This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Account Lock/Unlock - Identity Server 5.0.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

The WSO2 Identity Server can be configured to lock a user account when configurable number of login attempts are exceeded. Also there are two configurations that can be used to unlock a user account.

Also an Admin user can directly lock a user account using the lockUserAccount service in https://localhost:9443/services/UserIdentityManagementAdminService?wsdl.

Configuring the account lock time

This section of this topic expands on how we can configure the WSO2 Identity Server to lock or unlock a user account using the <IS_HOME>/repository/conf/security/identity-mgt.properties file

  1. Configure the following parameters in the <IS_HOME>/repository/conf/security/identity-mgt.properties file.

    Identity.Listener.Enable=true
    Notification.Sending.Enable=true
    Notification.Expire.Time=7200
    Notification.Sending.Internally.Managed=true
    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=2

    See the following table for descriptions of these configurations.

    ConfigurationDescription
    Identity.Listener.Enable=true
    This enables the identity listener.
    Notification.Sending.Enable=true

    This enables the email sending function when the password account is unlocked.

    Notification.Expire.Time=7200
    The time specified here is in minutes. In this case, the notification expires after 7200 minutes.
    Notification.Sending.Internally.Managed=true

    This enables the internal email sending module. If false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender.

    Authentication.Policy.Enable=true

    This enables the authentication flow level checks for the account lock and one time password features. You must enable this to make the account lock feature work.

    Authentication.Policy.Account.Lock.On.Failure=true
    This enables locking the account when authentication fails.
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    This indicates the number of consecutive attempts that a user can have to log in without the account getting locked. In this case, if the authentication fails twice, the account is locked.
    Authentication.Policy.Account.Lock.Time=2
    The time specified here is in minutes. In this case, the account is locked only for two minutes and authentication can be attempted once this time passes.
  2. Configure the following claims and correctly map the attributes with the existing underlying user store. See Claim Management for more information on how to do this.
    • http://wso2.org/claims/identity/accountLocked - This claim is used to store the status of the user's account, i.e., if it is locked or not.
    • http://wso2.org/claims/identity/unlockTime - This is used to store the timestamp that the user's account is unlocked.
    • http://wso2.org/claims/identity/failedLoginAttempts - This is used to track the number of consecutive failed login attempts. It is based on this that the account is locked.
  3. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.

    <configuration type="accountUnLock">
    	<targetEpr></targetEpr>
    	<subject>WSO2 Carbon - Your account unlocked</subject>
    	<body>
    		Hi {first-name},
    
    
    		Please note that the account registered with us with the user name : {user-name} has been unlocked by Admin. 
    
    
    	</body>
    	<footer>
    		Best Regards,
    		WSO2 Identity Server Team
    		http://www.wso2.com
    	</footer>
    	<redirectPath></redirectPath>
    </configuration>
  • No labels