Account locking and account disabling are security features in WSO2 Identity Server (IS) that prevent users from logging in to their account and from authenticating themselves using their WSO2 IS account. Account locking blocks a user from logging in temporarily, for example, after many consecutive unsuccessful login attempts. Account disabling is more of a long-term security measure, which disables the account for a significant amount of time.

For more information about configuring user accounts, see the Configuring User Stores topic. A user account can be locked or disabled in one of the following ways:

...

  1. Enable the Identity Listener by setting the enable attribute of the <EventListener> element of type UserOperationEventListener with the name IdentityMgtEventListener to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
  2. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    Configuration / Description

    Authentication.Policy.Enable=true
        Enables the authentication-flow-level checks for the account lock and one-time password features. This property must be enabled for the account lock feature to work.

    Authentication.Policy.Account.Lock.On.Failure=true
        Locks the account when authentication fails.

    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
        The number of consecutive login attempts a user can make without the account getting locked. In this case, if the login fails twice, the account is locked.

    Authentication.Policy.Account.Lock.Time=5
        The lock duration, in minutes. In this case, the account is locked for five minutes, and authentication can be attempted again once this time has passed.

    The resulting identity-mgt.properties entries:

    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=5
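As an added example (not WSO2's own code), the following Python script audits constructed excerpts of identity.xml and identity-mgt.properties to confirm that the listener and all four lock-policy settings from the two steps above are actually in effect; the listener name and property keys are taken from the page, while the sample file contents and the audit function are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts mirroring the page's settings (sample data, not from a live server).
IDENTITY_XML = """<Server><EventListeners>
  <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
      name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
</EventListeners></Server>"""
IDENTITY_MGT_PROPERTIES = """# identity-mgt.properties excerpt (constructed)
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5
"""
LISTENER = "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"

def parse_properties(text):
    """Parse Java .properties text (key=value, '#' or '!' comment lines) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_enabled(xml_text, name=LISTENER):
    """True if the named <EventListener> exists in identity.xml with enable="true"."""
    for el in ET.fromstring(xml_text).iter("EventListener"):
        if el.get("name") == name:
            return el.get("enable", "false").lower() == "true"
    return False

def positive_int(value):
    """True if value is an integer >= 1 (attempt counts and lock minutes must be)."""
    return value.isdigit() and int(value) >= 1

def audit_lock_policy(xml_text, props_text):
    """Return a list of findings; an empty list means account locking is effectively on."""
    p = parse_properties(props_text)
    findings = []
    if not listener_enabled(xml_text):
        findings.append("IdentityMgtEventListener is missing or disabled in identity.xml")
    for key in ("Authentication.Policy.Enable",
                "Authentication.Policy.Account.Lock.On.Failure"):
        if p.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true")
    for key in ("Authentication.Policy.Account.Lock.On.Failure.Max.Attempts",
                "Authentication.Policy.Account.Lock.Time"):
        if not positive_int(p.get(key, "")):
            findings.append(f"{key} must be a positive integer")
    return findings
```

Run audit_lock_policy against the real files on a server to catch the common misconfiguration where the properties are set but the listener in identity.xml was left disabled, which leaves account locking silently inactive.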

...

  1. Start the WSO2 IS server if you have not already and log in to the management console using admin credentials.
  2. Navigate to Claims>List on the Configure menu and select the http://wso2.org/claims claim dialect. For more information about claims, see Claim Management.
  3. Select the Account Locked claim and click Edit.
  4. Select the "Supported by Default" checkbox and click Update. This makes the "Account Locked" status appear in the user's profile.
  5. Navigate to Users and Roles>List>Users on the Main menu and click User Profile for the user you want to lock.
  6. If this is the first time this particular account is being locked, a textbox appears in front of the Account Locked field, as seen below. To lock the account, type true in the textbox and click Update.
    (Screenshot: Screen Shot 2016-01-10 at 9.44.40 PM.png)

...