Configuring Tenant-Based Adaptive Authentication¶
This tutorial demonstrates tenant-based adaptive authentication with WSO2 Identity Server using sample authenticators. This is useful if you want to add security for users logging in from external tenant domains. Using the tenant-based adaptive authentication template, you can allowlist certain tenant domains so that users from the allowlisted domains are prompted to perform an additional level of authentication, while users from any other tenant domain can simply provide their credentials (basic authentication) to access a resource.
Before you begin
- Set up the service provider and sample application for adaptive authentication. For instructions on how to do this, see Configuring a Service Provider for Adaptive Authentication.
- For more information about adaptive authentication with WSO2 Identity Server, see Adaptive Authentication.
Configuring the sample scenario¶
- Log in to the management console.
- Click Add New Tenant under Multitenancy on the Configure tab.
- Enter tenant details as shown below to register a new tenant for the domain " abc.com ".
- Select Demo as the Usage Plan for Tenant and enter user
details for the tenant admin.
Similarly, register a new tenant for the domain "123.com" with a different tenant admin.
Navigate to the Main tab of the management console and click List under Service Providers.
- Edit the saml2-web-app-pickup-dispatch.com service provider and select
Saas application. This enables users from other tenant domains
such as abc.com or 123.com to log in to the application.
- Expand the Local and Outbound Configuration section and click Advanced Authentication.
- Click on Templates on the right side of the Script Based
Conditional Authentication field and then click Tenant-Based.
- Click Ok. The authentication script and authentication steps
are configured. The authentication script prompts the second step of
authentication for users that belong to the tenant domains named "
abc.com" and "
- The second authentication step that is added is
totpis an authentication step that you would normally use in production. To try out this scenario sample authenticators with the sample application, delete the
totpauthenticator and add the following sample authenticator instead.
- Click Delete to remove the
totpauthenticator from Step 2 (the second authentication step).
- Select Demo Hardware Key Authenticator and click Add.
- Click Delete to remove the
- Click Update.
Trying out the sample scenario¶
- Log out of the management console and log in with the abc.com
tenant admin's credentials (firstname.lastname@example.org).
- Create a new user in the abc.com tenant named "Alex" and ensure that Alex has login permissions.
- Access the following sample PickUp application URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com
- Click Login and enter Alex's credentials. Enter the username
with the appended tenant domain (i.e., email@example.com).
Note that you are prompted for harware key authentication because abc.com is a domain that belongs to the allowlist.
- Enter the 4 digit key and click Sign In. You are successfully
logged in to the application.
- Log out and log in with Kim's credentials. Kim is the admin of the 123.com tenant domain, which is not a part of the allowlist.
- Provide consent.
Note that you are successfully logged in to the application after going through the basic authentication step only.