WSO2 Identity Server Q&A: Episode 1

Answering the most common questions about WSO2 Identity Server by its users

How to configure MFA and/or adaptive authentication for a group of service providers, instead of at an individual service provider level?

Configuring MFA and/or adaptive authentication for a group of service providers is not possible with WSO2 Identity Server as of version 5.11.0; the authentication sequence is always configured per service provider.

However, configuring MFA on a global (tenant) level is possible by editing the ‘default’ authentication sequence in:

<IS_HOME>/repository/conf/identity/service-providers/default.xml

Every service provider whose ‘Local and Outbound Authentication’ configuration is set to ‘Default’ then uses this sequence, so adding an MFA step to default.xml applies it to all of them at once. Service providers that have their own sequence configured are not affected.

How to configure what MFA methods are made available for a specific user?

Restricting the MFA methods available to a specific user is not an out-of-the-box feature of WSO2 Identity Server as of its latest version, 5.11.0.

However, the scenario can be implemented with adaptive authentication as follows:

  1. Store the MFA methods available to a user as an attribute (claim) in the user’s profile. Who decides the available methods, and how, is beyond the scope of WSO2 Identity Server; do mark the claim read-only for the user, otherwise the user can edit it in the ‘My Account’ portal and downgrade their own policy.
  2. Design the log-in journey of the service provider with all possible MFA options in the MFA step.
  3. During a user’s log-in journey, read that attribute after the first step and pass only the permitted authenticators to the MFA step, so only those options are rendered to that user. Decide explicitly what happens when the attribute is empty: falling back to every configured option silently widens the policy, whereas failing the flow keeps it closed.

Which points in the user’s lifecycle can the user enrol for MFA? Can MFA enrolment be forced at any point?

A user typically registers for MFA at one of three points in the user’s lifecycle:

  1. Onboarding
  2. During log-in
  3. At any point through the user portal

If MFA enrolment needs to be forced for a user, it can be forced either at onboarding or during log-in (typically the first log-in).

Email-OTP and SMS-OTP enrolment coincide with email address verification and mobile number verification, which WSO2 Identity Server 5.11.0 already supports during onboarding and through the user portal. Out of the box, onboarding can verify either the email address or the mobile number; mandating both requires a little customization, as does verifying the email address and/or mobile number during log-in.

WSO2 Identity Server currently supports no other MFA method, e.g. TOTP or FIDO2, for enrolment during onboarding. For these you are left with enrolment during log-in or through the user portal, and if enrolment needs to be forced it can only be done during log-in.

How to configure MFA for the ‘My Account’ portal?

The ‘My Account’ portal comes pre-registered as an OpenID Connect service provider named ‘My Account’, and you are free to reconfigure the authentication sequence of that service provider from the management console as you would for any other application.

How to enforce elevated authentication for changing a credential or MFA settings?

This has to be designed as an elevated (step-up) authentication: the service provider application requests a higher ‘acr’ value (the acr_values parameter of the OpenID Connect authentication request), and the authentication sequence of that service provider maps the requested value to a stronger sequence, for example by adding an MFA step. The application should then check the ‘acr’ claim returned in the ID token before it allows the credential or MFA settings change, rather than trust that the stronger sequence ran.

If this needs to be implemented in the ‘My Account’ portal, the portal itself needs customization to request the elevated authentication from the resident identity provider.

If a user has problems with MFA, how can a help-desk administrator support the user?

Option 1

Use multi-option authentication in the MFA step so that the user always has an alternative method of authenticating.

Option 2

Use backup codes for SMS or email.

How to avoid showing “carbon.super” in TOTP authenticator apps?

The ‘@carbon.super’ suffix is the super-tenant domain that is appended to the username in the account label of the TOTP enrolment. This is a known limitation in WSO2 Identity Server and the issue is currently being tracked here.

How to control which applications a user can access?

This can be accomplished with role-based access control (RBAC): a user is allowed into an application only if they hold a role that the application requires.

There are two ways of achieving this in WSO2 Identity Server.

  1. XACML based access control [1,2]
  2. Adaptive authentication with Roles [3,4]

[1] https://is.docs.wso2.com/en/latest/learn/configuring-access-control-policy-for-a-service-provider/

[2] https://www.yenlo.com/blogs/enforce-authorization-for-service-provider-with-wso2-identity-server/

[3] https://is.docs.wso2.com/en/latest/learn/configuring-role-based-adaptive-authentication/

[4] https://www.youtube.com/watch?v=ZaoVsI6yj0Y
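Three of the answers above rely on the same mechanism, an adaptive authentication script: rendering only the MFA methods a user’s profile allows, requesting a higher ‘acr’ for credential or MFA settings changes, and role-based application access. The script below brings them together. It is an added example, not code from the original post or from WSO2; the role name, claim URI, ACR value, error page and authenticator names are assumptions that have to be aligned with your deployment. The offline harness at the bottom is constructed so the file also runs under Node: it installs fakes for executeStep, hasRole, sendError and Log only when the real engine functions are absent.

```javascript
// WSO2 Identity Server 5.11.0 adaptive authentication script. The server-side engine is Nashorn,
// so this stays ES5 (var, function, no arrows). Added example, not code from the original post or
// from WSO2; every value marked "assumed" has to be aligned with your own deployment.

var APP_ROLE = 'Internal/payroll-user';                              // assumed role that grants access to this application
var MFA_METHODS_CLAIM = 'http://wso2.org/claims/allowedMfaMethods';  // assumed custom local claim, value like "totp,sms"
var STEP_UP_ACR = 'urn:example:acr:mfa';                             // assumed ACR the app sends in acr_values before sensitive actions
var ERROR_PAGE = '/authenticationendpoint/retry.do';                 // assumed error page to redirect to when the flow must stop

// Claim tokens -> authenticator names as registered in IS (assumed; check your Local Authenticators list).
var AUTHENTICATOR_BY_METHOD = { totp: 'totp', email: 'EmailOTP', sms: 'SMSOTP', fido: 'FIDOAuthenticator' };

// Turns the claim value ("totp, SMS") into executeStep authenticationOptions. Unknown tokens are dropped
// and a missing claim yields [], so the caller can fail closed instead of showing every configured method.
function selectMfaOptions(claimValue) {
    var options = [];
    if (claimValue === null || claimValue === undefined) { return options; }
    var tokens = String(claimValue).split(',');
    for (var i = 0; i < tokens.length; i++) {
        var name = AUTHENTICATOR_BY_METHOD[tokens[i].trim().toLowerCase()];
        if (name) { options.push({ authenticator: name }); }
    }
    return options;
}

// context.requestedAcr holds the acr_values of the request (a JS array here, a Java list on the
// server; indexOf works on both).
function requiresStepUp(requestedAcr) {
    return !!requestedAcr && requestedAcr.indexOf(STEP_UP_ACR) > -1;
}

var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;
            // 1. RBAC: only users holding APP_ROLE may reach the application at all.
            if (!hasRole(user, APP_ROLE)) {
                Log.warn('User ' + user.username + ' is not entitled to this application');
                sendError(ERROR_PAGE, { status: 'Unauthorized', statusMsg: 'You are not entitled to this application.' });
                return;
            }
            // 2. Step-up only when the application asked for it; the password alone satisfies other requests.
            if (!requiresStepUp(context.requestedAcr)) { return; }
            // 3. Offer only the MFA methods this user's profile allows; no allowed method means no access.
            var options = selectMfaOptions(user.localClaims[MFA_METHODS_CLAIM]);
            if (options.length === 0) {
                Log.warn('Step-up requested but no MFA method is enabled for ' + user.username);
                sendError(ERROR_PAGE, { status: 'Unauthorized', statusMsg: 'Step-up authentication is not available for this account.' });
                return;
            }
            context.selectedAcr = STEP_UP_ACR; // returned to the app in the id_token 'acr' claim, which it should verify
            executeStep(2, { authenticationOptions: options }, {});
        }
    });
};

// ---- Offline harness, constructed for this example so the file also runs under Node. -------------
// The real engine supplies executeStep, hasRole, sendError and Log; fakes are installed only when those
// are absent, so the block can be pasted into the console script editor unchanged (or with this part cut).
var harnessCalls = [];      // what the fake engine was asked to do, in order
var harnessContext = null;  // context handed to onSuccess callbacks
(function (g) {
    if (typeof g.executeStep === 'function') { return; }
    g.Log = { info: function () {}, warn: function () {} };
    g.hasRole = function (user, role) { return user.roles.indexOf(role) > -1; };
    g.sendError = function (url, params) { harnessCalls.push({ error: params.status }); };
    g.executeStep = function (stepId, a, b) {
        var callbacks = (b === undefined) ? a : b;   // executeStep(step, callbacks) or executeStep(step, options, callbacks)
        var options = (b === undefined) ? {} : a;
        harnessCalls.push({ step: stepId, options: options.authenticationOptions || null });
        if (callbacks && callbacks.onSuccess) { callbacks.onSuccess(harnessContext); }
    };
})(typeof globalThis !== 'undefined' ? globalThis : this);

// Runs one login against a constructed context and returns the recorded engine calls.
function simulateLogin(context) {
    harnessCalls = [];
    harnessContext = context;
    onLoginRequest(context);
    return harnessCalls;
}

// Constructed context: what IS hands to onSuccess once the user has passed step 1.
function sampleContext(acrValues, allowedMethods, roles) {
    var claims = {};
    claims[MFA_METHODS_CLAIM] = allowedMethods;
    return { requestedAcr: acrValues, currentKnownSubject: { username: 'alice', roles: roles, localClaims: claims } };
}
```

To deploy it, paste the script into the script editor under the service provider’s ‘Local and Outbound Authentication’ > ‘Advanced Configuration’, configure step 2 with every authenticator named in AUTHENTICATOR_BY_METHOD (authenticationOptions can only pick from what the step already contains), and have the application send acr_values=urn:example:acr:mfa before a credential or MFA settings change. Two deliberate choices: a user whose claim is empty is refused step-up rather than shown all methods, and access control is done before the step-up decision so an unentitled user never sees the MFA step.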

What can be customized in WSO2 Identity Server and how do customizations work? What can be customized in the management console and what kind of customizations need to be done in the code?

As of WSO2 Identity Server version 5.11.0 there are 3 levels of customization users can do.

  1. Adaptive authentication (adaptive access control)
  2. UI customizations (see also customizing error messages and customizing the management console)
  3. Backend customizations

Adaptive authentication is a programmatic way of customizing the default log-in journey of a service provider. The customization is a JavaScript script written in the script editor of the service provider’s ‘Local and Outbound Authentication’ configuration in the management console, and it runs server-side. Adaptive authentication comes with a standard set of JavaScript functions (e.g. executeStep, hasRole, sendError). If you need custom functions to achieve your use case you can add them as well, through a backend extension.

UI customizations depend on the exact portal you are trying to customize. The log-in portal and account recovery portal use JSP/Servlets, and their error messages can also be customized. The ‘My Account’ portal uses React.js. The branding and look and feel of the management console can also be customized.

Backend customizations are done primarily in Java. They are needed either to add new or improved functionality to the product or to extend the standard functionality to meet your business needs. Since these customizations are predominantly built as plug-ins against the extension points of the core product, they do not interfere with patching or upgrading the core product.

Can the ‘My Account’ portal be internationalized or localized?

This is supported as of WSO2 Identity Server 5.11.0; the documentation for it is still in progress and is currently being tracked here.

Can the messages and descriptions of the popup notifications appearing on the screen in the ‘My Account’ portal be adjusted?

The popup messages and descriptions can be customized by changing them in the below location.

https://github.com/wso2/identity-apps/blob/master/modules/i18n/src/translations/en-US/portals/user-portal.ts

Can the duration of popup notifications appearing on the screen in the ‘My Account’ portal be adjusted?

Currently this can only be changed in the code, by modifying the ‘dismissInterval’ attribute of the ‘Alert’ component in:

https://github.com/wso2/identity-apps/blob/master/apps/myaccount/src/layouts/inner.tsx#L130

Please note that this is a global setting: the change affects all popup notifications in the ‘My Account’ portal.

IAM Enthusiast, Solutions Architect @ WSO2