Multi Attribute Login — WSO2 Identity Server
The purpose of this blog post is to explain the Multi Attribute Login feature in the Identity Server and how it is implemented.
Is it possible to use user claims other than the username to log in?
Yes, it is possible.
Restricting user login to the username only was a major limitation of previous WSO2 IS versions. Some web applications, such as Facebook and Google, support different login identifiers, for example a telephone number or an email address.
WSO2 Identity Server has also provided this feature since version 5.12.
How does it work on IS?
Administrators can enable this feature on IS by providing a set of allowed login identifier claims. Users can then log in with any of the login identifiers the admin has allowed.
When a user enters a login identifier, IS maps it to the relevant claim according to the regex pattern configured for that claim. IS then searches the user stores by that claim URI and claim value. Finally, if the entered claim value is correct and the claim has been enabled for login by the admin, the user is able to log in to their account.
Configuring WSO2 IS for Multi Attribute Login
Step 1 : Log in to the identity server
Start the Identity Server and log into the management console using your tenant credentials.
Info: If you use multiple tenant domains, you need to configure multi attribute login tenant-wise.
Step 2 : Enable multi attribute login feature
Click Resident under Identity Providers found in the Main tab. Expand the Account Management tab. Then expand the Multi Attribute Login tab and select the Enable Multi Attribute Login checkbox.
Then add the comma-separated claim URIs that are allowed for multi attribute login in the given text box.
Click Update to save changes.
Step 3 : Add Regular Expression for Allowed Claims
Once you have configured WSO2 Identity Server for multi attribute login, you need to provide a regular expression for each of the allowed claims. Some claims already have a default regex; if not, you need to provide one in the claim edit window.
Select the claim from the claim list and open the Edit window. Then enter the regex pattern in the Regular Expression field.
Here are a few examples of regex patterns (the character ranges use a plain ASCII hyphen, 0-9, not an en dash; a pasted en dash silently breaks the pattern).
http://wso2.org/claims/emailaddress
^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$
http://wso2.org/claims/telephone
^(\+\d{1,2}\s?)?1?\-?\.?\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$
http://wso2.org/claims/username
^[a-zA-Z0-9._-]{3,}$
Let’s try it…
Ok. You have now successfully set up WSO2 Identity Server to enable multi attribute login.
But we need a user to test it. We can easily create one with the self-registration option.
This feature is supported via the following flows.
- Basic authenticator
- Identifier first authenticator
- Request path authenticator
- Authentication REST APIs
- OAuth password grant
- Password recovery flow
What happens if two users have the same value for a claim?
Mmmm…
Let’s take an example:
John has two accounts in the same app and used his mobile phone number for both. John’s administrators have allowed the mobile number claim for user login (login with mobile phone number).
When he tries to log in with the mobile number, the application finds two accounts and cannot tell which account John is trying to log in to.
Because of this issue, WSO2 Identity Server ignores all accounts that have the same value for the same claim during the user search.
If we keep the claim values that are allowed for login unique, we can avoid this issue.
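The resolution flow described above (identifier matched to a claim by regex, then a user store search on that claim, with duplicate claim values ignored), as an added illustration that is not WSO2 code. The user store and the shared phone number are constructed sample data; the regexes are the ones from this post.

```python
import re

# Allowed login claims and their regexes, as an admin would configure them in
# the resident IdP (patterns from the post above, with ASCII hyphens).
LOGIN_CLAIM_PATTERNS = {
    "http://wso2.org/claims/emailaddress":
        r"^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$",
    "http://wso2.org/claims/telephone":
        r"^(\+\d{1,2}\s?)?1?\-?\.?\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$",
    "http://wso2.org/claims/username":
        r"^[a-zA-Z0-9._-]{3,}$",
}

USERNAME = "http://wso2.org/claims/username"
EMAIL = "http://wso2.org/claims/emailaddress"
PHONE = "http://wso2.org/claims/telephone"

# Constructed sample user store (hypothetical data). "john" and "john2" share
# a phone number, which is the duplicate-claim case the post describes.
USER_STORE = [
    {USERNAME: "john",  EMAIL: "john@example.com",   PHONE: "+1 555-123-4567"},
    {USERNAME: "john2", EMAIL: "john.w@example.com", PHONE: "+1 555-123-4567"},
    {USERNAME: "alice", EMAIL: "alice@example.com",  PHONE: "+1 555-987-6543"},
]


def matching_claims(identifier, patterns=LOGIN_CLAIM_PATTERNS):
    """Claim URIs whose regex the typed login identifier satisfies."""
    return [uri for uri, rx in patterns.items() if re.fullmatch(rx, identifier)]


def resolve_user(identifier, users=USER_STORE, patterns=LOGIN_CLAIM_PATTERNS):
    """Map the identifier to a claim, then search the store for that claim value.

    Returns ("resolved", username), ("ambiguous", None) when every matching
    claim value is shared by several accounts, or ("not_found", None).
    """
    ambiguous = False
    for claim_uri in matching_claims(identifier, patterns):
        hits = [u for u in users if u.get(claim_uri) == identifier]
        if len(hits) == 1:
            return "resolved", hits[0][USERNAME]
        if len(hits) > 1:
            # Duplicate claim value: IS ignores these accounts rather than guess.
            ambiguous = True
    return ("ambiguous" if ambiguous else "not_found"), None
```

Logging the "ambiguous" outcome separately from "not_found" makes duplicate claim values visible to operators before they become a support problem.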
Can we keep claim values unique?
Yes, we can.
You can follow this article written by me to configure WSO2 Identity Server to manage user claim uniqueness.