This documentation is in progress and includes all updates released after Identity Server 5.4.1. For documentation specific to a version, see About This Release.
Page Comparison - Account Locking by Failed Login Attempts (v.27 vs v.28) - WSO2 Identity Server 5.x.x - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Identity Server can be configured to lock a user account when a number of consecutive failed login attempts are exceeded. First, you need to configure WSO2 Identity Server for user account locking and disabling. The following section explains how to configure this. 

Configuring WSO2


IS for account locking
MultiExcerptNameAccount Locking & Disabling Configuration

The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server. Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the steps for the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.

  1. Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and the "IdentityMgtEventListener" with the orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file. 



    This is already configured this way by default. You can skip this step if you have not changed this configuration previously.

    titleClick to see the code block
    Code Block
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
  2. Start the Identity Server and log into the management console using your tenant credentials. 


    Alternatively, you can also use the IdentityGovernanceAdminService SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.

  3. Click Resident under Identity Providers found in the Main tab.
  4. Expand the Login Policies tab.
  5. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. 

  6. To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards.