Skip to content

WSO2 IS: Custom Federated Authenticator using same form as basic authenticator

We are in the process of introducing WSO2 Identity Server in our infrastructure and there is the need to have two authentication methods but – if possible – using the same login form, without redirecting to external forms (like facebook login).

The idea is that we have “normal” and “power” users where normal users will authenticate using the basic authenticator provided by WSO2 IS (using email as username), while power users have a specific type of username (let’s say “Power User XXXX”) and their authentication is being handled and approved on a specific resource from an existing API.

So, what I would like to do is have the basic authentication form shown from WSO2 and when I identity the power user username format, delegate authentication to the aforementioned API.

I know that in order to delegate to an external service, I need to introduce a federated authenticator – which is not the problem here. My problem is how to do the following:

  • reuse the same form and handle the different cases behind the scenes
  • assign responsibility to the custom and federated authenticator based on the username pattern

Has anyone managed to do something similar? Is it even possible do achieve what I’m trying to do?


For your use case, you can write a local authenticator extending the default BasicAuthenticator.

In processAuthenticationResponse, you can check the username pattern and call the external API and authenticate the user else you can call the super

There is another option where we can implement a dedicated authenticator and page to authenticate with the external API.

In the SP configuration set up an identifier first as the first step and default basic and custom authenticator as a second step. Then from the username provided in the identifier first select second step authenticator. This can be done by ‘authenticationOptions’ in authentication script