This documentation is for WSO2 Identity Server 5.1.0.
Configuring Local and Outbound Authentication for a Service Provider - Identity Server 5.1.0 - WSO2 Documentation

The responsibility of the local authenticators is to authenticate the user with locally available credentials. This can be either username/password or even IWA (Integrated Windows Authentication) or FIDO (Fast IDentity Online). Local authenticators are decoupled from the Inbound Authenticators. Once the initial request is handed over to the authentication framework from an inbound authenticator, the authentication framework talks to the service provider configuration component to find the set of local authenticators registered with the service provider corresponding to the current authentication request.

Once the local authentication is successfully completed, the local authenticator will notify the framework. The framework will now decide no more authentication is needed and hand over the control to the corresponding response builder of the inbound authenticator. See Architecture for more information on this.

To register a service provider, do the following.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.
  4. Click Register to add the new service provider.

You can configure the following for local and outbound authentication.

  1. Expand Local & Outbound Authentication Configuration.

    • Assert identity using mapped local subject identifier: This option uses the local subject identifier when asserting the identity.
    • Always send back the authenticated list of identity providers: This option sends back the list of identity providers that the current user has been authenticated by.
    • Use tenant domain in local subject identifier: This option appends the tenant domain to the local subject identifier.
    • Use user store domain in local subject identifier: This option appends the user store domain that the user resides in to the local subject identifier.
  2. Select the Authentication Type you require from the available options. This is a required field.
    • If you choose Local Authentication, you need to select the local authentication option from the dropdown list.
    • If you choose Federated Authentication, you need to select the identity provider from the dropdown list.
    • If you choose Advanced Configurations, you can configure additional authentication steps and additional authentication options.
      1. Click Add Authentication Step. Clicking this again will enable you to create another authentication step.
      2. Select whether to Use subject identifier from this step, Use attributes from this step or both. With multiple steps, only one step can supply the subject identifier and only one step can supply the attributes.
      3. Click the plus button to add a Local Authenticator. You can choose the type of authenticator using the dropdown. Clicking the plus button again will enable you to add a second local authenticator. Basic authentication allows you to authenticate users from the enterprise user store.
      4. Click the plus button to add a Federated Authenticator. You can choose the type of authenticator using the dropdown. Clicking the plus button again will enable you to add a second federated authenticator.
      5. Click the Update button. This will return you to the previous screen with your newly configured authentication steps.
  3. Add a local authenticator under Request Path Authentication Configuration by clicking the Add button. Clicking the Add button again enables you to add another local authenticator. The two types of local authenticators available are as follows.
    • OAuthRequestPathAuthenticator
    • BasicAuthRequestPathAuthenticator

Look through the following for more details on the various authentication types.

Authentication Type: Details

Default
  This is the default authentication provided by the service provider.

Local Authentication
  This is the authentication enabled in the Identity Server. There are three types of local authenticators.
    • The basic authenticator authenticates the user using the credentials available in the Identity Server.
    • IWA stands for Integrated Windows Authentication and involves automatically authenticating users using their Windows credentials.
    • The FIDO authenticator is a local authenticator that ships with the WSO2 Identity Server. It handles FIDO authentication requests by validating the presented key against the data stored for the FIDO-registered user: the public key, the key handle, the counter and the attestation certificate.

Federated Authentication
  Federated authenticators are not within the Identity Server like local authenticators; they are external. Federated authentication is based on the identity provider that you added to the WSO2 Identity Server. In this case, the user is authenticated by checking the user credentials against the identity provider.

Advanced Configuration
  Advanced configurations enable you to add multiple options or steps in authentication. When multiple authentication steps exist, the user must be authenticated by each and every one of these steps. If only one step is added, the user is authenticated only by the local and/or federated authenticators added in that single step. Within a single step, however, authentication succeeds when any one of that step's local or federated authenticators succeeds.

Request path authenticators

This is a special type of authenticator. Request path authenticator is always a local authenticator. Once the initial request is handed over to the authentication framework from an inbound authenticator, the authentication framework talks to the service provider configuration component to find the set of request path authenticators registered with the service provider corresponding to the current authentication request. Then the framework will check whether there is any request path authenticator applicable for the initial authentication request. In other words, a request path authenticator will get executed only if the initial authentication request brings the applicable set of credentials with it.

The request path authenticators always require the user credentials to be present in the initial authentication request itself. This does not need any end-user interactions with the Identity Server.

Once the request path authentication is successfully completed, the request path authenticator will notify the authentication framework. The framework will now decide no more authentication is needed and hand over the control to the corresponding response builder of the inbound authenticator.
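The step and request path rules described above and under Advanced Configuration, as an added simulation written for this page (constructed here, not WSO2 code): request path authenticators run first and only when the initial request already carries their credentials; otherwise every configured step must pass while any one authenticator within a step suffices, and the local subject identifier is built according to the tenant domain and user store domain options. Apart from the two request path authenticators named on this page, the authenticator names, the credential mapping and the sample user are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    authenticators: list          # local and/or federated authenticator names
    use_subject: bool = False     # "Use subject identifier from this step"
    use_attributes: bool = False  # "Use attributes from this step"

@dataclass
class ServiceProvider:
    steps: list
    request_path: list = field(default_factory=list)  # request path authenticators
    use_tenant_domain: bool = False     # "Use tenant domain in local subject identifier"
    use_userstore_domain: bool = False  # "Use user store domain in local subject identifier"

# Constructed mapping: the credential type each authenticator verifies ("GoogleIdP" is hypothetical).
CREDENTIAL_FOR = {
    "BasicAuthenticator": "password", "FIDOAuthenticator": "fido", "GoogleIdP": "google_id_token",
    "BasicAuthRequestPathAuthenticator": "password", "OAuthRequestPathAuthenticator": "oauth_token",
}

def validate(sp):  # only one step may supply the subject identifier and only one the attributes
    if sum(s.use_subject for s in sp.steps) > 1 or sum(s.use_attributes for s in sp.steps) > 1:
        raise ValueError("only one step may use the subject identifier or the attributes")

def local_subject_id(sp, user):
    sid = user["username"]
    if sp.use_userstore_domain:
        sid = f"{user['store']}/{sid}"
    if sp.use_tenant_domain:
        sid = f"{sid}@{user['tenant']}"
    return sid

def authenticate(sp, initial_creds, flow_creds, user):
    # initial_creds: credential types in the initial request; flow_creds: types verified interactively.
    validate(sp)
    for name in sp.request_path:  # runs only if the initial request brings the credentials
        if CREDENTIAL_FOR[name] in initial_creds:
            return {"ok": True, "via": [name], "subject": local_subject_id(sp, user)}
    result = {"ok": True, "via": [], "subject": None, "attributes_from": None}
    for n, step in enumerate(sp.steps, 1):  # every configured step must pass
        passed = next((a for a in step.authenticators if CREDENTIAL_FOR[a] in flow_creds), None)
        if passed is None:  # but any one authenticator within a step suffices
            return {"ok": False, "failed_step": n}
        result["via"].append(passed)
        if step.use_subject:
            result["subject"] = local_subject_id(sp, user)
        if step.use_attributes:
            result["attributes_from"] = n
    return result
```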

Do the following to configure this.

  1. Expand the Local & Outbound Authentication Configuration section.
  2. Expand the Request Path Authentication Configuration section.
  3. Select the request path authenticator from the dropdown and click the Add button.