
WSO2 Identity Server (WSO2 IS) enables an administrative user to disable a user account by configuring this feature in WSO2 Identity Server and editing the user profile of the account. You can also switch off the account disabling feature so that administrative users do not have permission to disable users.


Configuring WSO2 IS for account disabling

First, you need to configure WSO2 Identity Server for user account locking and disabling. Follow the steps below to do this configuration.

Warning

The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance identity.mgt listener.

Prior to the WSO2 IS 5.2.0 release, account locking and account disabling was configured in a different way. If you require documentation with regard to the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.

  1. Start the Identity Server and log into the management console using your tenant credentials.

  (The excerpt "Account Locking & Disabling Configuration" from the page Account Locking by Failed Login Attempts is included here.)

From 5.3.0 onwards there is a new implementation for identity management features. The steps given below in this document follow the new implementation, which is the recommended approach for account disabling.

  2. Click Resident under Identity Providers found in the Main tab.
  3. Expand the Login Policies tab.
  4. Expand the Account Disabling tab and select the Enable Account Disabling checkbox. Click Update to save changes. 
  5. Next, enable account locking. Expand the Login Policies tab.
  6. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. 

    Tip

    If a user is assigned the Internal/system role, the user can bypass account locking even if the user exceeds the specified number of Maximum Failed Login Attempts.

    Note

    WSO2 Identity Server has the Internal/system role configured by default, but a new user is generally not assigned the Internal/system role by default. Required roles can be assigned to a user depending on the set of permissions the user needs to have. For more information on roles and permissions, see Configuring Roles and Permissions.

    Although the Internal/system role is configured by default in WSO2 Identity Server, you can delete the role if necessary. To allow users with the Internal/system role to bypass account locking, you need to ensure that the role exists in WSO2 Identity Server.

  7. To enable account locking and disabling for other tenants, log out and repeat the steps given above from step 2 onwards. 

Disable an account

Follow the steps below to disable a user account through the WSO2 IS management console. 

  1. Navigate to Main>Claims>List and click on 'http://wso2.org/claims'.

  2. Edit the Account Disabled claim. See Editing Claim Mapping for more information on how to do this. 

  3. Tick the checkbox Supported by Default and click Update. 
  4. Navigate to Main>Users and Roles>List>Users and click on User Profile of the user account that you want to disable. 
  5. Tick the Account Disabled checkbox and click Update.

Switch off account disabling

The following section provides instructions on how to switch off the account disabling feature. You may do this if you want to prevent even administrative users from disabling accounts.

  1. Open the identity-event.properties file found in the <IS_HOME>/repository/conf/identity folder.

  2. Set the following property to false to disable account disabling. This removes the account disabling option from all tenants.

    account.disable.handler.enable=false

    Tip

    To disable or enable this option tenant-wise, do the following:

    1. Start WSO2 Identity Server and log in to the management console using tenant credentials.
    2. Click List under Identity Providers and then click Resident Identity Provider.

    3. Expand Login Policies>Account Disabling and select/unselect the Enable Account Disabling checkbox accordingly. 

Alternatively, instead of using the management console, you can also enable/disable the user account using the setUserClaimValues() method in the RemoteUserStoreManagerService after you have configured WSO2 IS for account disabling.
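As an added example (not code from the WSO2 documentation), the following Python client sets the Account Disabled claim through setUserClaimValues on the RemoteUserStoreManagerService SOAP endpoint. The service URL, claim URI, SOAP namespaces and SOAPAction value are assumptions taken from a default installation and should be checked against your deployment's WSDL.

```python
import base64
import ssl
import urllib.request
from xml.sax.saxutils import escape

# Assumed values (not stated on the page): the admin-service URL of a default
# WSO2 IS install and the claim URI behind the "Account Disabled" claim.
SERVICE_URL = "https://localhost:9443/services/RemoteUserStoreManagerService"
ACCOUNT_DISABLED_CLAIM = "http://wso2.org/claims/identity/accountDisabled"

# Envelope layout assumed from the service WSDL; verify it against your version.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:ser="http://service.ws.um.carbon.wso2.org"'
    ' xmlns:xsd="http://dao.service.ws.um.carbon.wso2.org/xsd">'
    "<soapenv:Header/><soapenv:Body><ser:setUserClaimValues>"
    "<ser:userName>{user}</ser:userName>"
    "<ser:claims><xsd:claimURI>{claim}</xsd:claimURI>"
    "<xsd:value>{value}</xsd:value></ser:claims>"
    "<ser:profileName>{profile}</ser:profileName>"
    "</ser:setUserClaimValues></soapenv:Body></soapenv:Envelope>"
)


def build_set_claim_envelope(username, disabled, profile="default"):
    """Return the setUserClaimValues request that sets Account Disabled to true/false."""
    return ENVELOPE.format(
        user=escape(username),          # never splice raw input into XML
        claim=ACCOUNT_DISABLED_CLAIM,
        value="true" if disabled else "false",
        profile=escape(profile),
    )


def set_account_disabled(username, disabled, admin_user, admin_password,
                         url=SERVICE_URL, cafile=None):
    """POST the request with HTTP Basic auth and return the HTTP status code."""
    body = build_set_claim_envelope(username, disabled).encode("utf-8")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "text/xml;charset=UTF-8",
        "SOAPAction": "urn:setUserClaimValues",   # assumed action name
        "Authorization": "Basic " + token,
    })
    # Keep certificate verification on: pass the IS CA bundle rather than disabling checks.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status
```

Call `set_account_disabled("alice", True, "admin", "<admin password>", cafile="path/to/is-ca.pem")` against a running server; the claim does not need to be marked Supported by Default for this API path, only for the management console profile page.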


Sending email notifications for account disabling

Once you have configured WSO2 Identity Server for account disabling, you can also configure WSO2 IS to send an email to the user's email address when the user account is disabled. To configure this, follow the steps below.

(The excerpt "Email configuration" from the page Account Locking by Failed Login Attempts is included here.)