In this post I am going to show you how to write your own authenticator, which uses a custom claim to validate users, and how to invoke your custom authenticator from your web app.
Create your Custom Authenticator Bundle
WSO2IS is based on OSGi, so if you want to add a new authenticator you have to create an OSGi bundle. Following is the source of the OSGi bundle you have to prepare.
This bundle will consist of three files,
CustomAuthenticatorServiceComponent is an OSGi service component; it registers the CustomAuthenticator as a service. CustomAuthenticator is an implementation of org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator, which actually provides our custom authentication.
This is where your actual authentication logic is implemented.
This is a helper class that just holds the constants you are using in your authenticator.
Once you are done with these files, your authenticator is ready. Now you can build your OSGi bundle and place the bundle inside <CARBON_HOME>/repository/components/dropins.
*sample pom.xml file 
Create new Claim
Now you have to create a new claim in WSO2IS. To do this, log into the management console of WSO2IS and do the steps described in . In this example, I am going to create a new claim, "Block SP Login".
So, go to the configuration section of the management console, click on "Claim Management", then select the "http://wso2.org/claims" dialect.
Click on "Add New Claim Mapping", and fill the details related to your claim.
Now your new claim is ready in WSO2IS. As you selected "Supported by Default" as true, this claim will be available in your user profile. So you will see this field appear when you try to create a user, but the field is not mandatory, as you didn't specify it as "Required".
There is another configuration change you have to make, as the authenticator takes the claim name from the configuration file (CustomAuthenticator.java, 107-114). Add the information about your new claim to repository/conf/security/application-authentication.xml.
If you check CustomAuthenticator.java, lines 107-128, you will see that processAuthenticationResponse, in addition to authenticating the user against the user store, checks for the new claim.
So, this finishes the basic steps to set up your custom authentication. Now you have to set up a new Service Provider in WSO2IS and assign your custom authenticator to it, so that whenever your SP tries to authenticate a user through WSO2IS, it will use your custom authenticator.
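The check described above, reduced to its decision logic, as an added example that is not the code from the original post. The `UserStore` interface is a hypothetical stand-in for the WSO2IS user store, and the claim URI and the reading that a value of true blocks the login are assumptions; the example also handles an unset claim (it is not marked "Required") and fails closed when the claim cannot be read.

```java
import java.util.HashMap;
import java.util.Map;

public class BlockClaimCheckExample {

    /** Hypothetical stand-in for the user store; not a WSO2IS interface. */
    interface UserStore {
        boolean authenticate(String user, String password);
        String getClaimValue(String user, String claimUri) throws Exception; // null when unset
    }

    // Assumed claim URI; use the one entered under "Add New Claim Mapping".
    static final String BLOCK_CLAIM_URI = "http://wso2.org/claims/blockSPLogin";

    /** True only when the credentials are valid and the block claim is not set to true. */
    static boolean isLoginAllowed(UserStore store, String user, String password) {
        if (user == null || password == null || !store.authenticate(user, password)) {
            return false;
        }
        try {
            String blocked = store.getClaimValue(user, BLOCK_CLAIM_URI);
            // The claim is not "Required", so it is often unset: treat null as not blocked.
            return blocked == null || !Boolean.parseBoolean(blocked.trim());
        } catch (Exception e) {
            // Fail closed: if the claim cannot be read, do not let the login through.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: user -> {password, claim value}.
        Map<String, String[]> users = new HashMap<>();
        users.put("alice", new String[] {"alice-pw", null});
        users.put("bob", new String[] {"bob-pw", "true"});
        users.put("carol", new String[] {"carol-pw", "false"});
        UserStore store = new UserStore() {
            public boolean authenticate(String u, String p) {
                return users.containsKey(u) && users.get(u)[0].equals(p);
            }
            public String getClaimValue(String u, String claimUri) throws Exception {
                if (u.equals("carol")) throw new Exception("simulated user store outage");
                return users.get(u)[1];
            }
        };
        for (String u : new String[] {"alice", "bob", "carol", "mallory"}) {
            System.out.println(u + " allowed=" + isLoginAllowed(store, u, u + "-pw"));
        }
    }
}
```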
Create Service Provider and set the Authenticator
Follow the basic steps given in  to create a new Service Provider.
Then go to "Inbound Authentication Configuration" -> "SAML2 Web SSO Configuration", and make the following changes,
Then go to the "Local & Outbound Authentication Configuration" section,
select "Local Authentication" as the authentication type, and select your authenticator, here "custom".
Now you have completed all the steps needed to set up your custom authenticator with your custom claims.
You can now start WSO2IS and start using your service. Meanwhile, change the value of the "Block SP Login" claim for a particular user and see the effect.