Configuring MFA for File-based SP in WSO2 Identity Server

Sajith Ekanayaka
2 min read · Nov 5, 2018


Please read the following two documents to understand the basics of Multifactor Authentication (MFA) and of file-based Service Provider (SP) and Identity Provider (IdP) configuration in WSO2 Identity Server.

Now let’s look at what we need to know when enabling MFA with file-based service providers, which are stored in the directory <IS_HOME>/repository/conf/identity/service-providers.

The authentication steps are defined with <AuthenticationStep> elements inside the <AuthenticationSteps> element of the service provider configuration file.

<AuthenticationStep>

The following example shows how to define an <AuthenticationStep>.

<AuthenticationStep>
    <StepOrder>1</StepOrder>
    <!-- either a <LocalAuthenticatorConfigs> block or a <FederatedIdentityProviders> block goes here -->
    <SubjectStep>true</SubjectStep>
    <AttributeStep>true</AttributeStep>
</AuthenticationStep>

<StepOrder> indicates the order in which the authentication steps take place. It starts at 1, and the <StepOrder> of each subsequent step must follow in sequence without skipping any numbers.

<SubjectStep>true</SubjectStep>

The <SubjectStep> element defines whether the subject identifier is taken from this step. With multiple steps, only one step can be the subject step.

<AttributeStep>true</AttributeStep>

The <AttributeStep> element defines whether attributes are taken from this step. With multiple steps, only one step can be the attribute step.

<LocalAuthenticatorConfigs> and <FederatedIdentityProviders>
The following block defines local basic authentication for a given authentication step (it goes inside the <AuthenticationStep> element).

<LocalAuthenticatorConfigs>
    <LocalAuthenticatorConfig>
        <Name>BasicAuthenticator</Name>
        <DisplayName>basicauth</DisplayName>
        <IsEnabled>true</IsEnabled>
    </LocalAuthenticatorConfig>
</LocalAuthenticatorConfigs>

To add federated authenticators to an authentication step, add the following block to your <AuthenticationStep> element.

<FederatedIdentityProviders>
    <IdentityProvider>
        <IdentityProviderName>FederatedIdP1</IdentityProviderName>
        <IsEnabled>true</IsEnabled>
        <DefaultAuthenticatorConfig>
            <FederatedAuthenticatorConfig>
                <Name>SAMLSSOAuthenticator</Name>
                <IsEnabled>true</IsEnabled>
            </FederatedAuthenticatorConfig>
        </DefaultAuthenticatorConfig>
    </IdentityProvider>
</FederatedIdentityProviders>

Here, <IdentityProviderName> is the name of the identity provider as defined in the identity provider configuration.

Inside <FederatedAuthenticatorConfig>, the <Name> element gives the name of the federated authenticator. Here I have used the SAML authenticator’s name; substitute the authenticator name you need. Some possible authenticator names are listed below.

  • OAuthRequestPathAuthenticator
  • BasicAuthRequestPathAuthenticator
  • SAMLSSOAuthenticator
  • OpenIDConnectAuthenticator
  • GoogleOIDCAuthenticator
  • MicrosoftWindowsLive
  • FacebookAuthenticator
  • YahooOAuth2Authenticator
  • EmailOTP
  • SMSOTP
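As an added example (not from the post or from WSO2), the following Python check parses an <AuthenticationSteps> fragment and enforces the rules described above: <StepOrder> runs 1, 2, ... without gaps, exactly one step is the subject step and one the attribute step, and every step carries an enabled local or federated authenticator. The embedded two-step fragment is constructed for the example; the IdP name FederatedIdP1 and the EmailOTP authenticator reuse names from the post.

```python
import xml.etree.ElementTree as ET
# Constructed two-step MFA fragment (not from the post): BasicAuthenticator, then EmailOTP via IdP "FederatedIdP1".
SAMPLE_STEPS_XML = """<AuthenticationSteps>
  <AuthenticationStep>
    <StepOrder>1</StepOrder>
    <LocalAuthenticatorConfigs>
      <LocalAuthenticatorConfig>
        <Name>BasicAuthenticator</Name>
        <IsEnabled>true</IsEnabled>
      </LocalAuthenticatorConfig>
    </LocalAuthenticatorConfigs>
    <SubjectStep>true</SubjectStep>
    <AttributeStep>true</AttributeStep>
  </AuthenticationStep>
  <AuthenticationStep>
    <StepOrder>2</StepOrder>
    <FederatedIdentityProviders>
      <IdentityProvider>
        <IdentityProviderName>FederatedIdP1</IdentityProviderName>
        <IsEnabled>true</IsEnabled>
        <DefaultAuthenticatorConfig>
          <FederatedAuthenticatorConfig>
            <Name>EmailOTP</Name>
            <IsEnabled>true</IsEnabled>
          </FederatedAuthenticatorConfig>
        </DefaultAuthenticatorConfig>
      </IdentityProvider>
    </FederatedIdentityProviders>
    <SubjectStep>false</SubjectStep>
    <AttributeStep>false</AttributeStep>
  </AuthenticationStep>
</AuthenticationSteps>"""
def validate_steps(xml_text):
    """Return rule violations for an <AuthenticationSteps> fragment; [] means consistent."""
    problems, orders, subjects, attributes = [], [], 0, 0
    for step in ET.fromstring(xml_text).iter("AuthenticationStep"):
        orders.append(order := int(step.findtext("StepOrder", "0")))
        subjects += step.findtext("SubjectStep", "false").strip() == "true"
        attributes += step.findtext("AttributeStep", "false").strip() == "true"
        # Each step needs at least one enabled local or federated authenticator.
        if not any(cfg.findtext("IsEnabled", "").strip() == "true"
                   for tag in ("LocalAuthenticatorConfig", "FederatedAuthenticatorConfig")
                   for cfg in step.iter(tag)):
            problems.append(f"step {order}: no enabled authenticator")
    if sorted(orders) != list(range(1, len(orders) + 1)):  # 1, 2, 3 ... with no gaps
        problems.append(f"step orders {orders} must run 1..{len(orders)} without gaps")
    for count, name in ((subjects, "subject"), (attributes, "attribute")):
        if count != 1:
            problems.append(f"{count} {name} steps (exactly one required)")
    return problems
```

Running validate_steps over the real service-provider files in <IS_HOME>/repository/conf/identity/service-providers catches a skipped step number or a second subject step before the server is restarted.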

Please do comment on any issues regarding this ; )
