This documentation is for WSO2 Identity Server 5.8.0 . View documentation for the latest release.

All docs This doc
Skip to end of metadata
Go to start of metadata

The identifier-first login enables identifying the individuals prior to authenticating them. It is used to get the identity of the user without using authentication information, and use that identity to control the authentication flow.

The identifier-first flow handler is shipped with the product itself from IS 5.7.0 onwards.

Configuring Identifier-first handler in the login flow

This handler can be configured at any step in the authentication flow. However, it is not an authenticator by itself and needs to be configured along with another authenticator in order for the authentication process to be successful.

  1. The application-authentication.xml file in IS_HOME/repository/conf/identity/ has the parameter, ValidateUsername within the IdentifierExecutor configuration. If you want your username validated first, the value of this parameter should be changed to true.

    <AuthenticatorConfig name=”IdentifierExecutor” enabled=”true”>
           <Parameter name=”ValidateUsername”>false</Parameter>
  2. Log in to the WSO2 IS management console. Select a Service Provider (For details on how to create a new service provider, click here) and expand the Local & Outbound Authentication Configuration section. Click Advanced Configuration and add the identifier-first as one of the steps as shown below. 

Let's try this out for a scenario!

Suppose the admin wants the user who attempts to log in, to be authenticated by a federated authenticator that is chosen based on the domain name specified. Let's also assume that the user has opted to validate the identity before proceeding to authenticate the user. 

Follow the steps given below to accomplish this. 

Before you begin

  1. Install WSO2 IS 5.7.0 by downloading the installer
  2. Navigate to <PRODUCT_HOME>/repository/conf and open the carbon.xml file. Uncomment the EnableEmailUserName configuration to enable email authentication. By doing this, we are configuring WSO2 IS to use the email as the username.

  3. Download and install Apache Tomcat version 8.*.* or above.
  4. Open the /etc/hosts file and add the following entry.
  5. Restart you computer.
  1. Download the  file and copy it inside the  <TOMCAT_HOME>/webapps  directory.
  2. Start the tomcat server.  Access the PickUp application URL at
  3. In the WSO2 IS management console, create a new service provider and expand the Inbound Authentication configuration. Select the SAML2 Web SSO configuration section, and click Configure.
  4. Provide the following details and register.
  5. In the management console, configure the federated authenticators required. Details on how to configure these can be found here.  
  6. Open the Service Provider you created in step 3 and proceed to the Advanced Configuration. Expand  Local & Outbound Authentication Configuration, add identifier-first as the first step and, add all the other federated authenticators and the basic local authenticator as the second step.  

  7. Add the following script to Script Based Adaptive Authentication in the Advanced Configuration of the Service Provider. This extracts the domain name from the user name in the first step and uses that particular domain as the authenticator in the second step. 

    var federatedDomains = ['', '', ''];
    function onLoginRequest(context) {
     executeStep(1, {
        onSuccess: function (context) {
           var username = context.steps[1].subject.username;
           var indexOfLastAt = username.lastIndexOf("@");
           var domain = username.substring(indexOfLastAt + 1);
           if (federatedDomains.indexOf(domain) >= 0) {
              executeStep(2,{authenticationOptions:[{idp:domain}]}, {});
           } else {
              executeStep(2,{authenticationOptions [{authenticator:'basic'}]} , {});

  • No labels