This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Multiexcerpt
MultiExcerptNameAccount Locking & Disabling Configuration
Warning

The instructions givenon given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance identity.mgt listener.

Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the steps for the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.

  1. Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and the "IdentityMgtEventListener" with the orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file. 

    Anchor
    step2
    step2

    Info

    This is already configured this way by default. You can skip this step if you have not changed this configuration previously.

    Expand
    titleClick to see the code block
    Code Block
    languagexml
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
    Tip
    titleTip

    The properties that you configure in the <IS_HOME>/repository/conf/identity/identity-event.properties file are applied at the time of WSO2 Identity Server startup.

    Once you start the server, any consecutive changes that you do in the <IS_HOME>/repository/conf/identity/identity-event.properties file, will not be picked up.

  2. Start the Identity Server and log into the management console using your tenant credentials. 

    Tip

    Alternatively, you can also use the IdentityGovernanceAdminService SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.

  3. Click Resident under Identity Providers found in the Main tab.

  4. Expand the Login Policies tab.
  5. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. 

  6. To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards. 

...

Configuration

Description

Maximum Failed Login Attempts

This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. If the value you entered is 2, the account is locked if the login attempt fails twice.

Lock Timeout Increment Factor

When

This indicates how much the account unlock timeout is incremented by after each failed login attempt. For example, according to the values configured in the above screen, when a user exceeds the specified limit

specified for

of 4 Maximum Failed Login Attempts, the account is locked for

5 minutes, which is the time specified in Account Unlock Time.

10 minutes. This account unlock timeout is calculated as follows.

Panel

Account unlock timeout = Configured Account Unlock Time * (Lock Timeout Increment Factor ^ failed login attempt cycles)

i.e.,

10 minutes = 5 * ( 2 ^ 1 )

Tip
titleTip

If you want to configure the Lock Timeout Increment Factor property via the file based configuration, the parameter you need to configure is account.lock.handler.login.fail.timeout.ratio found in the <IS_HOME>/repository/conf/identity/identity-event.properties file.

If the user attempts to log in

again

with invalid credentials

,

again after the wait time has elapsed and the account

gets locked

is unlocked, the

wait time is 7 minutes (i.e., the Account Unlock Time in addition to the Lock Timeout increment Factor). In the event that the account gets locked again, the wait time is 9 minutes as this is incremented by the Lock Timeout Increment Factor again

number of login attempt cycles is now 2 and the wait time is 20 minutes.

Account Unlock Time

The time specified here is in minutes. According to the values in the screenshot above, the account is locked for 5 minutes after the user's second failed attempt and authentication can be attempted once this time has passed.

Account Lock Enabled

This enables locking the account when authentication fails.

...

Multiexcerpt
MultiExcerptNameEmail configuration
  1. Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory. 
  2. Configure the relevant property values for the email server under the <adapterConfig type="email"> tag.

    Code Block
    languagexml
    <adapterConfig type="email">
        <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
        based authentication rather username/password authentication -->
       	<property key="mail.smtp.from">abcd@gmail.com</property>
       	<property key="mail.smtp.user">abcd</property>
       	<property key="mail.smtp.password">xxxx</property>
       	<property key="mail.smtp.host">smtp.gmail.com</property>
       	<property key="mail.smtp.port">587</property>
       	<property key="mail.smtp.starttls.enable">true</property>
       	<property key="mail.smtp.auth">true</property>
       	<!-- Thread Pool Related Properties -->
       	<property key="minThread">8</property>
       	<property key="maxThread">100</property>
       	<property key="keepAliveTimeInMillis">20000</property>
       	<property key="jobQueueSize">10000</property>
    </adapterConfig>
  3. Restart the Server.

    Tip

    Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.