The authentication endpoint is the authentication URL used in authentication requests. The following sections discuss methods of customizing this endpoint for various scenarios.
Customizing the authentication endpoint URL
The authentication endpoint URL is the location in your web application that contains authentication related pages.
Follow the steps below to customize the authentication endpoint URL:
<IS_HOME>/repository/conf/identity/file, and change the value of the following parameter depending on the URL that the web application should run.
For example, If you specify the value as
/sso/login, the web application runs on
If you do not change the default value of the
<AuthenticationEndpointURL>parameter, accessing the dashboard redirects you to the WSO2 Identity Server management console.
Run the web application on the new authentication endpoint URL.
Controlling the request parameters going to the authentication endpoint
Additional request parameters can be added and customized for the request sent to the authentication endpoint. To customize this, uncomment the following configurations in the
<IS_HOME>/repository/conf/identity/application-authentication.xml file, under the
ApplicationAuthentication element (which is the root element).
Note: In the above configuration, username and password are just given as examples. You can configure any query parameter here for your request and customize it according to your specifications.
Loading tenants into the dropdown in the login page of the authentication endpoint web application
This section is useful in scenarios where there are multiple tenants used, where users can login to web applications with their credentials for their specified tenants. For instance, for a user in the test.com tenant with the username test1, the user would have to enter the full username as [email protected] in order to login. Enabling this feature will load all the available active tenants onto a dropdown list on the login page of the web application that the authentication endpoint points to. This means that the test1 user mentioned above can simply select the tenant he/she belongs to (test.com) from the dropdown list and only needs to enter the username (i.e., test1) in the username textbox on the login page, without having to type it with "@tenant-domain".
Do the following configurations to enable this feature.
<IS_HOME>/repository/conf/tomcat/catalina-server.xmlfile and ensure that the
clientAuthattribute in the
Connectortag is set to “
want” as shown below. This is done to disable the certificate authentication on certain occasions (like when working on mobile apps). This makes two-way SSL authentication optional.
.jarfile enabling usage of Mutual SSL is shipped with IS by default from IS versions 5.1.0 and upwards. The
org.wso2.carbon.identity.authenticator.mutualssl_5.0.7.jarfile can be found in the
<IS_HOME>/repository/conf/security/authenticators.xmlfile and add the
disabled="false"attribute within the
<Authenticator>tag for the
MutualSSLAuthenticatorto enable the Mutual SSL Authenticator.
SAML2SSOAuthenticatoris enabled (
disabled="false") in the
<IS_HOME>/repository/conf/security/authenticators.xmlfile, set its priority to 0. Otherwise ignore this step.
Add the following configuration into the
<IS_HOME>/repository/conf/identity/application-authentication.xmlfile under the
Note: When configuring the
TenantDataListenerURLtag, note the following.
In a clustered setup that has multiple authentication endpoint web applications hosted, list all of them under the
For authentication endpoint web applications hosted outside the WSO2 Identity Server or in other nodes of a cluster, add the absolute URL within the
Restart the server using one of the following commands.
Once the server is restarted, the authenticationendpoint.war file is deployed. The
<IS_HOME>/repository/conf/identity/EndpointConfig.propertiesfile has to be changed with the required values for properties. The following are the default values for the properties to be used in this file.
Do the following updates to this configuration.
truein order to enable the tenants to display as a list.
mutual.ssl.usernameproperty, set the username that is to be used for mutual SSL authentication. This user needs to have permission to list down tenants. You can add a new username here provided that you create a user with that username and grant the following permissions to the role of the user.
Paths for client keystore and truststore can be relative paths or absolute paths. The default paths point to the keystore and truststore of the Identity Server itself. A new keystore can be created and used for the client if necessary, however, you must set the passwords for
Note:If you are hosting the
autheticationendpoint.warwebapp outside the Identity Server (i.e in a different Tomcat or WSO2 Application Server), then you cannot use the
<IS_HOME>/repository/conf/identity/EndpointConfig.propertiesfile because the webapp does not have access to this file. Instead, the same property file can be found at
In this scenario, do the following:
authenticationendpoint/WEB-INF/classes/EndpointConfig.propertiesfile and provide the full URL to WSO2 Identity Server’s admin services endpoint in the
identity.server.serviceURLproperty following the format below.
- Copy the following .jar files and paste it in the
.jar File Location org.wso2.carbon.base_4.4.3.jar <
- If you have applied the
WSO2-CARBON-PATCH-4.4.0-0073security patch, copy the
.jarfile found in the
- If you have not applied the
WSO2-CARBON-PATCH, copy the
.jarfile found in the <
- If you have applied the
For mutual SSL authentication, the public certificate of the Identity Server has to be imported to the truststore of the client and the public certificate of the client has to be imported to the client-truststore of Identity Server.
Removing the tenant list from the login page
If it is required to remove the tenant domain dropdown list in SSO Login page, follow the steps below.
- Shutdown the server if it is already started.
Set the property
If you are hosting the
authenticationendpoint.warwebapp within WSO2 Identity Server, set this property in the
- If you are hosting it outside the WSO2 Identity Server (i.e., external Tomcat or WSO2 Application Server), set this property in the
MutualSSLAuthenticatoris only used for the purpose of listing tenant domains in the drop down, disable it in the
- Restart the server.