Configuring SMS OTP Authenticator

This document provides step by step instructions to set up SMS OTP configurations.

Note

According to the Australian Consumer Data Standard, Data Holders must provide a one-time password (OTP) to the customer through an existing channel or mechanism that the customer can then enter into the redirected page for authentication purposes. For more information, see Consumer Data Standards - OIDC Hybrid Flow.

Configuring deployment.toml

  1. Open the <IS_HOME>/repository/conf/deployment.toml file and add the authenticator configuration as follows.

    [authentication.custom_authenticator]
    name = "IdentifierExecutor"
    parameters.ValidateUsername = true
    parameters.throttleLimit = 3
    parameters.throttleTimePeriod = 300
    parameters.authRequestURL = "https://<IS_HOST>:9446/api/identity/auth/v1.1/data/AuthRequestKey/"
  2. Run the following command from <IS_HOME>/bin to restart the server.

    ./wso2server.sh

Sign in to the Identity Server

  1. Sign in to the Management Console of WSO2 Identity Server at https://<IS_HOST>:9446/carbon.

  2. Use the default super admin credentials as follows:

    Note

    The above login credentials are for testing purposes only. It is recommended to change the login credentials in a production environment.

Step 1: Adding SMS OTP Identity Provider

  1. Go to the Main menu > Identity > Identity Providers > Add.

  2. Fill in the Basic Information section and name this Identity Provider SMSAuthentication.

  3. Expand the Federated Authenticators > SMS OTP Configuration section.

  4. Select both the Enable and Default checkboxes. This enables the SMSAuthentication authenticator and makes it the default one.

  5. Based on your SMS provider, fill out the SMS OTP configurations.

    • If Twilio is used as the SMS provider, go to https://www.twilio.com/try-twilio and create an account.

    • While registering the account, verify your mobile number, then open the console home at https://www.twilio.com/console to get your trial credit and credentials (Account SID and Auth Token).

    • Twilio expects a POST request: the credentials go in the HTTP headers, and the text message and phone number are sent in the form-encoded payload.

  6. Add the following sample configurations and click Register. The first block is the template; the second shows the same fields filled in for a Twilio trial account. Note that the From number must be URL-encoded in the payload that is actually sent, as the template's urlencode{TrialNumber} indicates (an unencoded + is otherwise decoded as a space).

    SMS URL : https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
    HTTP Headers : Authorization: Basic base64{AccountSID:AuthToken}
    HTTP Payloads : Body=$ctx.msg&To=$ctx.num&From=urlencode{TrialNumber}
    HTTP Method : POST

    SMS URL : https://api.twilio.com/2010-04-01/Accounts/AC34f40df03e20fb6498b3fcee256ebd3b/SMS/Messages.json
    HTTP Headers : Authorization: Basic QUMzNGY0MGRmMDNlMjBmYjY0OThiM2ZjZWUyNTZlYmQzYjo1ZmFkM2VkYzg4YWM1NTNiMmFiZjc4NWI1MmM4MWFkYg==
    HTTP Payloads : Body=$ctx.msg&To=$ctx.num&From=+1 210-880-1806
    HTTP Method : POST
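The following Python script is an added example, not part of this page or of the WSO2 authenticator code. It shows what the three configured fields resolve to at request time: the Basic header is base64(AccountSID:AuthToken), the $ctx.msg and $ctx.num markers are replaced with the OTP text and the user's mobile claim, and every form value (including the From number, which contains a +) is URL-encoded. The Account SID, Auth Token and recipient number are constructed placeholders; the script only builds the request and does not send anything.

```python
import base64
from urllib.parse import urlencode

# Templates as configured on the SMS OTP Configuration page.
SMS_URL_TEMPLATE = "https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json"
PAYLOAD_TEMPLATE = "Body=$ctx.msg&To=$ctx.num&From=urlencode{TrialNumber}"


def basic_auth_value(account_sid: str, auth_token: str) -> str:
    """Authorization header value: 'Basic ' + base64(AccountSID:AuthToken)."""
    raw = f"{account_sid}:{auth_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def resolve_payload(template: str, ctx: dict, constants: dict) -> dict:
    """Resolve $ctx.<name> and urlencode{<name>} markers in a form template.

    Returns the fields unencoded; build_request form-encodes all of them so
    that every value, not only the ones marked urlencode{...}, is safe.
    """
    fields = {}
    for pair in template.split("&"):
        key, value = pair.split("=", 1)
        if value.startswith("$ctx."):
            value = ctx[value[len("$ctx."):]]
        elif value.startswith("urlencode{") and value.endswith("}"):
            value = constants[value[len("urlencode{"):-1]]
        fields[key] = value
    return fields


def build_request(account_sid: str, auth_token: str, trial_number: str,
                  otp_message: str, recipient: str) -> dict:
    """Assemble the outbound SMS request (method, URL, headers, body)."""
    ctx = {"msg": otp_message, "num": recipient}
    fields = resolve_payload(PAYLOAD_TEMPLATE, ctx, {"TrialNumber": trial_number})
    return {
        "method": "POST",
        "url": SMS_URL_TEMPLATE.format(AccountSID=account_sid),
        "headers": {
            "Authorization": basic_auth_value(account_sid, auth_token),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(fields),  # quote_plus: '+' -> %2B, space -> '+'
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_request("ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "your_auth_token_here",
                        "+1 210-880-1806", "Your OTP is 123456", "94714564567")
    for k, v in req.items():
        print(f"{k}: {v}")
```

The Authorization value is derived from the credentials at runtime here; in the Identity Server configuration it is stored as a static header, so treat the saved Identity Provider configuration as secret material.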

Step 2: Configuring Account Lock

  1. Go to the Main menu > Identity > Identity Providers > Resident > Login Attempt Security > Account Lock.

  2. Select the Lock User Accounts checkbox.

  3. Configure the Maximum Failed Login Attempts.

  4. Scroll down and click Update.
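Both the deployment.toml parameters (throttleLimit = 3 failures within throttleTimePeriod = 300 seconds) and the Account Lock setting above (Maximum Failed Login Attempts) are failed-attempt limits keyed on the identifier the user typed. The Python model below is an added example, not WSO2's implementation; it assumes a sliding-window count per identifier, which the page does not specify, and uses an injectable clock so the window can be replayed offline with constructed events.

```python
import time
from collections import defaultdict, deque

THROTTLE_LIMIT = 3          # parameters.throttleLimit
THROTTLE_TIME_PERIOD = 300  # parameters.throttleTimePeriod, in seconds


class FailedAttemptThrottle:
    """Block an identifier once it has `limit` failures within `period` seconds.

    Sliding-window semantics are an assumption of this example.
    """

    def __init__(self, limit=THROTTLE_LIMIT, period=THROTTLE_TIME_PERIOD,
                 clock=time.monotonic):
        self.limit = limit
        self.period = period
        self.clock = clock
        self._failures = defaultdict(deque)  # identifier -> recent failure times

    def _recent(self, identifier, now):
        q = self._failures[identifier]
        while q and now - q[0] >= self.period:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, identifier) -> bool:
        return len(self._recent(identifier, self.clock())) >= self.limit

    def record_failure(self, identifier) -> None:
        now = self.clock()
        self._recent(identifier, now).append(now)

    def record_success(self, identifier) -> None:
        self._failures.pop(identifier, None)  # a valid login clears the counter


def simulate(events, limit=THROTTLE_LIMIT, period=THROTTLE_TIME_PERIOD):
    """Replay (timestamp, identifier, credential_valid) events.

    Returns one decision per event: "blocked" (refused before the credential
    is checked), "ok" (valid, counter cleared) or "invalid" (failure recorded).
    """
    now = [0.0]
    throttle = FailedAttemptThrottle(limit, period, clock=lambda: now[0])
    decisions = []
    for t, identifier, valid in events:
        now[0] = float(t)
        if throttle.is_blocked(identifier):
            decisions.append("blocked")
        elif valid:
            throttle.record_success(identifier)
            decisions.append("ok")
        else:
            throttle.record_failure(identifier)
            decisions.append("invalid")
    return decisions


if __name__ == "__main__":
    # Constructed event stream: alice fails three times, bob is unaffected,
    # alice is refused inside the window and admitted once it has slid past.
    events = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
              (25, "bob", True), (30, "alice", True), (301, "alice", True)]
    for ev, d in zip(events, simulate(events)):
        print(ev, "->", d)
```

The test scenarios mentioned at the end of this page (repeated invalid usernames, repeated invalid OTPs) correspond to the "blocked" decisions: the identifier is refused regardless of whether the fourth attempt would have been valid, and the counter is per identifier, so other users are not affected.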

Step 3: Configure mobile as a mandatory claim

  1. Go to the Main menu > Identity > Claims > List.

  2. Select http://wso2.org/claims from the list.

  3. Locate Mobile from the list and select Edit.

  4. Select Required and click Update.

    More on login information

    In the authentication flow, if you log in as an admin user, you are prompted for the mobile number on the first login attempt. The mobile number must be given in international format without a leading + or spaces, as in the following example: 94714564567.

    Note

    Test scenarios can include attempting to log in with invalid usernames more than the allowed number of times, entering invalid OTPs more than the allowed number of times, and similar cases.