- This functionality is available with the WSO2 WUM Update released on 11/05/2018 (#2667). For more information on how to update your pack using WUM, see Updating WSO2 Products.
- You can use WUM updates only if you have a valid WSO2 subscription.
The authenticationendpoint contains the authentication URLs used in authentication flow. You can either host the authenticationendpoint webapp on the WSO2 Identity Server, or choose to host it on a separate server. You may want to host it separately for the purpose of having custom theming and branding. This section describes how you can host the authentication endpoint on a different server outside the WSO2 Identity Server (e.g., in a different Tomcat Server).
Moving the authenticationendpoint from WSO2IS and hosting it on a separate web server
Before you begin:
First, get a copy of <IS_HOME>/repository/deployment/server/webapps/authenticationendpoin.war to <WebApp_HOME>/ and unzip it. Make sure to get the authenticationendpoin.war after the WUM update and NOT the extracted authenticationendpoint in <IS_HOME>/repository/deployment/server/webapps/
Copy the following .jar files from the
<IS_HOME>/repository/components/plugins/directory to the<WebApp_HOME>/authenticationendpoint/WEB-INF/libdirectory.org.wso2.carbon.base_4.4.11.jar
org.wso2.carbon.identity.base_5.7.5.jar
org.wso2.carbon.ui_4.4.11.jar
org.wso2.carbon.identity.application.authentication.endpoint.util_5.7.5.jar
org.wso2.carbon.identity.core_5.7.5.jar
httpcore_4.3.3.wso2v1.jar
org.wso2.carbon.identity.user.registration.stub_5.7.5.jar
axis2_1.6.1.wso2v20.jar
org.wso2.carbon.user.api_4.4.11.jar
opensaml_2.6.4.wso2v3.jar
org.wso2.carbon.utils_4.4.11.jar
jettison_1.3.4.wso2v1.jar
org.wso2.carbon.user.core_4.4.11.jar
- Copy the following .jar files from the <
IS_HOME>/lib/runtimes/cxf/directory to the<WebApp_HOME>/authenticationendpoint/WEB-INF/libdirectory.javax.ws.rs-api-2.0-m10.jar- cxf
-bundle-2.7.16.wso2v1.jar - neethi
-3.0.3.jar wsdl4j-1.6.3.jar
Uncomment following section in
<WebApp_HOME>/authenticationendpoint/WEB-INF/web.xmland point to identity server URLs.... <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/accountrecoveryendpoint</param-value> </context-param> <context-param> <param-name>AccountRecoveryRESTEndpointURL</param-name> <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value> </context-param> ... <context-param> <param-name>IdentityServerEndpointContextURL</param-name> <param-value>https://localhost:9443</param-value> </context-param> ...Change the following configuration in
<IS_HOME>/repository/conf/identity/application-authentication.xmlfile<AuthenticationEndpointURL>/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
as follows:
<AuthenticationEndpointURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
You will need to add AuthenticationEndpointMissingClaimsURL configuration, as it is not already available in this configuration file.
Change the following configuration in
<IS_HOME>/repository/conf/identity/identity.xmlfile to point to the authentication endpoint hosted outside the WSO2 server.... <OpenID> ... <OpenIDLoginUrl>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/openid_login.do</OpenIDLoginUrl> ... </OpenID> ... <OAuth> ... <OAuth2ConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> ... </OAuth> ... <SSOService> ... <DefaultLogoutEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> ... </SSOService> ... <PassiveSTS> ... <RetryURL>https://$WEB_SERVER_HOST:$WEB_SERVER_PORT/authenticationendpoint/retry.do</RetryUR> ... <PassiveSTS> ...Import the public certificate of the identity server to the javaca certs (or web-serverstruststore) of the JVM that the authenticationendpoint is running.
keytool -export -keystore $IS_HOME/repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cer
keytool -import -alias wso2carbon -keystore $WEB_APP_TRUSTSTORE -file wso2carbon.cer
Import the public certificate of the Web_server’s keystore to the Identity Server truststore.
keytool -export -keystore $WEB_APP_KEYSTORE -alias wso2carbon -file webserver.cer
keytool -import -alias <alias> -keystore $IS_HOME/repository/resources/security/client-trustore.jks -file webserver.cer
Moving the accountrecoveryendpoint from WSO2IS and hosting it on a separate web server
This is an additional improvement which enables hosting accountrecoveryendpoint.war also on a separate web server.
Before you begin:
Get a copy of <IS_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint.war to <WebApp_HOME>/ and unzip it. Make sure to get the accountrecoveryendpoint.war after the WUM update and not the extracted accountrecoveryendpoint in <IS_HOME>/repository/deployment/server/webapps/
In
<WebApp_HOME>/accountrecoveryendpoint/WEB-INF/classes/RecoveryEndpointConfig.propertiesfile, uncomment and change it to identity server.identity.server.service.contextURL=https://localhost:9443/services/
Uncomment and change the user portal reference in
<WebApp_HOME>/accountrecoveryendpoint/WEB-INF/web.xml<context-param> <param-name>UserPortalUrl</param-name> <param-value>https://localhost:9443/dashboard/index.jag</param-value> </context-param>Copy the following dependencies to
<WebApp_HOME>/authenticationendpoint/WEB-INF/lib$IS_HOME/repository/components/plugins/org.wso2.carbon.base_4.4.11.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.identity.base_5.7.5.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.ui_4.4.11.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.identity.application.authentication.endpoint.util_5.7.5.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.identity.core_5.7.5.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.identity.user.registration.stub_5.7.5.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.utils_4.4.11.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.user.core_4.4.11.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.user.api_4.4.11.jar $IS_HOME/repository/components/plugins/org.wso2.carbon.logging_4.4.11.jar $IS_HOME/repository/components/plugins/httpcore_4.3.3.wso2v1.jar $IS_HOME/repository/components/plugins/axis2_1.6.1.wso2v20.jar $IS_HOME/repository/components/plugins/opensaml_2.6.4.wso2v3.jar $IS_HOME/repository/components/plugins/jettison_1.3.4.wso2v1.jar $IS_HOME/lib/runtimes/cxf/javax.ws.rs-api-2.0-m10.jar $IS_HOME/lib/runtimes/cxf/cxf-bundle-2.7.16.wso2v1.jar $IS_HOME/lib/runtimes/cxf/neethi-3.0.3.jar $IS_HOME/lib/runtimes/cxf/wsdl4j-1.6.3.jar $IS_HOME/repository/components/plugins/commons-codec_1.4.0.wso2v1.jar $IS_HOME/repository/components/plugins/commons-collections_3.2.2.wso2v1.jar
Note: Make sure the WebApp container server (of endpoint apps) is running with SSL enabled.
e.g., if tomcat enabled the https connector, add the following to
catalina.sh.JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=$WEB_SERVER_KEYSTORE -Djavax.net.ssl.keyStorePassword=$password" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$WEBSERVER_TRUSTORE -Djavax.net.ssl.trustStorePassword=$password"
Running the sample
Download and install WSO2 IS and apache-tomcat into your local machine. Let’s consider IS installation as <IS_HOME> and tomcat installation as <TOMCAT_HOME>
- Get the sample setup scripts from the following location:
https://github.com/ayshsandu/samples/tree/master/is_samples/is_5.3.0/hosting-endpoints. Open
<TOMCAT_HOME>/conf/server.xmlfile and enable the https connector on 8443 port.<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="$IS_HOME/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" truststoreFile="$IS_HOME/repository/resources/security/client-truststore.jks" truststorePass="wso2carbon"/>For this sample, we configured the same keystore and truststore in WSO2IS as the keystore and truststore in tomcat. In an actual environment, you may create a new keystore and truststore for tomcat and point to it. When using separate keystores and truststores, you need to import tomcat keystore’s public cert in to:
<IS_HOME>/repository/resources/security/client-truststore.jksand, public cert of<IS_HOME>/repository/resources/security/wso2carbon.jksinto tomcat’s truststoreOpen
<TOMCAT_HOME>/bin/catalina.shand add following JAVA_OPTS.JAVA_OPTS="$JAVA_OPTS --Djavax.net.ssl.keyStore=$IS_HOME/repository/resources/security/wso2carbon.jks -Djavax.net.ssl.keyStorePassword=wso2carbon" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$IS_HOME/repository/resources/security/client-truststore.jks -Djavax.net.ssl.trustStorePassword=wso2carbon"
- Run
setup-authentication.shobtained from step 2 and follow the instructions. - Once the script is complete, then the authentication endpoint is set up in the given
<TOMCAT_HOME>/webappslocation. Uncomment following section in
<TOMCAT_HOME>/webapps/authenticationendpoint/WEB-INF/web.xmlfile and point to identity server URLs.…... <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://localhost:9443/accountrecoveryendpoint</param-value> </context-param> <context-param> <param-name>AccountRecoveryRESTEndpointURL</param-name> <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value> </context-param> ….. <context-param> <param-name>IdentityServerEndpointContextURL</param-name> <param-value>https://localhost:9443</param-value> </context-param> …...Change the following configuration in
<IS_HOME>/repository/conf/identity/application-authentication.xmlfile.<AuthenticationEndpointURL>https://localhost:8443/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://localhost:8443/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>https://localhost:8443/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
Change the following configuration in
<IS_HOME>/repository/conf/identity/identity.xmlfile to point to the authentication endpoint hosted outside the WSO2 server... <OpenID> ... <OpenIDLoginUrl>https://localhost:8443/authenticationendpoint/openid_login.do</OpenIDLoginUrl> … </OpenID> … <OAuth> …. <OAuth2ConsentPage>https://localhost:8443/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>https://localhost:8443/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>https://localhost:8443/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>https://localhost:8443/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>https://localhost:8443/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> …. </OAuth> ... <SSOService> ... <DefaultLogoutEndpoint>https://localhost:8443/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>https://localhost:8443/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> … </SSOService> …. <PassiveSTS> ... <RetryURL>https://localhost:8443/authenticationendpoint/retry.do</RetryUR> ... <PassiveSTS> ….
Start both Identity Server and Tomcat and access
https://localhost:9443/dashboard. Now you can see that the authentication is redirected to:https://localhost:8443/authenticationendpoint/login.doNow let’s take out account recovery endpoint into the external Tomcat server as well.
- Run
setup-accountrecovery.shobtained from step 2 and follow the instructions. Change the following section in
<TOMCAT_HOME>/webapps/authenticationendpoint/WEB-INF/web.xmlfile and point toIdentityManagementEndpointContextURLinto tomcat URL.… <context-param> <param-name>IdentityManagementEndpointContextURL</param-name> <param-value>https://localhost:8443/accountrecoveryendpoint</param-value> </context-param> …In
<TOMCAT_HOME>/accountrecoveryendpoint/WEB-INF/classes/RecoveryEndpointConfig.propertiesfile, uncomment and change it to identity server.identity.server.service.contextURL=https://localhost:9443/services/
Uncomment and change the user portal reference in
<TOMCAT_HOME>/accountrecoveryendpoint/WEB-INF/web.xml… <context-param> <param-name>UserPortalUrl</param-name> <param-value>https://localhost:9443/dashboard/index.jag</param-value> </context-param> ...