Hi Jing, A) You can use next pattern to store custom values need to render page: def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() ... elif (step == 2): session_attributes = context.get("sessionAttributes") page_parameter_1 = session_attributes.get("page_parameter_1") ... return True def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() ... elif step == 2: page_parameter_1 = "parameter 1 value" context.set("page_parameter_1", page_parameter_1) ... return True def getExtraParametersForStep(self, configurationAttributes, step): # Notify authenticator to store this even context parameter in session to allow us use it in authenticate method return Arrays.asList("page_parameter_1") In xhtml you can simply access it in next way var param_1 = '${page_parameter_1}'

In order to send request to MFA system you can use next pattern: httpService = HttpService.instance(); http_client = httpService.getHttpsClient(); http_client_params = http_client.getParams(); http_client_params.setIntParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, cas_validation_timeout); try: http_service_response = httpService.executeGet(http_client, cas_validation_uri) http_response = http_service_response.getHttpResponse() except: print "CAS2. Rest API authenticate isValidAuthenticationMethod. Exception: ", sys.exc_info()[1] return False The full example is here: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/cas2/Cas2ExternalAuthenticator.py#L55 It's not limitation. Also you can use any other methods to send requests to MFA server.

Yes, it's not user friendly to put custom page into oxauth now. During development I put them to exploded war... We planned to start work on this issue at the end of this week or on start of next week to find out more elegant approach to store custom login pages and web resources.

Thanks for the reply, they are really helpful. Do you think it would be a bad idea if we upload custom pages in /opt/tomcat/webapps/oxauth/auth/my_custom_page/*.xhtml after the oxauth.war installed by tomcat? Will our custom folder be overriden/deleted by any other processes?

Right now there is no applications in CE that can remove /opt/tomcat/webapps/oxauth/auth/my_custom_page/*.xhtml By default tomcat not remove exploded folder at shutdown/restart

that's good to know, then we can easily replace the content with existing configuration management tools. Thanks for your time and valuable help.

I'm going to close this ticket out for now, Jing. Let me know if it needs to be re-opened, or feel free to open a new one. Thanks, Will