| Warning | ||
|---|---|---|
| ||
This page is currently under construction. |
...
The account Account locking is a security feature in IS allows to prevent users from authenticating using ISin Identity Server that prevents users from logging in to their account and from authenticating themselves using their IS account. A user account can be locked by in one of the following methods.
...
Account locking by failed login attempts
ways:
Table of Contents maxLevel 4 minLevel 3
Account locking by failed login attempts
The Identity Server can be configured to lock a user account when a number of consecutive failed login attempts are exceeded. Following The following section explains on configuring how to configure the Identity Server for account locking.
...
1. Enable the Identity Listener by setting the following <EventListener> property to true in the <IS_HOME>/repository/conf/identity/identity.xml file.
| Code Block | ||
|---|---|---|
| ||
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/> |
2. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.
...
Configuration | Description |
|---|---|
Notification.Sending.Enable=true | This property enables the email sending function when the password account is unlocked. |
Notification.Expire.Time=7200 | The time specified here is in minutes. In this case, the notification expires after 7200 minutes. |
Notification.Sending.Internally.Managed=true | This enables the internal email sending module. If this property is set to false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender. |
Authentication.Policy.Enable=true |
...
This enables the authentication flow level which checks for the account lock and one time password features. This property must be enabled for the account lock feature to work. | |
Authentication.Policy.Account.Lock.On.Failure=true |
...
This enables locking the account when authentication fails. | |
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2 |
...
| This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. In this case, if the login fails twice, the account is locked. | |
Authentication.Policy.Account.Lock.Time=5 |
...
The time specified here is in minutes. In this case, the account is locked for five minutes and authentication can be attempted once this time has passed. |
| Code Block | ||
|---|---|---|
| ||
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5 |
Unlocking the locked user account
A locked user account by failed login attempts can be unlocked by one of the following methods
By setting a lock timeout period:
IS The Identity Server can be configured to automatically unlock a user account after a configured amount of time
| Note | ||
|---|---|---|
| ||
The automatic unlocking happens only when the account is locked due to exceedance of max failed login attempts. |
The above mentioned certain period of time. A user account locked by failed login attempts can be unlocked by setting a lock timeout period. To configure this:
Configure the
Authentication.Policy.Account.Lock.Timeproperty
...
in the
<IS_HOME>/repository/conf/identity/identity-mgt.propertiesfile. As mentioned in the above table, the value refers to the number of minutes that the account is locked for, after which, authentication can be attempted again.Code Block language xml Authentication.Policy.Account.Lock.Time=5Info If the lock time is set to 0, the account has to be unlocked by an admin user.
...
For more information about this, see Account locking by an administrative user.
Account locking by an administrative user
An administrative user can unlock a user account by using Admin Service or by editing the user profile from management console
...
using one of the following methods:
Table of Contents maxLevel 4 minLevel 4
Using the management console
An administrative user can lock a user account by editing the user’s profile in the management console. But in order to make the Account Lock status appear in the user’s profile, the Account Locked claim (
- Start the IS server if you haven't already and log in to the management console using admin credentials.
- Navigate to Claims>List on the Configure menu and select the http://wso2.org/claims
...
...
- claim dialect. For more information about claims, see Claim Management.
- Select the Account Locked claim and click Edit.
- Select the "Supported by Default" checkbox and click Update. This is done to make the "Account Locked" status appear in the user's profile.
- Navigate to Users and Roles>List>Users on the Main menu and click on User Profile of the user you want to lock.
- If
...
- it is the first time
...
- this particular account is being locked, a textbox will appear in front of the
...
- Account Locked
...
- field as seen below. To lock the
...
- account, type true in the textbox and
...
- click Update.
| Note |
|---|
If it is not the first time you are locking |
...
this user account, there |
...
will be a checkbox instead of |
...
the textbox |
...
shown above in front of the Account Locked field. Select the checkbox to lock the account or |
...
unselect it to unlock the account and click |
...
Update. |
...
Using the AdminService
An administrative user (with the permission level /permission/admin/configure/security/usermgt/users ) can lock a user account using the UserIdentityManagementAdminService . The admin service provides the lockUserAccount operations operation to achieve this. Following The following request is a sample SOAP request that can be sent to UserIdentityManagementAdminService (https://localhost:9443/services/UserIdentityManagementAdminService) to the UserIdentityManagementAdminService to lock a user account.
| Code Block | ||
|---|---|---|
| ||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:ser="http://services.mgt.identity.carbon.wso2.org"> <soapenv:Header/> <soapenv:Body> <ser:lockUserAccount> <!--Optional:--> <ser:userName>SpongeBob</ser:userName> </ser:lockUserAccount> </soapenv:Body> </soapenv:Envelope> |
Unlocking a user account from the admin service
Similarly, we you can use the UserIdentityManagementAdminService to unlock a locked user account. The service provides the unlockUserAccount operation to achieve this. Following The following request is a sample SOAP request that can be sent to the UserIdentityManagementAdminService to to unlock a user account.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:ser="http://services.mgt.identity.carbon.wso2.org"> <soapenv:Header/> <soapenv:Body> <ser:unlockUserAccount> <!--Optional:--> <ser:userName>SpongeBob</ser:userName> </ser:unlockUserAccount> </soapenv:Body> </soapenv:Envelope> |
...
See the following table for descriptions of the configurations in identity-mgt.properties.
Configuration
Description
Notification.Sending.Enable=true
This enables the email sending function when the password account is unlocked.
Notification.Expire.Time=7200
The time specified here is in minutes. In this case, the notification expires after 7200 minutes.
Notification.Sending.Internally.Managed=true
This enables the internal email sending module. If false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender.
Authentication.Policy.Enable=true
This enables the authentication flow level checks for the account lock and one time password features. You must enable this to make the account lock feature work.
Authentication.Policy.Account.Lock.On.Failure=true
This enables locking the account when authentication fails.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. In this case, if the login fails twice, the account is locked.
Authentication.Policy.Account.Lock.Time=5