WSO2 Identity Server & Federated Authenticators

The main purpose of the blog post is to explain about the federated authenticators.

The main functionality of the federated authenticators is to authenticate the user with an external system like Facebook, Google, Yahoo, LinkedIn, Twitter, etc.

The below-given diagram shows the high-level architecture of the WSO2 Identity Server. Let us discuss how the federated authenticators work in the authentication flow.

The user of the service provider attempts to log in to the service provider. The service provider sends an authentication request to the IS. The Inbound authentication component of the IS receives the authentication request from the service provider. The inbound authentication sends the authentication request to in channel of the Authentication Framework. The federated authenticators are decoupled with inbound authenticators. The In-channel of the authentication framework sends the authentication request to Federated authenticators. The federated authenticator performs the authentication process by verifying the authentication request in the specified authenticator.

The authentication request from the federated authenticator reaches the relevant external identity provider and once the authentication process is over and the user is logged in to external IDP the response is sent back to out the channel of the authentication framework.

Each identity provider configuration maintains a claim mapping to map the identity provider’s own set of claims to the Identity Server’s claims. When the response from an external identity provider is received by the response processor component of the federated authenticator, before it hands over the control to the authentication framework, the response processor will create a name/value pair of user claims received in the response from the identity provider. These claims are specific to the to the external identity provider.

Next, we will focus on writing a custom federated authenticator.
Extension points of the WSO2 identity server can be used to create custom federated authenticators. When writing custom federated authenticators two main parts needs to be considered they are:

  1. request builder
  2. response processor

The below given API can be used to implement a custom Federated authenticator for Facebook. Custom federated authenticators can be implemented by extending the AbstractApplicationAuthenticator class and implementing the FederatedApplicationAuthenticator class. The main methods that need to be considered while writing are as follows.

  • public String getName()
  • public String getFriendlyName()
  • public String getContextIdentifier(HttpServletRequest request) — Returns a unique identifier that will map the authentication request and the response. The value returned by the invocation of authentication request and the response should be the same.
  • public boolean canHandle(HttpServletRequest request) - When Facebook sends the authentication response, it sends the parameters OAUTH2_GRANT_TYPE_CODE and OAUTH2_PARAM_STATE in the request. This is a notification to identify that this response can be handled by the authenticator.
  • protected void initiateAuthenticationRequest(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context)
  • protected void processAuthenticationResponse(HttpServletRequest request,HttpServletResponse response, AuthenticationContext context)

To learn more about writing custom federated authenticators you may refer this and for the configuration of federated authentication, you may prefer this.

References

  1. https://medium.com/@isurakarunaratne/wso2-identity-server-high-level-architecture-ee995ae47385
  2. https://docs.wso2.com/display/IS540/Architecture
  3. https://docs.wso2.com/display/IS530/Adding+and+Configuring+an+Identity+Provider

Thank you for reading …

Former Software Engineering intern @ WSO2 | Undergraduate | Computer Science and Engineering | University Of Moratuwa