This documentation is for WSO2 Identity Server 5.6.0 . View documentation for the latest release.

All docs This doc
||
Skip to end of metadata
Go to start of metadata

An administrative user can lock and unlock a particular user's account through the management console or using the AdminService. Follow the instructions given in the following sections to set this up. 

Configure WSO2 IS for account locking

If you have not already configured WSO2 identity Server (WSO2 IS) for account locking, expand the section below for instructions. 

 Click here for instructions

The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance identity.mgt listener.

Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the steps for the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.

  1. Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and the "IdentityMgtEventListener" with the orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file. 

    This is already configured this way by default. You can skip this step if you have not changed this configuration previously.

     Click to see the code block
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />

    Tip

    The properties that you configure in the <IS_HOME>/repository/conf/identity/identity-event.properties file are applied at the time of WSO2 Identity Server startup.

    Once you start the server, any consecutive changes that you do in the <IS_HOME>/repository/conf/identity/identity-event.properties file, will not be picked up.

  2. Start the Identity Server and log into the management console using your tenant credentials. 

    Alternatively, you can also use the IdentityGovernanceAdminService SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.

  3. Click Resident under Identity Providers found in the Main tab.
  4. Expand the Login Policies tab.
  5. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. 

  6. To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards. 

Enable claims for account locking

  1. Navigate to Claims>List on the Configure menu and select the http://wso2.org/claims  claim dialect. 
    For more information about claims, see Claim Management
  2. Select the Account Locked claim and click Edit.
  3. Select the Supported by Default checkbox and click Update
    This is done to make the "Account Locked" status appear in the user's profile. 

Lock a specific user account

Once you have configured account locking as instructed above, you can use one of the following methods to lock a user account.

Using the management console

An administrative user can lock a user account by editing the user’s profile in the management console. 

  1. Navigate to Users and Roles>List>Users on the Main menu and click on User Profile of the user you want to lock. 
  2. If it is the first time this particular account is being locked, a textbox will appear in front of the Account Locked field as seen below. 
    To lock the account, type true in the textbox and click Update.
    Screen Shot 2016-01-10 at 9.44.40 PM.png

If it is not the first time you are locking this user account, there will be a checkbox instead of the textbox (as shown above) in front of the Account Locked field. Select the checkbox to lock the account or unselect it to unlock the account and click Update.

Using the AdminService

An administrative user (with the permission level /permission/admin/configure/security/usermgt/users ) can lock a user account using the RemoteUserStoreManagerServiceYou can use the setUserClaimValues operation to achieve this. The following request is a sample SOAP request that can be sent to the RemoteUserStoreManagerService to lock a user account.

Lock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:setUserClaimValues>
         <!--Optional:-->
         <ser:userName>test</ser:userName>
         <!--Zero or more repetitions:-->
         <ser:claims>
            <!--Optional:-->
            <xsd:claimURI>http://wso2.org/claims/identity/accountLocked</xsd:claimURI>
            <!--Optional:-->
            <xsd:value>true</xsd:value>
         </ser:claims>
         <!--Optional:-->
         <ser:profileName>default</ser:profileName>
      </ser:setUserClaimValues>
   </soapenv:Body>
</soapenv:Envelope>
Unlocking a user account using the admin service

Similarly, you can use the setUserClaimValues operation RemoteUserStoreManagerService AdminService to unlock a locked user account. The following request is a sample SOAP request that can be sent to the RemoteUserStoreManagerService to unlock a user account.

Unlock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:setUserClaimValues>
         <!--Optional:-->
         <ser:userName>test</ser:userName>
         <!--Zero or more repetitions:-->
         <ser:claims>
            <!--Optional:-->
            <xsd:claimURI>http://wso2.org/claims/identity/accountLocked</xsd:claimURI>
            <!--Optional:-->
            <xsd:value>false</xsd:value>
         </ser:claims>
         <!--Optional:-->
         <ser:profileName>default</ser:profileName>
      </ser:setUserClaimValues>
   </soapenv:Body>
</soapenv:Envelope>

Configure email notifications for account locking

Once you have configured WSO2 Identity Server for user account locking, you can also configure the WSO2 IS to send an email to the user's email address when the user account is locked. To configure this, follow the steps below.

  1. Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory. 
  2. Configure the relevant property values for the email server under the <adapterConfig type="email"> tag.

    <adapterConfig type="email">
        <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
        based authentication rather username/password authentication -->
       	<property key="mail.smtp.from">abcd@gmail.com</property>
       	<property key="mail.smtp.user">abcd</property>
       	<property key="mail.smtp.password">xxxx</property>
       	<property key="mail.smtp.host">smtp.gmail.com</property>
       	<property key="mail.smtp.port">587</property>
       	<property key="mail.smtp.starttls.enable">true</property>
       	<property key="mail.smtp.auth">true</property>
       	<!-- Thread Pool Related Properties -->
       	<property key="minThread">8</property>
       	<property key="maxThread">100</property>
       	<property key="keepAliveTimeInMillis">20000</property>
       	<property key="jobQueueSize">10000</property>
    </adapterConfig>
  3. Restart the Server.

    Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

Configuring the email templates

To use these templates, apply the 5746 WUM update for WSO2 Identity Server 5.6.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM.

With this WUM update, WSO2 Identity Server uses two separate email templates for notifying users of the following:

  • Account lock by execeeding the "Maximum Failed Login Attempts"

  • Account unlock by exceeding the "Account Unlock Time"

Add the following email templates using the management console. For detailed instructions, see Customizing Automated Emails.

  1. Account lock by exceeding the "Maximum Failed Login Attempts"

    Email Template Type AccountLockAdmin

    Template LanguageEnglish(United States)
    Email Content Typetext/html
    Subject

    WSO2 - Your Account has been Locked

    Email Body
     Click here to expand...
    <![CDATA[<table align="center" cellpadding="0" cellspacing="0" border="0" width="100%"bgcolor="#f0f0f0">
       <tr>
       <td style="padding: 30px 30px 20px 30px;">
           <table cellpadding="0" cellspacing="0" border="0" width="100%" bgcolor="#ffffff" style="max-width: 650px; margin: auto;">
           <tr>
               <td colspan="2" align="center" style="background-color: #333; padding: 40px;">
                   <a href="http://wso2.com/" target="_blank"><img src="http://cdn.wso2.com/wso2/newsletter/images/nl-2017/wso2-logo-transparent.png" border="0" /></a>
               </td>
           </tr>
           <tr>
               <td colspan="2" align="center" style="padding: 50px 50px 0px 50px;">
                   <h1 style="padding-right: 0em; margin: 0; line-height: 40px; font-weight:300; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 1em;">
                       Account Unlocked
                   </h1>
               </td>
           </tr>
           <tr>
               <td style="text-align: left; padding: 0px 50px;" valign="top">
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                       Hi {{user.claim.givenname}},
                   </p>
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                       Please note that the account registered with the user name <b>{{user-name}}</b> has been unlocked by administrator. <br>
                   </p>
               </td>
           </tr>
           <tr>
               <td style="text-align: left; padding: 30px 50px 50px 50px" valign="top">
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #505050; text-align: left;">
                       Thanks,<br/>WSO2 Identity Server Team
                   </p>
               </td>
           </tr>
           <tr>
               <td colspan="2" align="center" style="padding: 20px 40px 40px 40px;" bgcolor="#f0f0f0">
                   <p style="font-size: 12px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #777;">
                       &copy; 2018
                       <a href="http://wso2.com/" target="_blank" style="color: #777; text-decoration: none">WSO2</a>
                       <br>
                       787 Castro Street, Mountain View, CA 94041.
                   </p>
               </td>
           </tr>
           </table>
       </td>
       </tr>
       </table>]]>
    <![CDATA[<table align="center" cellpadding="0" cellspacing="0" border="0" width="100%"bgcolor="#f0f0f0">
       <tr>
       <td style="padding: 30px 30px 20px 30px;">
           <table cellpadding="0" cellspacing="0" border="0" width="100%" bgcolor="#ffffff" style="max-width: 650px; margin: auto;">
           <tr>
               <td colspan="2" align="center" style="background-color: #333; padding: 40px;">
                   <a href="http://wso2.com/" target="_blank"><img src="http://cdn.wso2.com/wso2/newsletter/images/nl-2017/wso2-logo-transparent.png" border="0" /></a>
               </td>
           </tr>
           <tr>
               <td colspan="2" align="center" style="padding: 50px 50px 0px 50px;">
                   <h1 style="padding-right: 0em; margin: 0; line-height: 40px; font-weight:300; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 1em;">
                       Account Unlocked
                   </h1>
               </td>
           </tr>
           <tr>
               <td style="text-align: left; padding: 0px 50px;" valign="top">
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                       Hi {{user.claim.givenname}},
                   </p>
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                       Please note that the account registered with the user name <b>{{user-name}}</b> has been unlocked by administrator. <br>
                   </p>
               </td>
           </tr>
           <tr>
               <td style="text-align: left; padding: 30px 50px 50px 50px" valign="top">
                   <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #505050; text-align: left;">
                       Thanks,<br/>WSO2 Identity Server Team
                   </p>
               </td>
           </tr>
           <tr>
               <td colspan="2" align="center" style="padding: 20px 40px 40px 40px;" bgcolor="#f0f0f0">
                   <p style="font-size: 12px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #777;">
                       &copy; 2018
                       <a href="http://wso2.com/" target="_blank" style="color: #777; text-decoration: none">WSO2</a>
                       <br>
                       787 Castro Street, Mountain View, CA 94041.
                   </p>
               </td>
           </tr>
           </table>
       </td>
       </tr>
       </table>]]>
    
    Footer: ---
  2. Account unlock by exceeding the "Account Unlock Time"

    Type AccountUnlockAdmin
    Template LanguageEnglish(United States)
    Email Content Typetext/html
    Subject

    WSO2 - Your Account has been Unlocked

    Email Body
     Click here to expand...
    <![CDATA[<table align="center" cellpadding="0" cellspacing="0" border="0" width="100%"bgcolor="#f0f0f0">
                <tr>
                <td style="padding: 30px 30px 20px 30px;">
                    <table cellpadding="0" cellspacing="0" border="0" width="100%" bgcolor="#ffffff" style="max-width: 650px; margin: auto;">
                    <tr>
                        <td colspan="2" align="center" style="background-color: #333; padding: 40px;">
                            <a href="http://wso2.com/" target="_blank"><img src="http://cdn.wso2.com/wso2/newsletter/images/nl-2017/wso2-logo-transparent.png" border="0"/></a>
                        </td>
                    </tr>
                    <tr>
                        <td colspan="2" align="center" style="padding: 50px 50px 0px 50px;">
                            <h1 style="padding-right: 0em; margin: 0; line-height: 40px; font-weight:300; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 1em;">
                                Account Locked
                            </h1>
                        </td>
                    </tr>
                    <tr>
                        <td style="text-align: left; padding: 0px 50px;" valign="top">
                            <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                                Hi {{user.claim.givenname}},
                            </p>
                            <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;">
                                Please note that the account registered with the user name <b>{{user-name}}</b> has been locked. Please Contact the Administrator.<br>
                            </p>
                        </td>
                    </tr>
                    <tr>
                        <td style="text-align: left; padding: 30px 50px 50px 50px" valign="top">
                            <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #505050; text-align: left;">
                                Thanks,<br/>WSO2 Identity Server Team
                            </p>
                        </td>
                    </tr>
                    <tr>
                        <td colspan="2" align="center" style="padding: 20px 40px 40px 40px;" bgcolor="#f0f0f0">
                            <p style="font-size: 12px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #777;">
                                &copy; 2018
                                <a href="http://wso2.com/" target="_blank" style="color: #777; text-decoration: none">WSO2</a>
                                <br>
                                787 Castro Street, Mountain View, CA 94041.
                            </p>
                        </td>
                    </tr>
                    </table>
                </td>
                </tr>
            </table>]]>
    
    Footer: ---
     
    
    
  • No labels