Tags: oauth-2.0, wso2, ws-federation, wso2-identity-server

WSO2 IS custom authenticator


We are using WSO2 IS v5.4.1

We want to authenticate users based on external user data store. The desired steps:

  1. The user logs in via OAuth to WSO2 IS with a username and password.
  2. The login request is forwarded to an external service, which authenticates the user with the given username and password, without authenticating against the WSO2 IS default user store.
  3. The service returns a response of the desired form to WSO2 IS, and based on this response some business logic is performed.

I saw that there are 2 options to achieve this:

  1. Implement Custom Local Authenticator
  2. Implement Custom Federated Authenticator

What is the correct approach?

Thanks,


Solution

  • By definition,

    1. Local authenticators authenticate the user against a local user store, presumably using a username and password. You can use the inbuilt login page to ask for the user's credentials and validate them against the local user stores.

    2. Federated authenticators authenticate with third-party identity providers, like Google or Facebook. In this case you won't ask for the user's credentials directly; instead you'll redirect the user to the third-party login page, and after authentication the third-party IdP will send back the result.

    From the facts you have provided, it seems you need a local authenticator, where you can ask for the user's credentials directly and authenticate them against the user store.

    PS: If you can communicate with the user store directly (without going through an API) and it's an OOTB-supported user store (LDAP or JDBC), you can plug it in directly as a secondary user store (or even as the primary user store) and authenticate against it without any customization.
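The shape of the custom local authenticator the answer recommends, as an added example that is not part of the original question or answer and not code from the WSO2 project: it reuses the inbuilt login page to collect the username and password, POSTs them to an external verification service, and on success sets a local authenticated subject so the rest of the OAuth flow continues as if a user store had validated the credentials. The service URL `https://auth.example.internal/verify`, its JSON request body and its "HTTP 200 means valid" contract are assumptions for illustration; the class names from `org.wso2.carbon.identity.application.authentication.framework` are the real WSO2 IS 5.x framework API. OSGi registration of the class as an `ApplicationAuthenticator` service is assumed to live elsewhere in the bundle.

```java
// Added example (not from the original post or the WSO2 project): a custom local
// authenticator for WSO2 IS 5.x that validates credentials against an external
// HTTP service instead of the local user store.
// Assumed/hypothetical: VERIFY_URL, its JSON contract, and the OSGi registration
// of this class as an ApplicationAuthenticator service (done elsewhere in the bundle).
package org.example.wso2.auth;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;

public class ExternalServiceAuthenticator extends AbstractApplicationAuthenticator
        implements LocalApplicationAuthenticator {

    private static final String VERIFY_URL = "https://auth.example.internal/verify"; // hypothetical
    private static final String NAME = "ExternalServiceAuthenticator";

    @Override
    public boolean canHandle(HttpServletRequest request) {
        // The inbuilt login page posts these two parameters back to the framework.
        return request.getParameter("username") != null && request.getParameter("password") != null;
    }

    @Override
    public String getContextIdentifier(HttpServletRequest request) {
        // sessionDataKey ties the login-page POST back to the AuthenticationContext.
        return request.getParameter(FrameworkConstants.SESSION_DATA_KEY);
    }

    @Override
    protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        // Reuse the inbuilt login page rather than shipping a custom one.
        String loginPage = ConfigurationFacade.getInstance().getAuthenticationEndpointURL();
        try {
            response.sendRedirect(loginPage + "?" + context.getQueryParams()
                    + "&authenticators=" + NAME + ":LOCAL");
        } catch (IOException e) {
            throw new AuthenticationFailedException("Could not redirect to the login page", e);
        }
    }

    @Override
    protected void processAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                AuthenticationContext context) throws AuthenticationFailedException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (!verifyWithExternalService(username, password)) {
            // Never put the password in the exception message; it ends up in the server log.
            throw new AuthenticationFailedException("External authentication failed for user " + username);
        }
        // A *local* subject keeps the OAuth token and claim handling on the normal path.
        context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(username));
    }

    // POST the credentials to the external service over TLS; only HTTP 200 counts as success.
    private boolean verifyWithExternalService(String username, String password)
            throws AuthenticationFailedException {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(VERIFY_URL).openConnection();
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(5000);
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            String body = "{\"username\":" + quote(username) + ",\"password\":" + quote(password) + "}";
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            return conn.getResponseCode() == 200;
        } catch (IOException e) {
            // Fail closed: a timeout or TLS error must never be mistaken for a valid login.
            throw new AuthenticationFailedException("External authentication service unreachable", e);
        }
    }

    // Minimal JSON string escaping so a crafted username cannot break out of the request body.
    private static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }

    @Override public String getFriendlyName() { return "External service login"; }
    @Override public String getName() { return NAME; }
}
```

Build the class into an OSGi bundle, register it as an `ApplicationAuthenticator` service, drop the bundle into `<IS_HOME>/repository/components/dropins`, and then select it under the service provider's Local & Outbound Authentication Configuration. Two caveats a reviewer would raise: the external call must fail closed (as above) so an outage never becomes an open door, and if the external store is in fact LDAP or JDBC the answer's PS applies and a secondary user store needs none of this code.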