The WSO2 Identity Server can be configured to lock a user account when a configurable number of failed login attempts is exceeded. There are also two configurations that can be used to unlock a user account:
- By using the unlockUserAccount service in
- By configuring the lock time in the <IS_HOME>/repository/conf/security/identity-mgt.properties file (this is specified using the Authentication.Policy.Account.Lock.Time parameter).
An Admin user can also directly lock a user account using the lockUserAccount service in
Configuring the account lock time
This section expands on how to configure the WSO2 Identity Server to lock or unlock a user account using the
Configure the following parameters in the
See the following table for descriptions of these configurations.
- This enables the identity listener.
- This enables the email sending function when the account is unlocked.
- The time specified here is in minutes. In this case, the notification expires after 7200 minutes.
- This enables the internal email sending module. If false, the email sending data is available to the application via a Web service, so the application can send the email using its own email sender.
- This enables the authentication flow level checks for the account lock and one time password features. You must enable this to make the account lock feature work.
- This enables locking the account when authentication fails.
- This indicates the number of consecutive attempts that a user can have to log in without the account getting locked. In this case, if the authentication fails twice, the account is locked.
- The time specified here is in minutes. In this case, the account is locked only for two minutes and authentication can be attempted once this time passes.
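The fragment below is an added example of an identity-mgt.properties configuration that matches the values described above; it is not copied from this page. Only Authentication.Policy.Account.Lock.Time is named on the page: the other property names are assumed from the identity-mgt.properties file shipped with WSO2 Identity Server 5.0 and should be checked against the file in your own <IS_HOME>/repository/conf/security directory.

```properties
# Identity listener must be on for any of the account-lock handling to run
Identity.Listener.Enable=true

# Send an email notification when the account is unlocked
Notification.Sending.Enable=true
# Notification validity in minutes (7200 minutes = 5 days)
Notification.Expire.Time=7200
# true: the server sends the email itself
# false: the notification data is exposed via a Web service for your own sender
Notification.Sending.Internally.Managed=true

# Required: enables the authentication-flow checks for account lock / OTP
Authentication.Policy.Enable=true
# Lock the account on failed authentication
Authentication.Policy.Account.Lock.On.Failure=true
# Consecutive failures allowed before the lock is applied
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
# Automatic unlock after this many minutes (0 would mean an admin must unlock)
Authentication.Policy.Account.Lock.Time=2
```

A low Max.Attempts value together with a short Lock.Time keeps legitimate users from being locked out for long while still slowing down password guessing; tune both against the lockout complaints and failed-login events you see in the server logs.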
- Configure the following claims and map the attributes correctly to the existing underlying user store. See Claim Management for more information on how to do this.
Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.