Skip to content

Configuring a Service Provider for Adaptive Authentication

Adaptive authentication enables an identity provider to prompt multi-factor authentication steps based on a user's risk profile or user behavior, i.e., the authentication adapts to the situation or the user during the authentication process.


For instance, high-risk logins such as a user attempting to log in from an unusual location causes the adaptive authentication mechanism to prompt an extra authentication in order to increase security.

For more information on adaptive authentication with WSO2 IS, see Adaptive Authentication.

This tutorial guides you through setting up a sample application to try out adaptive authentication and configuring it as a service provider in WSO2 IS.

Step 01: Set Up the Samples

Follow the steps below to set up the sample application to try out adaptive authentication using a sample application.

  1. PickUp sample web application (SAML).

    1. Deploy and configure saml2-web-app-pickup-dispatch sample application.

    2. Access the PickUp application URL at http://localhost:8080/

      Note that a login screen appears.


  2. Deploy the sample authenticator dependency and web application in WSO2 IS.

    1. Download the org.wso2.carbon.identity.sample.extension.authenticators-5.9.0.jar file and paste it inside the <IS_HOME>/repository/components/dropins directory.


      The org.wso2.carbon.identity.sample.extension.authenticators-5.9.0.jar contains implementation of the sample authenticators (Demo HardwareKey authenticator, Demo Fingerprint authenticator, Demo FaceID authenticator) used in this tutorial.

    2. Download the sample-auth.war file and paste it inside the <IS_HOME>/repository/deployment/server/webapps folder.


      This sample-auth.war file contains the WEB UI for the sample authenticators used in this tutorial.

    3. Start the WSO2 IS server and test whether all the samples are configured successfully.

      1. Sign in to the WSO2 IS Management Console with one of the following URLs using admin as the username and password.

        For HTTP  --> http://<HTTP_HOST>:9776/carbon
        For HTTPS --> https://<HTTPS_HOST>:9443/carbon
      2. On the Main tab, click Service Providers > Add .
        Add Service Providers

      3. Enter test as the Service Provider Name and click Register.
        Register New Service Provider
      4. Expand the Local and Outbound Configuration section.
        The following authenticators should be available in the local authenticators list.

        • Demo Fingerprint Authenticator
        • Demo Hardware-Key Authenticator
        • Demo Face ID Authenticator

        Demo Authenticators

        Remain in the Management Console.


      These Demo Authenticators are provided as a way of learning and experimenting the adaptive authentication templates in realtime. These authenticators perform no real function and should not be used for any production or QA purposes.

Step 02: Configure the Service Provider

In this step, let's configure a service provider for the sample application by setting up inbound authentication.


This tutorial guides you through setting up a service provider for a SAML application. To configure a service provider with other protocols such as OAuth and WS-Federation, see Configuring Inbound Authentication for a Service Provider.

Before you proceed

In the previous step, you have deployed and registered the webapp. If you complete that you can skip steps 1 to 4 below and directly jump to step 5.

  1. On the Main tab, click Service Providers > Add and add a new service provider called .

    For more information about configuring a service provider, see Adding and Configuring a Service Provider.

  2. Expand the Inbound Authentication configuration> SAML2 Web SSO configuration section, and click Configure.
    Configure a Service Provider

  3. Fill in the following fields.
    • Issuer:
    • Assertion Consumer URL:
  4. Leave the rest of the default configurations as it is and click Register.
    Register a New Service Provider
  5. Expand Local and Outbound Authentication Configuration and click Advanced Configuration.
    Advanced Authentication Configuration
  6. You can add authentication steps or use a template to configure adaptive authentication depending on your requirement. For example, add Demo HardwareKey Authenticator.
    Adaptive Authentication Templates
  7. Add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.

context = "/sample-auth(.*)"
secure = false
http_method = "all"
8. Restart the server

What's Next?

Now that you have set up the service provider, the sample application, and the demo authenticators, you can try out the scenarios that use pre-defined templates for different adaptive authentication use cases.