Authenticate using multiple attributes in WSO2 Identity Server

A user store contains users and, usually, a set of attributes that describe each user and their capabilities. Some of these attributes are unique to the user, such as the uid and the email address.

This makes it natural to let users authenticate with whichever of these attributes they prefer.

For this article we’ll be configuring a WSO2 Identity Server (IS) 5.2.0.

  1. Configuring the user store
  2. Configuring the carbon.xml

Configuring the user store

The built-in default user store of Identity Server is LDAP. We can change its configuration by modifying the user-mgt.xml file found in the <IS_HOME>/repository/conf directory.

Modify the property “UserNameSearchFilter” to accommodate both the uid and the email. The modified UserNameSearchFilter would be similar to the following configuration.

If the property “UserDNPattern” has been enabled (which is not the default setting), please make sure to disable it.

In order to use multiple attributes for authentication, add the following property to the user store configuration, which in this case is the LDAP user store.

Configuring the carbon.xml

Since the user's email address will be used for authentication, email authentication must be enabled.

Note: Refer to Enabling email authentication with WSO2 Identity Server for how to configure email as the username.

Once the above configurations are in place, restart Identity Server by running the following script found in <IS_HOME>/bin/.
Linux: sh wso2server.sh
Windows: wso2server.bat
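As an added example (not configuration taken from the original article or from the shipped WSO2 files), this is how the relevant parts of the two files could look once the steps above are applied. The search base, the object class and the `mail` attribute name are assumptions and must match your directory schema.

```xml
<!-- <IS_HOME>/repository/conf/user-mgt.xml : LDAP user store section (excerpt).
     Search base and object class are assumed; adjust them to your directory. -->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
    <Property name="UserNameAttribute">uid</Property>
    <!-- Match the login name against either uid or mail. Both attributes must be
         unique across the store, otherwise one login name could resolve to more
         than one entry and the login will fail (or, worse, be ambiguous). -->
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(|(uid=?)(mail=?)))</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <!-- Leave UserDNPattern commented out: a DN pattern builds the user DN from the
         login name directly, so the search filter above would never be used. -->
    <!-- <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property> -->
    <!-- Tell the user store manager that more than one attribute identifies a user. -->
    <Property name="MultipleAttributeEnable">true</Property>
</UserStoreManager>

<!-- <IS_HOME>/repository/conf/carbon.xml : accept an email address as the login
     name (the username regex in user-mgt.xml must also allow '@'; see the linked
     article on email authentication). -->
<EnableEmailUserName>true</EnableEmailUserName>
```

After restarting, a sign-in with either value is answered by the same LDAP search, so the two logins described in the next step should land on the same user entry.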

To test the configuration, sign in to the Management Console twice: once with the email address and once with the username (uid), using the same password.

There you have it. We’ve got ourselves an Identity Server which allows authentication using the email and the uid :)

Common issues faced when authentication using multiple attributes is enabled:

  1. Failing to add a service provider

References: