In this post, I will explain how to use the SMS OTP multifactor authenticator with WSO2 Identity Server. In this demonstration, I use Twilio as the SMS provider, which sends the OTP code via SMS when authentication happens.
[Figure: SMS OTP Authentication Flow]
The SMS OTP authenticator of WSO2 Identity Server adds multifactor authentication to the sign-in flow. It authenticates the user with user name and password as the first step, then sends a one-time password to the user's mobile via SMS as the second step. WSO2 IS validates the code and lets the user sign in accordingly.
Add the authenticator configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file, under the <AuthenticatorConfigs> section.
<AuthenticatorConfig name="SMSOTP" enabled="true">
    <Parameter name="SMSOTPAuthenticationEndpointURL">https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp</Parameter>
    <Parameter name="SMSOTPAuthenticationEndpointErrorPage">https://localhost:9443/smsotpauthenticationendpoint/smsotpError.jsp</Parameter>
    <Parameter name="MobileNumberRegPage">https://localhost:9443/smsotpauthenticationendpoint/mobile.jsp</Parameter>
    <Parameter name="RetryEnable">true</Parameter>
    <Parameter name="ResendEnable">true</Parameter>
    <Parameter name="BackupCode">true</Parameter>
    <Parameter name="SMSOTPEnableByUserClaim">false</Parameter>
    <Parameter name="SMSOTPMandatory">false</Parameter>
    <Parameter name="usecase">association</Parameter>
    <Parameter name="secondaryUserstore">primary</Parameter>
    <Parameter name="CaptureAndUpdateMobileNumber">true</Parameter>
    <Parameter name="SendOTPDirectlyToMobile">false</Parameter>
</AuthenticatorConfig>
Configure the service provider and identity provider as you normally would for two-factor authentication. Next, configure the SMS OTP identity provider for the Twilio SMS provider.
Go to https://www.twilio.com/trytwilio and create a Twilio account.
While registering the account, verify your mobile number, then click on console home (https://www.twilio.com/console) to get free credits (Account SID and Auth Token).
Twilio uses the POST method with headers; the text message and phone number are sent as the payload. So the fields are as follows.
SMS URL: https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
HTTP Method: POST
HTTP Headers: Authorization: Basic base64{AccountSID:AuthToken}
HTTP Payload: Body=$ctx.msg&To=$ctx.num&From={FROM_NUM}
Go to the SMS OTP identity provider and configure it to send the SMS through the Twilio SMS provider.
[Figure: Twilio SMS Provider Config]
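The request that the four fields above describe, built in Python as an added example (not code from the original post, WSO2 or Twilio). The function names and all sample values are constructed placeholders, and nothing is sent over the network.

```python
import base64
from urllib.parse import urlencode

# Endpoint pattern from the field list; Twilio's API version is the date 2010-04-01.
SMS_URL = "https://api.twilio.com/2010-04-01/Accounts/{sid}/SMS/Messages.json"


def build_twilio_request(account_sid, auth_token, from_num, to_num, msg):
    """Return (url, headers, body) for the POST described in the field list."""
    # HTTP Basic: base64 of "AccountSID:AuthToken". This is an encoding, not
    # encryption, so the header value is as sensitive as the token itself.
    credentials = f"{account_sid}:{auth_token}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(credentials).decode("ascii"),
        # Form encoding matches the Body=...&To=...&From=... payload shape.
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode percent-encodes each value: the leading "+" of an E.164 number
    # becomes %2B (a raw "+" in a form body decodes to a space), and "&" or "="
    # inside the message cannot add or override form fields.
    body = urlencode({"Body": msg, "To": to_num, "From": from_num})
    return SMS_URL.format(sid=account_sid), headers, body


def redact_headers(headers):
    """Return a copy of the headers that is safe to write to a log."""
    return {
        name: ("Basic <redacted>" if name.lower() == "authorization" else value)
        for name, value in headers.items()
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or phone numbers.
    url, headers, body = build_twilio_request(
        "ACxxxxxxxxxxxxxxxx", "example-auth-token",
        "+15555550100", "+15555550199", "Verification code: 123456 & more")
    print("POST", url)
    print(redact_headers(headers))
    print(body)
```

Because the Authorization value decodes straight back to the Account SID and Auth Token, the identity provider configuration that holds it should be protected like any other stored credential.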
During the second authentication step, the code is sent to the mobile number saved in the mobile claim of the user's profile.
When the user enters the code, WSO2 IS validates it and lets the user sign in accordingly.
Hi, could you please explain the step where you are configuring SMS OTP? I am using WSO2 IS 5.0.2 with resident identity provider and I cannot see any place "SMSOTP Configuration."
Thanks
Agam
You need to create an identity provider for the SMS OTP authenticator, then add the first step (basic or any federated authenticator) and the second step (SMS OTP authenticator) in the Service Provider. You can use the WSO2 store [1] and the documentation [2] to set up the SMS OTP authenticator.
[1] - https://store.wso2.com/store/assets/isconnector/details/ec6a18ae-4763-4958-bc61-8e12f5b441ac
[2] - https://docs.wso2.com/display/ISCONNECTORS/Configuring+SMSOTP+Authenticator
Thanks,
Kathees
Were you able to set up the SMS OTP authenticator with WSO2 Identity Server?
Hi Rajendram Kathees,
I am using wso2is 5.4.0 and want to send the SMS OTP, which must become invalid after a certain time, and the user should not be able to send the SMS OTP more than 3 times. Does WSO2 IS support such features?
Hi Kathees,
I am using WSO2 Identity Server version 5.5.0. I have configured the steps for SMS OTP using the below link
https://docs.wso2.com/display/IS550/Configuring+SMS+OTP but I am not getting the OTP. Help me to proceed further, please.