Monday, September 14, 2015

How to add a 2-step authentication flow to WSO2 App Manager

WSO2 App Manager provides a unique one-stop store app management solution where users can pick and choose apps required for them to do their jobs efficiently. Businesses can leverage its single-sign-on (SSO) functionality, which can reduce help desk and administrative costs with no long lists of passwords to memorise. It automatically applies a security layer on top of the web apps published in the store, which eliminates the need to embed security rules at the application layer.

In this article we will discuss how to add a two-step authentication flow at the point where the service provider is registered.

When you create an application in App Manager, it calls the SSOConfigurator class defined in app-manager.xml to create the service provider.
So I implemented a custom class for this: TESTIS500SAMLSSOConfigurator, which implements SSOConfigurator.


Within this class we create the SP and store it. When we create the SP we add two authentication steps:
1. A federated authentication step that redirects users to Dictao to log in.
2. A local authentication step that validates subscriptions and lets the user accept the terms and conditions if they have not already done so.

We have added a few parameters to app-manager.xml to make this configurable. With those, the new configuration looks like the following. You can add more parameters according to your requirements.

        <Configurators>
            <Configurator>
                <name>wso2is</name>
                <version>5.0.0</version>
                <!-- class name of the new SSO configurator class -->
                <providerClass>com.test.identity.sso.configurator.customauth.TESTIS500SAMLSSOConfigurator</providerClass>
                <parameters>
                    <providerURL>https://is.test.com:9447</providerURL>
                    <username>admin</username>
                    <password>admin</password>
                    <!-- IDP name to engage in authentication step 01. You have to create an IDP with this name -->
                    <idpName>IDP1</idpName>
                    <!-- Name of the authenticator used in step 02. This authenticator is another custom implementation -->
                    <idpStepTwo>TEST-customAuthenticator</idpStepTwo>
                    <!-- Authentication mechanism of step one -->
                    <authenticationStep>federated</authenticationStep>
                </parameters>
            </Configurator>
        </Configurators>

The following code block adds the two authentication steps and engages the IDP and the authenticators in the authentication flow. Add it to the TESTIS500SAMLSSOConfigurator class.

    if (idpName != null && authenticationStep != null && authenticationStep.equalsIgnoreCase("federated")) {
        if (log.isDebugEnabled()) {
            log.debug("Adding federated authentication step. Added IDP named: " + idpName);
        }
        // The following code sets the external IDP as the authentication endpoint
        serviceProvider.getLocalAndOutBoundAuthenticationConfig().setAuthenticationType("flow");
        InboundProvisioningConfig inBoundProConfig = new InboundProvisioningConfig();
        inBoundProConfig.setProvisioningUserStore("");
        serviceProvider.setInboundProvisioningConfig(inBoundProConfig);
        serviceProvider.setOutboundProvisioningConfig(new OutboundProvisioningConfig());
        serviceProvider.setRequestPathAuthenticatorConfigs(null);
        AuthenticationStep[] steps = new AuthenticationStep[2];

        // Local authenticator (the custom authenticator named by idpStepTwo) as step 02
        AuthenticationStep localStep = new AuthenticationStep();
        List<LocalAuthenticatorConfig> localAuthList = new ArrayList<LocalAuthenticatorConfig>();
        LocalAuthenticatorConfig localAuth = new LocalAuthenticatorConfig();
        localAuth.setName(idpStepTwo);
        localAuth.setDisplayName(idpStepTwo);
        localAuth.setEnabled(true);
        localAuthList.add(localAuth);
        localStep.setLocalAuthenticatorConfigs(localAuthList.toArray(new LocalAuthenticatorConfig[localAuthList.size()]));
        localStep.setStepOrder(2);

        // Federated authenticator (the IDP named by idpName, using SAML SSO) as step 01
        AuthenticationStep federatedStep = new AuthenticationStep();
        List<IdentityProvider> federatedAuthList = new ArrayList<IdentityProvider>();
        FederatedAuthenticatorConfig federatedAuthenticatorConfig = new FederatedAuthenticatorConfig();
        IdentityProvider identityProvider = new IdentityProvider();
        federatedAuthenticatorConfig.setName("SAMLSSOAuthenticator");
        identityProvider.setIdentityProviderName(idpName);
        identityProvider.setFederatedAuthenticatorConfigs(new FederatedAuthenticatorConfig[]{federatedAuthenticatorConfig});
        identityProvider.setDefaultAuthenticatorConfig(federatedAuthenticatorConfig);
        federatedAuthList.add(identityProvider);
        federatedStep.setFederatedIdentityProviders(federatedAuthList.toArray(new IdentityProvider[federatedAuthList.size()]));
        federatedStep.setStepOrder(1);

        // The federated authenticator is step 01 and the local authenticator is step 02
        steps[0] = federatedStep;
        steps[1] = localStep;
        serviceProvider.setPermissionAndRoleConfig(new PermissionsAndRoleConfig());
        serviceProvider.getLocalAndOutBoundAuthenticationConfig().setAuthenticationSteps(steps);
    }
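The following is an added example, not code from the post or from WSO2: a small hypothetical helper class, TwoStepFlowBuilder, that reads the three flow parameters (idpName, idpStepTwo, authenticationStep) from the Configurator's parameter map, builds the same two steps as the block above, and validates the result before the service provider is sent to the Identity Server. It assumes the IS 5.0.0 application-management model classes are on the classpath (the package name org.wso2.carbon.identity.application.common.model.xsd is an assumption) and that the configurator receives its parameters as a Map<String, String>. It deliberately reads only the flow parameters; the providerURL, username and password from the same block stay with the configurator's own connection handling.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumption: the IS 5.0.0 application-management model classes that the configurator
// sends to the Identity Server admin service (package name assumed).
import org.wso2.carbon.identity.application.common.model.xsd.AuthenticationStep;
import org.wso2.carbon.identity.application.common.model.xsd.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.xsd.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.xsd.LocalAuthenticatorConfig;

/**
 * Hypothetical helper, not part of the post's TESTIS500SAMLSSOConfigurator: reads the flow
 * parameters from the Configurator <parameters> block, builds the two steps, and
 * sanity-checks them before the service provider is registered.
 */
public final class TwoStepFlowBuilder {

    // Parameter names exactly as they appear in app-manager.xml on the page.
    static final String PARAM_IDP_NAME = "idpName";
    static final String PARAM_IDP_STEP_TWO = "idpStepTwo";
    static final String PARAM_AUTH_STEP = "authenticationStep";

    private final String idpName;
    private final String localAuthenticatorName;

    private TwoStepFlowBuilder(String idpName, String localAuthenticatorName) {
        this.idpName = idpName;
        this.localAuthenticatorName = localAuthenticatorName;
    }

    /** Fail fast on a misconfigured Configurator instead of registering a half-built SP. */
    public static TwoStepFlowBuilder fromParameters(Map<String, String> params) {
        String mode = params.get(PARAM_AUTH_STEP);
        if (mode == null || !"federated".equalsIgnoreCase(mode.trim())) {
            throw new IllegalArgumentException(PARAM_AUTH_STEP + " must be 'federated' for a two-step flow");
        }
        return new TwoStepFlowBuilder(required(params, PARAM_IDP_NAME), required(params, PARAM_IDP_STEP_TWO));
    }

    private static String required(Map<String, String> params, String key) {
        String value = params.get(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("Missing Configurator parameter: " + key);
        }
        return value.trim();
    }

    /** Step 1: the federated IdP via SAML SSO; step 2: the custom local authenticator. */
    public AuthenticationStep[] buildSteps() {
        FederatedAuthenticatorConfig saml = new FederatedAuthenticatorConfig();
        saml.setName("SAMLSSOAuthenticator");
        IdentityProvider idp = new IdentityProvider();
        idp.setIdentityProviderName(idpName);
        idp.setFederatedAuthenticatorConfigs(new FederatedAuthenticatorConfig[]{saml});
        idp.setDefaultAuthenticatorConfig(saml);

        AuthenticationStep federatedStep = new AuthenticationStep();
        federatedStep.setStepOrder(1);
        federatedStep.setFederatedIdentityProviders(new IdentityProvider[]{idp});

        LocalAuthenticatorConfig local = new LocalAuthenticatorConfig();
        local.setName(localAuthenticatorName);
        local.setDisplayName(localAuthenticatorName);
        local.setEnabled(true);

        AuthenticationStep localStep = new AuthenticationStep();
        localStep.setStepOrder(2);
        localStep.setLocalAuthenticatorConfigs(new LocalAuthenticatorConfig[]{local});

        return new AuthenticationStep[]{federatedStep, localStep};
    }

    /** Returns the problems found; an empty list means the flow is safe to register. */
    public static List<String> validate(AuthenticationStep[] steps) {
        List<String> problems = new ArrayList<String>();
        if (steps == null || steps.length != 2) {
            problems.add("expected exactly two authentication steps");
            return problems;
        }
        for (int i = 0; i < steps.length; i++) {
            if (steps[i].getStepOrder() != i + 1) {
                problems.add("step at index " + i + " has order " + steps[i].getStepOrder());
            }
        }
        IdentityProvider[] idps = steps[0].getFederatedIdentityProviders();
        if (idps == null || idps.length == 0 || idps[0].getIdentityProviderName() == null) {
            problems.add("step 1 has no federated identity provider");
        }
        LocalAuthenticatorConfig[] locals = steps[1].getLocalAuthenticatorConfigs();
        if (locals == null || locals.length == 0 || locals[0].getName() == null) {
            problems.add("step 2 has no local authenticator");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: the same parameter values as the app-manager.xml on the page.
        Map<String, String> params = new HashMap<String, String>();
        params.put(PARAM_IDP_NAME, "IDP1");
        params.put(PARAM_IDP_STEP_TWO, "TEST-customAuthenticator");
        params.put(PARAM_AUTH_STEP, "federated");

        AuthenticationStep[] steps = fromParameters(params).buildSteps();
        List<String> problems = validate(steps);
        System.out.println(problems.isEmpty() ? "flow OK: " + steps.length + " steps" : "flow rejected: " + problems);
    }
}
```

Calling validate() before serviceProvider.getLocalAndOutBoundAuthenticationConfig().setAuthenticationSteps(steps) means a missing idpName or idpStepTwo is reported at application creation time, rather than showing up later as a service provider whose step 02 (subscription and terms check) silently has no authenticator.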


       
      
Then, once you create an application, it automatically registers the service provider with two-step authentication.
When you open the service provider in the Identity Server user interface, you will see the two authentication steps configured.



Complete source code:

https://drive.google.com/file/d/0B3OmQJfm2Ft8LW9TeE5JRW1HU2M/view?usp=sharing
