Adaptive Authentication using WSO2 Identity Server and WSO2 Stream Processor

In this article I am going to briefly discuss how to implement adaptive authentication solutions using WSO2 Identity Server (IS) and WSO2 Stream Processor (SP).
What is adaptive authentication?
Put simply, adaptive authentication is an approach to configuring and enabling multi-factor authentication in which the number and the types of authentication factors are decided based on the user’s risk score.
For example, if a user tries to log in to a web application, we can decide whether fingerprint authentication needs to be enabled along with the basic authentication, or whether basic authentication alone is enough for that particular user, depending on the nature of the login attempt.
Why SP?
WSO2 IS is capable of providing adaptive authentication support on its own. You can refer to the WSO2 IS documentation for more information about this [1]. However, by connecting WSO2 SP to WSO2 IS, more advanced methods can be used to calculate the risk score.
WSO2 SP is powered by the Siddhi Complex Event Processing Engine, which provides a rich set of streaming data processing capabilities, including:
- Static rule processing.
- Adaptive stateful rule processing.
- Query state from tables, windows and aggregations.
- Static and online machine learning based decision making.
- Calculate aggregations over windows such as time, length, and session.
- Long duration time series aggregations with granularities from seconds to years.
- Analyze trends (rise, fall, turn, triple bottom).
- Real time predictions with pre-trained machine learning models (PMML, TensorFlow).
- Learn and predict at run time using online machine learning models.
Calculating the Risk Score Using Stream Processor
First, let’s have a look at the data flow.

- User initiates a login request.
- Service provider sends an authentication request to WSO2 Identity Server.
- WSO2 IS sends an HTTP request to WSO2 IS Analytics / SP to compute the user’s risk score based on the user’s login details.
- SP analyzes the received data and calculates the risk.
- SP publishes the calculated risk score and related results back to IS.
- IS decides the types and number of authentication factors considering the received risk score.
- The user is presented with the authentication steps required to log in, based on the computed risk score.
In order to calculate the risk score for a particular user activity, a set of rules must be deployed on SP. These rules are defined in a Siddhi app.
In such a Siddhi application, we can define a Siddhi HTTP source to receive HTTP requests from IS. In that way, IS can share the details of the user’s activity with SP, e.g. the username and IP address of a login attempt.
After receiving the data, Siddhi processes it and calculates the risk score according to the logic written in the Siddhi app. That risk score is then sent back as the response to the request sent by IS.
For more information about Siddhi applications and the HTTP source, refer to the documentation of Siddhi [3] and the siddhi-io-http extension [4].
Enabling Authentication Factors for the User
We can write a script in IS to decide how to enable authentication factors depending on the risk score.
Let’s have a look at a sample script we define in IS.
We can call the Stream Processor using the built-in callAnalytics() function. In WSO2 SP, there should be a stream defined with an HTTP source with the same name we use here (in this example the stream name is ‘InputStream’).
Using executeStep() function, we can define which authentication factor(s) should be enabled for the user. These authentication factors can be configured in the service provider. [2]

We have used demo authenticators for the above example. There, if the risk score is 0.0, only the basic authentication will be provided. If the risk score is between 0.0 and 0.5, the fingerprint authenticator will be enabled along with the basic authenticator. If the risk score is higher than 0.5, the face id authenticator will also be enabled along with the basic and fingerprint authenticators.
Hope this article gives you an overall idea of how WSO2 IS and SP work together to facilitate adaptive authentication.
If you need to learn more about how to configure and use SP and IS, refer to the official documentation of WSO2 Identity Server [5] and Stream Processor [6].
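The following is an added example of such an IS adaptive authentication script, written for this article and not taken from the WSO2 documentation: it implements the three risk tiers described above and falls back to the strongest tier when the analytics call fails or returns an unusable score. executeStep() and callAnalytics() are the IS built-ins named above; the metadata key 'ReceiverUrl', the context.steps[1].subject.username and context.request.ip fields, the response shape data.event.riskScore, and the step numbering (1 = basic, 2 = fingerprint, 3 = face id) are assumptions for this example.

```javascript
// Added example (not the article's own script). Assumed service provider
// step configuration: step 1 = basic, step 2 = fingerprint, step 3 = face id.

// Pure decision function: maps a risk score to the ordered list of
// authentication steps to execute. A missing, unparseable or out-of-range
// score is treated as the highest risk tier (fail closed), so an analytics
// problem can never silently downgrade the login to a single factor.
function stepsForRiskScore(riskScore) {
  var score = Number(riskScore);
  if (isNaN(score) || score < 0 || score > 1) {
    return [1, 2, 3];
  }
  if (score === 0) {
    return [1];          // basic authentication only
  }
  if (score <= 0.5) {
    return [1, 2];       // basic + fingerprint
  }
  return [1, 2, 3];      // basic + fingerprint + face id
}

// Entry point the IS authentication framework invokes for every login request.
var onLoginRequest = function (context) {
  // Step 1 (basic authentication) runs first so that SP receives a known
  // username rather than an unauthenticated claim.
  executeStep(1, {
    onSuccess: function (context) {
      var username = context.steps[1].subject.username;   // assumed field
      var payload = {
        'event': { 'username': username, 'ip': context.request.ip }  // assumed field
      };
      // 'InputStream' must match the HTTP-source stream name in the Siddhi app.
      callAnalytics({ 'ReceiverUrl': '/RiskBasedLogin/InputStream' }, payload, {
        onSuccess: function (context, data) {
          var steps = stepsForRiskScore(data.event.riskScore);   // assumed shape
          for (var i = 1; i < steps.length; i++) {  // step 1 already completed
            executeStep(steps[i]);
          }
        },
        onFail: function (context, data) {
          // SP unreachable or returned an error: require every factor.
          executeStep(2);
          executeStep(3);
        }
      });
    }
  });
};
```

Only stepsForRiskScore() is testable outside IS; onLoginRequest() relies on the framework-provided executeStep() and callAnalytics() and is only invoked by IS.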
Thanks!
References:
[1] https://docs.wso2.com/display/IS570/Adaptive+Authentication
[2] https://docs.wso2.com/display/IS570/Configuring+a+Service+Provider+for+Adaptive+Authentication
[3] https://siddhi-io.github.io/siddhi/
[4] https://siddhi-io.github.io/siddhi-io-http/
[5] https://docs.wso2.com/display/IS570/WSO2+Identity+Server+Documentation
[6] https://docs.wso2.com/display/SP440/Stream+Processor+Documentation