.

  • Expand Local & Outbound Authentication Configuration.

  • Depending on the type of the authenticator (Local Authenticator or Federated Authenticator), you will see the newly added custom authenticator in the drop-down list.