Account locking is a security feature in Identity Server that prevents users from logging in to their account and from authenticating themselves using their IS account. A user account can be locked in one of the following ways:

...

Configuration | Description

Notification.Sending.Enable=true
    Enables the email sending function when an account is unlocked.

Notification.Expire.Time=7200
    The time specified here is in minutes. In this case, the notification expires after 7200 minutes.

Notification.Sending.Internally.Managed=true
    Enables the internal email sending module. If this property is set to false, the email sending data is made available to the application via a Web service, so the application can send the email using its own email sender.

Authentication.Policy.Enable=true
    Enables the authentication-flow-level checks for the account lock and one-time password features. This property must be enabled for the account lock feature to work.

Authentication.Policy.Account.Lock.On.Failure=true
    Enables locking the account when authentication fails.

Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    The number of consecutive failed login attempts after which the account is locked. In this case, if the login fails twice, the account is locked.

Authentication.Policy.Account.Lock.Time=5
    The time specified here is in minutes. In this case, the account is locked for five minutes, and authentication can be attempted again once this time has passed.

    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=5

...

  1. Configure the Authentication.Policy.Account.Lock.Time property in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file. As mentioned in the above table, the value is the number of minutes that the account is locked for, after which authentication can be attempted again.

        Authentication.Policy.Account.Lock.Time=5

    Info

    If the lock time is set to 0, the account has to be unlocked by an admin user. For more information about this, see Account locking by an administrative user.
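The lock-on-failure behaviour from the configuration table above (consecutive failed attempts, Lock.Time in minutes) together with the lock-time-of-0 rule in the note, modelled as an added Python example; this is not WSO2 IS code. The names parse_properties, AccountState, LockoutPolicy and the simulated clock passed as now are hypothetical, and PROPERTIES is a constructed fragment that uses only the page's own keys.

```python
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed identity-mgt.properties fragment using only the keys described on this page.
PROPERTIES = """
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5
"""
P = "Authentication.Policy."

def parse_properties(text: str) -> Dict[str, str]:  # key=value lines; #/! comments ignored
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False               # what the Account Locked claim would hold
    unlock_at: Optional[float] = None  # None while locked: only an admin can unlock

class LockoutPolicy:
    # Hypothetical model of the lock-on-failure policy, not the IS implementation.
    def __init__(self, props: Dict[str, str]):
        self.enabled = all(props.get(P + k) == "true" for k in ("Enable", "Account.Lock.On.Failure"))
        self.max_attempts = int(props.get(P + "Account.Lock.On.Failure.Max.Attempts", "0"))
        self.lock_minutes = int(props.get(P + "Account.Lock.Time", "0"))
        self.accounts: Dict[str, AccountState] = {}
    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        # True if the login is accepted; False if rejected (bad password or locked account).
        st = self.accounts.setdefault(user, AccountState())
        if st.locked and st.unlock_at is not None and now >= st.unlock_at:
            st.locked, st.unlock_at, st.failed_attempts = False, None, 0  # lock time elapsed
        if self.enabled and st.locked:
            return False  # locked: rejected even with the correct password
        if password_ok:
            st.failed_attempts = 0  # the counter is for consecutive failures only
            return True
        st.failed_attempts += 1
        if self.enabled and st.failed_attempts >= self.max_attempts:
            st.locked = True  # Lock.Time is in minutes; 0 means no automatic unlock
            st.unlock_at = None if self.lock_minutes == 0 else now + self.lock_minutes * 60
        return False
    def admin_unlock(self, user: str) -> None:  # an admin clearing the Account Locked claim
        self.accounts[user] = AccountState()
```

With the fragment above, two wrong passwords lock the account, a correct password is still rejected until five minutes have passed, and with Lock.Time=0 only admin_unlock clears the lock.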

...

  1. Start the IS server if you haven't already and log in to the management console using admin credentials.
  2. Navigate to Claims>List on the Configure menu and select the http://wso2.org/claims claim dialect. For more information about claims, see Claim Management.
  3. Select the Account Locked claim and click Edit.
  4. Select the "Supported by Default" checkbox and click Update. This is done to make the "Account Locked" status appear in the user's profile.
  5. Navigate to Users and Roles>List>Users on the Main menu and click on User Profile of the user you want to lock.
  6. If it is the first time this particular account is being locked, a textbox will appear in front of the Account Locked field as seen below. To lock the account, type true in the textbox and click Update.

[Screenshot: the Account Locked field with its textbox in the user's profile]

Note

If it is not the first time you are locking this user account, there will be a checkbox instead of the textbox shown above in front of the Account Locked field.

Select the checkbox to lock the account or unselect it to unlock the account and click Update.

...

1. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    Notification.Sending.Enable=true
    Notification.Expire.Time=7200
    Notification.Sending.Internally.Managed=true

...

4. Restart the server once the configuration changes are made.

Note

For the account locking/unlocking process, IS uses the following Identity claims to store the related attributes:

...

Storing claims in the user store

By default, IS stores these claim values in the JDBC datasource configured in the identity.xml file. If needed, you can configure IS to store the claim values in the user store as well.

...