Hi,

WSO2 Identity Server currently allows a pre-configured default authentication
sequence, with multi-step or multi-option authentication, that is applied
globally to any service provider.

In the current IS implementation, a file-based SP is treated as the default
SP of IS (<IS_HOME>/repository/conf/identity/service-providers/default.xml).
This default file-based SP was introduced after IS 5.0.0 in order to link
protocol-specific applications to the service provider concept. As a result,
if no SP configuration can be found for an inbound request, the default SP of
IS is used. For an SP configured with the default authentication type, as
follows, the local and outbound authentication configuration of the default
SP of IS is used.



There are several drawbacks in the current approach, considering the
following business use cases.

   1. Capability to have an organization-wide default authentication
   sequence that applies to all the applications in an organization.
   2. In the default authentication, beyond multi-step or multi-option
   authentication, a secure and flexible form of authentication in which
   multiple factors are validated to determine the authenticity of a login
   attempt before access to a resource is granted.
   3. Furthermore, support for modifying the default authentication sequence
   in a user-friendly manner, rather than through the file-based approach.


Considering the above use cases, the suggested approach is to make the
following improvements to the current implementation.

*Tenant specific default authentication sequence*

   - The local and outbound authentication configuration in the default
   file-based SP will be treated as the global default authentication
   sequence.
   - Provide support for tenant-wise default authentication sequences rather
   than only a global sequence, so that the global default authentication
   sequence can be modified and used per tenant.
   - All service providers will support the new tenant-specific default
   authentication chain. If the default authentication type is selected for
   an SP, the tenant-specific default authentication configuration is used if
   it exists; otherwise the global authentication configuration is used.

*Adaptive authentication support for default authentication sequence*

   - Provide the capability to include adaptive authentication scripts in the
   default authentication chain.

*Update default authentication sequence from UI*

   - Rather than managing the file-based default authentication
   configuration, provide the capability to make modifications from the
   management console.
   - Include the capability to update the default authentication
   configuration from the resident IDP UI.
   - The configurations will initially be loaded into the UI from the
   file-based default SP; after a modification, they will be stored as
   resident IDP metadata (i.e. in the IDP_METADATA table).
   - Configuring adaptive authentication scripts from the UI will be more
   user-friendly, since adaptive authentication templates can be referenced
   as well.
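To make the adaptive-script bullet concrete: below is an added example (not part of this proposal or of WSO2's code) of the kind of script that could sit on the default authentication chain, stepping up to a second factor only for users holding a privileged role. The script body uses the `onLoginRequest` / `executeStep` / `hasAnyOfTheRoles` names of the IS adaptive authentication script API as I understand it; the `executeStep` and `hasAnyOfTheRoles` stand-ins, the user directory and `runDefaultSequence` are constructed here purely so the decision logic can be run offline.

```javascript
// ---- constructed stand-in for the IS script engine (NOT WSO2 code) ----
// Constructed user directory: the subject that step 1 would authenticate,
// with the roles the role check consults.
const users = {
  alice: { username: 'alice', roles: ['admin'] },
  bob:   { username: 'bob',   roles: ['employee'] },
};

let trace; // step ids executed for the current login attempt
let ctx;   // the context object handed to the script

// Emulates executeStep(stepId, options): records the step, treats it as
// successful, and exposes the step-1 subject the way the real context does.
function executeStep(stepId, options) {
  trace.push(stepId);
  if (stepId === 1) ctx.steps[1] = { subject: ctx.loginUser };
  if (options && typeof options.onSuccess === 'function') options.onSuccess(ctx);
}

// Emulates hasAnyOfTheRoles(user, roles): true if the user holds any role.
function hasAnyOfTheRoles(user, roles) {
  return roles.some(r => user.roles.includes(r));
}

// ---- the adaptive script attached to the default sequence ----
// Step 1 (basic auth) runs for everyone; step 2 (a second factor configured
// as step 2 of the default chain) runs only for privileged roles.
var privilegedRoles = ['admin', 'finance'];
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.steps[1].subject;
      if (hasAnyOfTheRoles(user, privilegedRoles)) {
        executeStep(2);
      }
    }
  });
};

// Runs the default sequence for a constructed user and returns the ordered
// list of steps that executed, e.g. [1, 2] for a privileged user.
function runDefaultSequence(username) {
  trace = [];
  ctx = { steps: {}, loginUser: users[username] };
  onLoginRequest(ctx);
  return trace;
}
```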


I would really appreciate your suggestions and comments on this approach.

Thanks and regards,
-- 
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc

Architecture mailing list
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture