A custom federated authenticator can be written to authenticate a user against an external system. The external system can be any identity provider, including Facebook, Twitter, Google, Yahoo, etc. You can use the extension points available in WSO2 Identity Server to create custom federated authenticators.
A custom federated authenticator is implemented against the application authentication framework API of WSO2 Identity Server. The same API is used to declare the configuration properties (client credentials, endpoint URLs and so on) that the authenticator exposes in the Management Console.
Writing a custom federated authenticator
- First create a Maven project for the custom federated authenticator. Refer to the pom.xml file used for the sample custom federated authenticator.
- Refer to the service component class as well, since the authenticator is written as an OSGi service that is deployed in WSO2 Identity Server and registered with the authentication framework as a federated authenticator.
- The custom federated authenticator should be written by extending the AbstractApplicationAuthenticator class and implementing the FederatedApplicationAuthenticator interface.
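The following service component shows how the authenticator is registered with the framework. It is an added example, not the service component of the sample project; the package and component names are assumptions, and it uses the OSGi Declarative Services annotations (org.osgi.service.component.annotations). The only thing the framework needs is a service registered under the ApplicationAuthenticator interface.

```java
package org.wso2.carbon.identity.sample.authenticator.internal; // assumed package name

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
import org.wso2.carbon.identity.sample.authenticator.CustomFederatedAuthenticator; // assumed authenticator class

/** Registers CustomFederatedAuthenticator so the authentication framework can discover it. */
@Component(name = "org.wso2.carbon.identity.sample.authenticator", immediate = true) // assumed component name
public class CustomFederatedAuthenticatorServiceComponent {

    private ServiceRegistration<?> registration;

    @Activate
    protected void activate(ComponentContext ctxt) {
        BundleContext bundleContext = ctxt.getBundleContext();
        // The framework looks up ApplicationAuthenticator services; the interface name used here is what
        // makes the authenticator show up under Federated Authenticators in the Management Console.
        registration = bundleContext.registerService(ApplicationAuthenticator.class.getName(),
                new CustomFederatedAuthenticator(), null);
    }

    @Deactivate
    protected void deactivate(ComponentContext ctxt) {
        // Unregister explicitly so a stopped bundle does not leave a stale authenticator behind.
        if (registration != null) {
            registration.unregister();
            registration = null;
        }
    }
}
```

Because the authenticator is an OSGi bundle, the pom.xml must package it as a bundle (with the WSO2 framework packages imported) or the component above is never activated.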
The important methods in the AbstractApplicationAuthenticator class and the FederatedApplicationAuthenticator interface are listed as follows.
- getName() - Returns the name of the authenticator.
- getFriendlyName() - Returns the display name for the custom federated authenticator. In this sample we are using custom-federated-authenticator.
- getContextIdentifier(HttpServletRequest) - Returns a unique identifier that maps the authentication request to its response. The same value must be returned for the outgoing authentication request and for the response that comes back, because the framework uses it to look up the original authentication context; in an OAuth2-style flow it is normally carried in the state parameter.
- canHandle(HttpServletRequest) - Specifies whether this authenticator can handle the incoming authentication response. All federated responses arrive at the same /commonauth endpoint, so the check must be specific enough that this authenticator does not claim responses intended for another authenticator.
- initiateAuthenticationRequest(HttpServletRequest, HttpServletResponse, AuthenticationContext) - Redirects the user to the external system's login page. In this sample the user is redirected to the login page of the application that is configured in the partner identity server, which acts as the external service.
- processAuthenticationResponse(HttpServletRequest, HttpServletResponse, AuthenticationContext) - Implements the logic of the custom federated authenticator: validates the response from the external system and sets the authenticated subject on the context.
A complete sample custom federated authenticator is available for reference.
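As an added example (not the sample project referenced above and not WSO2's own code), the class below implements these methods for the OAuth2/OpenID Connect authorization code flow that the partner identity server speaks. The property keys (ClientId, ClientSecret, callbackUrl, OAuth2AuthzEPUrl, OAuth2TokenEPUrl), the use of org.json for the token response and a Java 11+ runtime (for java.net.http) are assumptions; the framework classes it extends and the methods it overrides are those of the WSO2 IS application authentication framework.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.http.*;
import org.json.JSONArray;
import org.json.JSONObject;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.Property;

/** Federated authenticator: OAuth2/OIDC authorization code flow against a partner WSO2 Identity Server. */
public class CustomFederatedAuthenticator extends AbstractApplicationAuthenticator
        implements FederatedApplicationAuthenticator {
    public static final String NAME = "CustomFederatedAuthenticator";
    public static final String FRIENDLY_NAME = "custom-federated-authenticator";
    // Keys of the properties an admin fills in on the Federated Authenticators tab (assumed names).
    static final String CLIENT_ID = "ClientId", CLIENT_SECRET = "ClientSecret", CALLBACK_URL = "callbackUrl",
            AUTHZ_URL = "OAuth2AuthzEPUrl", TOKEN_URL = "OAuth2TokenEPUrl";
    // Appended to the OAuth2 "state" value so this authenticator claims only its own callbacks.
    private static final String STATE_SUFFIX = "," + NAME;

    @Override public String getName() { return NAME; }
    @Override public String getFriendlyName() { return FRIENDLY_NAME; }

    /** Declares the input fields shown on the identity provider's Federated Authenticators tab. */
    @Override public List<Property> getConfigurationProperties() {
        String[][] fields = {{CLIENT_ID, "Client Id"}, {CLIENT_SECRET, "Client Secret"}, {CALLBACK_URL, "Callback URL"},
                {AUTHZ_URL, "Authorization Endpoint URL"}, {TOKEN_URL, "Token Endpoint URL"}};
        List<Property> props = new ArrayList<>();
        for (String[] f : fields) {
            Property p = new Property();
            p.setName(f[0]); p.setDisplayName(f[1]); p.setRequired(true);
            p.setConfidential(CLIENT_SECRET.equals(f[0])); // the secret is masked in the console
            props.add(p);
        }
        return props;
    }

    /** Request and callback share the framework's context id, which travels in "state". */
    @Override public String getContextIdentifier(HttpServletRequest request) {
        String state = request.getParameter("state");
        return state != null && state.endsWith(STATE_SUFFIX)
                ? state.substring(0, state.length() - STATE_SUFFIX.length()) : null;
    }

    /** Every federated callback lands on /commonauth; claim only responses tagged with our suffix. */
    @Override public boolean canHandle(HttpServletRequest request) {
        return getContextIdentifier(request) != null
                && (request.getParameter("code") != null || request.getParameter("error") != null);
    }

    @Override protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
            AuthenticationContext context) throws AuthenticationFailedException {
        Map<String, String> p = context.getAuthenticatorProperties();
        // state ties the callback to this login attempt; the framework drops callbacks whose context id is unknown.
        String url = p.get(AUTHZ_URL) + "?response_type=code&scope=openid&client_id=" + enc(p.get(CLIENT_ID))
                + "&redirect_uri=" + enc(p.get(CALLBACK_URL)) + "&state=" + enc(context.getContextIdentifier() + STATE_SUFFIX);
        try {
            response.sendRedirect(url);
        } catch (IOException e) {
            throw new AuthenticationFailedException("Redirect to the partner authorization endpoint failed", e);
        }
    }

    @Override protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
            AuthenticationContext context) throws AuthenticationFailedException {
        String error = request.getParameter("error");
        if (error != null) throw new AuthenticationFailedException("Partner identity server returned: " + error);
        Map<String, String> p = context.getAuthenticatorProperties();
        JSONObject tokens = exchangeCode(p, request.getParameter("code"));
        // The id_token came straight from the token endpoint over TLS with client authentication, so its
        // signature is not re-verified here (OIDC Core 3.1.3.7.6); audience and expiry are still checked.
        String idToken = tokens.optString("id_token", null);
        if (idToken == null) throw new AuthenticationFailedException("Token response contained no id_token");
        JSONObject claims = new JSONObject(new String(Base64.getUrlDecoder().decode(idToken.split("\\.")[1]), StandardCharsets.UTF_8));
        Object aud = claims.opt("aud");
        boolean audOk = aud instanceof JSONArray ? ((JSONArray) aud).toList().contains(p.get(CLIENT_ID)) : p.get(CLIENT_ID).equals(aud);
        if (!audOk || claims.optLong("exp", 0) * 1000 < System.currentTimeMillis()) {
            throw new AuthenticationFailedException("id_token audience or expiry check failed");
        }
        context.setSubject(AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(claims.getString("sub")));
    }

    /** Authorization-code exchange; the client secret travels in an HTTP Basic header, never in a URL. */
    private JSONObject exchangeCode(Map<String, String> p, String code) throws AuthenticationFailedException {
        String basic = Base64.getEncoder().encodeToString((p.get(CLIENT_ID) + ":" + p.get(CLIENT_SECRET)).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(p.get(TOKEN_URL)))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Authorization", "Basic " + basic)
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=authorization_code&code=" + enc(code)
                        + "&redirect_uri=" + enc(p.get(CALLBACK_URL)))).build();
        try {
            HttpResponse<String> res = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
            if (res.statusCode() != 200) throw new AuthenticationFailedException("Token endpoint returned HTTP " + res.statusCode());
            return new JSONObject(res.body());
        } catch (IOException | InterruptedException e) {
            throw new AuthenticationFailedException("Token request to the partner identity server failed", e);
        }
    }

    private static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }
}
```

Two points are worth keeping in mind when adapting this. The only binding between the outgoing request and the callback is the state value derived from the framework context identifier, so getContextIdentifier and canHandle must agree on how it is encoded. The id_token is accepted without a signature check only because it is fetched directly from the token endpoint over TLS with the client secret; an authenticator that receives tokens any other way (for example from a front-channel response) must verify the signature against the partner's JWKS before trusting the sub claim.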
Deploy the custom federated authenticator in WSO2 IS
Once the implementation is done, navigate to the root of your project and build it with Maven (for example, mvn clean install) to produce the OSGi bundle.
Copy the JAR produced in the target folder to the dropins directory of the identity server (<IS_HOME>/repository/components/dropins in a standard installation) and restart the server so that the bundle is picked up and the authenticator is registered.
Configure the partner identity server
In this sample the partner identity server acts as the external system. It is a second WSO2 Identity Server instance running on the same machine on a different port, obtained by changing the port offset to 1 in the partner server's
<PARTNER_ configuration file.
After starting the partner identity server, it runs on https://localhost:9444 (the default 9443 plus the offset of 1). Because the identity server later calls the partner's token endpoint over TLS, the partner's certificate must be trusted by the identity server's client truststore; two unmodified default installations ship with the same wso2carbon certificate, so no extra trust configuration is needed in this sample.
Register a service provider
In the Management Console of the partner identity server, navigate to Main > Identity > Service Providers > Add.
Enter a Service Provider Name. Optionally, enter a Description.
Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration.
Enter https://localhost:9443/commonauth as the Callback Url (the endpoint at which the identity server's authentication framework receives federated responses) and add the configuration. Note the generated OAuth Client Key and Client Secret; they are entered on the identity server in the next section.
Add a user
In the Management Console of the partner identity server, navigate to Main > Identity > Users and Roles > Add.
Click Add New User and create a new user by providing username and password.
Configure the identity server
Configure the federated authenticator
In the Management Console of the identity server, navigate to Main > Identity > Identity Providers > Add.
Enter an Identity Provider Name and register the identity provider.
In the registered identity providers view, click Edit on the created identity provider.
Click Federated Authenticators and expand Custom-federated-authenticator Configuration.
Configure it as follows.
- Select Enable.
- Client Id - The OAuth Client Key generated for the service provider registered on the partner identity server.
- Client Secret - The OAuth Client Secret generated for that service provider. It is stored with the identity provider configuration and sent only to the partner's token endpoint; keep it out of URLs and logs.
- Callback URL - The callback URL registered with the partner's service provider, which is this identity server's /commonauth endpoint. It must match exactly, or the partner will reject the authorization request.
- Authorization Endpoint URL - The OAuth2 authorization endpoint of the partner identity server (running on port 9444).
- Token Endpoint URL - The OAuth2 token endpoint of the partner identity server.
Configure an application with the custom federated authenticator
This example uses the playground sample app; set it up by following the playground app configuration guide.
In the created service provider, expand Local & Outbound Authentication Configuration. For the Authentication Type, select Federated Authentication and select the configured federated authenticator from the dropdown.
Click Update to save the configurations.
Try the scenario
Access the playground app at http://wso2is.local:8080/playground2/.
The app sends you to the identity server, and the custom federated authenticator redirects you to the login page of the partner identity server, which acts as the external service.
Enter the username and password of the user created earlier in the partner identity server.
The partner identity server authenticates the user and returns the response to the identity server's /commonauth endpoint, where the custom federated authenticator processes it and completes the login to the playground app.
Similarly, you can write a federated authenticator to authenticate the users using an external system.