Multi-Factor Authentication and Adaptive Authentication using WSO2 Identity and Access Management System

WSO2 Identity and Access Management System (WSO2 IAM)

Krishni Andradi
WSO2 Solution Architecture Team Blog
6 min read · Oct 11, 2019


WSO2 IAM is a flexible, fully open source identity and access management system that provides single sign-on (SSO), multi-factor authentication, access control, inbound and outbound provisioning, and more.

I say it is a flexible product because of its componentized architecture, which lets users easily extend or rewrite any component to suit their needs.

Authentication Sequence, Step and Option

Authentication sequence

The full process of authentication between two parties (in our case, between the user and the service provider) is known as the authentication sequence. A sequence may contain multiple authentication steps or only one.

Authentication step

An authentication step is a single factor in the authentication. All steps in a sequence must succeed for the sequence to succeed.

Authentication Option

An authentication step may contain multiple authentication options; only one option needs to succeed for the step to succeed.
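The two rules above (every step must succeed, any one option per step is enough) are easy to get backwards when reading a console screenshot, so here they are as a small executable model. This is an added example with constructed names; it is not WSO2 code and does not use the WSO2 IS API, it only encodes the step/option semantics the text describes.

```javascript
// Constructed model of the three concepts above (illustrative names, not the
// WSO2 IS API): a sequence is an ordered list of steps, and each step lists the
// authenticator options configured for it.
var sequence = [
  { step: 1, options: ['basic'] },               // one local authenticator
  { step: 2, options: ['sms-otp', 'email-otp'] } // two federated options
];

// outcomes: authenticator name -> true/false, as each authenticator reported it.
function stepSucceeded(step, outcomes) {
  // Option semantics: ONE successful option is enough for the step.
  return step.options.some(function (name) { return outcomes[name] === true; });
}

function sequenceSucceeded(seq, outcomes) {
  // Step semantics: EVERY step must succeed; evaluation stops at the first
  // failing step, which is why later authenticators never run after a failure.
  for (var i = 0; i < seq.length; i++) {
    if (!stepSucceeded(seq[i], outcomes)) {
      return { ok: false, failedStep: seq[i].step };
    }
  }
  return { ok: true, failedStep: null };
}

// Constructed outcomes: password correct, SMS OTP wrong, email OTP correct.
// Step 2 still succeeds because one of its options did.
console.log(sequenceSucceeded(sequence, { basic: true, 'sms-otp': false, 'email-otp': true }));
```

Swap the outcomes around (for example, mark `basic` as false) and the sequence fails at step 1 regardless of what the second step's options report, which is exactly the behaviour you see in the console: a wrong password never reaches the OTP prompt.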

Multi-factor authentication vs Adaptive authentication

Multi-factor authentication

In simple words, multi-factor authentication means using multiple factors (multiple steps) to authenticate between two parties.

Adaptive authentication

Adaptive authentication means using a different number of factors/steps in the authentication sequence depending on the use case or the environment.

Suppose you have a banking application and you want to view your balance. The balance is confidential, but viewing it does not need the security of unlocking too many steps. If you are doing a fund transfer, however, you don't mind going through several authentication steps.

In this scenario we can use adaptive authentication, so that the number of authentication factors differs depending on the use case.

For example, you only have to provide a username and password to view the balance, whereas you need username-password authentication and an SMS OTP to do a fund transfer.

Adaptive authentication means implementing such conditional scenarios.

Local authenticators vs Federated authenticators

A local authenticator is an authentication factor that WSO2 IAM can validate by itself, whereas a federated authenticator is an authentication factor that is validated against an external system.

Defining authentication sequence in WSO2 IAM

Accessing management console

Log in to the IAM management console. When you have a running IAM instance, you also have a management console that can be accessed at the URL below.

https://<hostname>:9443+<port_offset>/carbon/admin/login.jsp

For example, below is my management console URL.

https://localhost:9443/carbon/admin/login.jsp

You can log in to the management console with the default admin credentials:

Username: admin

Password: admin

Deploying a sample application

This is the application that WSO2 Identity Server secures. In this scenario it is the service provider.

Download and install Apache Tomcat if you don't have a Tomcat installation.

Download the Travelocity app sample as mentioned here.

Build it as a Maven application using the command below.

mvn clean install

Deploy the .war file from the target directory to the <TOMCAT_HOME>/webapps folder.

Start the Tomcat server.

Refer here for more information.

Because we are providing authentication between the user and the service provider, the authentication steps need to be configured on the service provider.

Implementing multi-factor authentication

Let's take an example. I am going to protect my application with password authentication first and then SMS OTP authentication.

Password authentication is a local authenticator that is validated against WSO2 IAM, whereas SMS OTP is a federated authenticator, which means it needs an external identity provider to do the authentication.

So the following steps need to be done:

  1. Configure identity providers for all the federated authenticators. In this case, we need to configure an identity provider for the SMS API. (If you are not using federated authenticators, there is no need to configure identity providers.)
  2. Configure the service provider.
  3. Add authentication steps to the service provider.

Configure SMS API

In this example I am using Nexmo as the SMS provider. First, sign up using your mobile number and get an app key and secret. You will need this app key and secret when configuring the identity provider.

Configure Identity Provider to use SMS API

  1. Go to the management console and add an identity provider by clicking Main > Identity Providers > Add.
  2. Give a name for the identity provider (e.g. Sms_Otp_Provider) under the Basic Information section.
  3. Go to Federated Authenticators > SMS OTP Configuration.
  4. Enable the SMS OTP configuration and make it the default by ticking the Enable and Default checkboxes.
  5. Specify the other SMS OTP configuration values according to your SMS API provider. Since our SMS API provider is Nexmo, I have to specify the HTTP method and the SMS URL.

Here my HTTP method is POST, and I generated the SMS URL as below by filling in the app key and app secret obtained earlier:

https://rest.nexmo.com/sms/json?api_key=<API_KEY>&api_secret=<API_SECRET>&from=NEXMO&to=$ctx.num&text=$ctx.msg

  6. Register the identity provider.

Configure Service Provider

  1. Go to the management console and add a service provider by clicking Main > Service Providers > Add.
  2. Give an appropriate name (e.g. travelocity.com) and register.
  3. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
  4. Give the issuer name and the assertion consumer URL:

issuer: travelocity.com

assertion consumer URL: http://wso2is.local:8080/travelocity.com/home.jsp

The assertion consumer URL is the URL of the service provider.

  5. Check the following checkboxes: Enable Response Signing, Enable Single Logout, Enable Attribute Profile, Include Attributes in the Response Always.

  6. Go to Claim Configuration and set the subject claim to the email address.

  7. Click Update.

Add authentication steps

Edit the above service provider again to add the authentication steps.

  1. Go to Local and Outbound Authentication Configuration > Advanced Configuration > Add Authentication Step. Now you have added an authentication step. As per our scenario, the first authentication step is basic authentication, which is a local authenticator.
  2. So under Step 1, Local Authenticators, select basic and click Add Authenticator.
  3. Add another authentication step. This one is for SMS OTP, which is a federated authenticator. So under Step 2, Federated Authenticators, select Sms_Otp_Provider (or whatever identity provider you defined) and then click Add Authenticator.
  4. Click Update.

Test

Add a user and register him to the service provider domain when assigning roles. Give him the email address (the subject claim you provided when creating the service provider) of an existing user of the service provider.

The service provider identifies the user by the subject claim, so there must be a user with the same email address in both the SP and IAM.

  1. Create the user: click Main > Users and Roles > Add, specify a username and password, and go to the next step. Assign the roles admin and Application/Travelocity.com, then click Finish.
  2. Go to the user profile, edit the first name and email address, and click Update.

Now go to the assertion consumer URL of the service provider:

http://wso2is.local:8080/travelocity.com/home.jsp

Click on Login with SAML (Redirect binding) from the WSO2 Identity Server.

Proceed with the authentication process by providing the username and password and then the SMS OTP.

You have now successfully set up multi-factor authentication using two steps.

Refer to the link below for the full example in the WSO2 documentation: https://docs.wso2.com/display/IS550/Configuring+SMS+OTP#ConfiguringSMSOTP-Configuringtheidentityprovider

Implementing Adaptive Authentication

Now let's say you want to add an additional authentication step depending on the user's role. For example, a user with the manager role only has to go through basic authentication, while an intern has to go through basic authentication and SMS OTP.

In this case, the Configure SMS API, Configure Identity Provider and Configure Service Provider steps do not change.

In the Add authentication steps section, after adding the authentication steps, click on Script-based authentication.

Then edit the script in JavaScript according to your conditions.

For the above scenario, you can edit it as follows:
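As an added example (not the author's script and not WSO2 code), the following shows a role-based script in the form WSO2 IS accepts for this scenario, together with a small offline stand-in for the IS script runtime so the decision logic can be exercised without a server. Assumptions: the entry point is named onLoginRequest (IS 5.7 and later; IS 5.5 used onInitialRequest), executeStep, hasAnyOfTheRoles and context.currentKnownSubject are supplied by the IS runtime, and the stand-in only models the success path (a real server stops the sequence when a step fails). The role names intern and manager are the ones from the scenario.

```javascript
// Role-based adaptive authentication script, in the form WSO2 IS accepts.
// Assumptions: entry point onLoginRequest (IS 5.7+; IS 5.5 used onInitialRequest);
// executeStep, hasAnyOfTheRoles and context.currentKnownSubject come from the IS runtime.
var rolesToStepUp = ['intern'];

var onLoginRequest = function (context) {
  // Step 1: basic (username/password) authentication for everyone.
  executeStep(1, {
    onSuccess: function (context) {
      // The subject is only known once step 1 has succeeded.
      var user = context.currentKnownSubject;
      // Step 2 (SMS OTP) only for interns; managers finish after step 1.
      if (hasAnyOfTheRoles(user, rolesToStepUp)) {
        executeStep(2);
      }
    }
  });
};

// ---- Offline stand-in for the IS script runtime (my construction, not WSO2
// code). It records which steps the policy asks for and, as IS would after a
// successful authenticator, invokes the onSuccess callback. ----
function stepsExecutedFor(userRoles) {
  var executed = [];
  var ctx = { currentKnownSubject: { roles: userRoles } };
  globalThis.executeStep = function (step, options) {
    executed.push(step);
    if (options && typeof options.onSuccess === 'function') {
      options.onSuccess(ctx);
    }
  };
  globalThis.hasAnyOfTheRoles = function (user, roles) {
    return roles.some(function (r) { return user.roles.indexOf(r) !== -1; });
  };
  onLoginRequest(ctx);
  return executed;
}

// Constructed sample users matching the scenario in the text.
console.log('intern  ->', stepsExecutedFor(['intern']).join(' -> '));  // 1 -> 2
console.log('manager ->', stepsExecutedFor(['manager']).join(' -> ')); // 1
```

The step numbers in the script refer to the steps you added in the console (1 = basic, 2 = the SMS OTP identity provider), so the script and the step list must be kept in sync when you reorder or add steps. Keeping the step-up roles in a list at the top makes the policy easy to review: anyone reading the service provider configuration can see at a glance which roles get the second factor.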

Click Update.

Test

Create roles called intern and manager. Now create two users, one with the manager role and the other with the intern role. Make sure to edit their profiles to specify a mobile number and an email address. The mobile number must be registered with the SMS API provider. You can use the same mobile number and email address for both users when testing.

Now try to log in as the intern user. You will get both the password and SMS OTP authentication steps, whereas the manager user only has to go through password authentication.

Click here to refer to the full example in the WSO2 documentation.

Summary

In this article I demonstrated how to implement multi-factor authentication using two factors, and adaptive authentication on top of it. You can specify any number of factors, any federated authenticators, any SMS API provider, and any adaptive authentication conditions according to your requirements.

Please refer to the WSO2 IAM documentation for more information: https://docs.wso2.com/display/IS580

Thank You

Happy Coding :)
