The identifier-first login enables identifying the individuals prior to authenticating them. It is used to get the identity of the user without using authentication information, and use that identity to control the authentication flow.
The identifier-first flow handler is shipped with the product itself from IS 5.7.0 onwards.
Configuring Identifier-first handler in the login flow
This handler can be configured at any step in the authentication flow. However, it is not an authenticator by itself and needs to be configured along with another authenticator in order for the authentication process to be successful.
IS_HOME/repository/conf/identity/has the parameter,
IdentifierExecutorconfiguration. If you want your username validated first, the value of this parameter should be changed to
Log in to the WSO2 IS management console. Select a Service Provider (For details on how to create a new service provider, click here) and expand the Local & Outbound Authentication Configuration section. Click Advanced Configuration and add the identifier-first as one of the steps as shown below.
Let's try this out for a scenario!
Suppose the admin wants the user who attempts to log in, to be authenticated by a federated authenticator that is chosen based on the domain name specified. Let's also assume that the user has opted to validate the identity before proceeding to authenticate the user.
Follow the steps given below to accomplish this.
Before you begin
- Install WSO2 IS 5.7.0 by downloading the installer
<PRODUCT_HOME>/repository/confand open the
carbon.xmlfile. Uncomment the
EnableEmailUserNameconfiguration to enable email authentication. By doing this, we are configuring WSO2 IS to use the email as the username.
- Download and install Apache Tomcat version 8.*.* or above.
/etc/hostsfile and add the following entry.
- Restart you computer.
- Download the saml2-web-app-pickup-dispatch.com.war file and copy it inside the
- Start the tomcat server. Access the PickUp application URL at http://localhost.com:8080/saml2-web-app-pickup-dispatch.com.
- In the WSO2 IS management console, create a new service provider and expand the Inbound Authentication configuration. Select the SAML2 Web SSO configuration section, and click Configure.
- Provide the following details and register.
- Issuer- saml2-web-app-pickup-dispatch.com
- Assertion Consumer URL- http://localhost.com:8080/saml2-web-app-pickup-dispatch.com/consumer
- In the management console, configure the federated authenticators required. Details on how to configure these can be found here.
- Open the Service Provider you created in step 3 and proceed to the Advanced Configuration. Expand Local & Outbound Authentication Configuration, add identifier-first as the first step and, add all the other federated authenticators and the basic local authenticator as the second step.
Add the following script to Script Based Adaptive Authentication in the Advanced Configuration of the Service Provider. This extracts the domain name from the user name in the first step and uses that particular domain as the authenticator in the second step.