Configuring Role-Based Adaptive Authentication
This tutorial demonstrates how you can set up role-based adaptive authentication with WSO2 Identity Server (WSO2 IS).
To understand how to set up role-based adaptive authentication with WSO2 IS, let's consider a scenario where you want a user who has an administrator role to perform an additional level of authentication while any other user can just provide their credentials (basic authentication) to access a resource.
Here, you will use a sample application named to deploy and set up sample authenticators required to try out the scenario.
Before you begin
- Set up the service provider and sample application for adaptive authentication if you have not done so already. For instructions on how to do this, see Configuring a Service Provider for Adaptive Authentication.
- For more information about adaptive authentication with WSO2 Identity Server, see Adaptive Authentication.
Configuring the sample scenario
- Log in to the management console and create a new user named 'Alex'. Do not assign any roles.
- Navigate to Service Providers>List and click Edit on the saml2-web-app-pickup-dispatch.com service provider.
- Expand the Local and Outbound Configuration section and click Advanced Authentication.
- Expand Script Based Conditional Authentication.
- Click Templates on the right side of the Script Based Conditional Authentication field and then click Role-Based.
- Click Ok. The authentication script and authentication steps are configured. The authentication script defines a conditional step that executes the second authentication step (i.e., the hardware key authenticator) only if the user belongs to an 'admin' or 'manager' role.
- The authentication steps added are fido. However, these are authentication steps that you would normally use in production. To try out sample authenticators with the sample application, delete the two authenticators and add the following sample authenticators instead.
- Click Delete to remove the fido authenticators from Step 2 (the second authentication step).
- Select Demo Hardware Key Authenticator and click Add.
- Click Update.
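The script the Role-Based template installs follows the shape below. This is an added example, not the template text copied from the product: the script body uses the WSO2 IS adaptive-script function names `executeStep`, `hasAnyOfTheRoles` and `context.currentKnownSubject`, while `simulateLogin` and the stand-in `executeStep`/`hasAnyOfTheRoles` definitions are a constructed simulator so the branching can be exercised offline for the admin user and for 'Alex'.

```javascript
// Roles that must complete the second (hardware key) authentication step.
var rolesToStepUp = ['admin', 'manager'];

// Conditional authentication script in the WSO2 IS style: step 1 is basic
// authentication for everyone; step 2 runs only for users holding one of
// the roles listed above.
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;
            if (hasAnyOfTheRoles(user, rolesToStepUp)) {
                executeStep(2);
            }
        }
    });
};

// ---- constructed simulator standing in for the WSO2 script runtime ----
var executedSteps;  // step ids the engine was asked to run, in order
var activeContext;  // context handed to the script for the current login

// Stand-in for the engine's executeStep: records the step and, because the
// simulation assumes every step succeeds, fires the onSuccess callback.
function executeStep(stepId, options) {
    executedSteps.push(stepId);
    if (options && typeof options.onSuccess === 'function') {
        options.onSuccess(activeContext);
    }
}

// Stand-in for hasAnyOfTheRoles: true if the user holds any listed role.
function hasAnyOfTheRoles(user, roles) {
    return roles.some(function (role) {
        return user.roles.indexOf(role) !== -1;
    });
}

// Run the script for a user with the given roles; return the executed steps.
function simulateLogin(username, roles) {
    executedSteps = [];
    activeContext = { currentKnownSubject: { username: username, roles: roles } };
    onLoginRequest(activeContext);
    return executedSteps;
}

console.log('admin ->', simulateLogin('admin', ['admin']));  // [ 1, 2 ]
console.log('Alex  ->', simulateLogin('Alex', []));          // [ 1 ]
```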
Testing the sample scenario
- Access the following sample PickUp application URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com
- Enter the 4-digit key given on the screen and click Sign In.
- Next, log out of the application and log in again as 'Alex'. Note that this user is not assigned to any role. You will see that authentication succeeds after the basic authentication step alone; the second step is skipped.