Under Construction

This page is currently under construction.

Account locking is a security feature in the Identity Server that prevents users from logging in to their account and from authenticating themselves using their Identity Server account. For more information about configuring user accounts, see the Configuring User Stores topic. A user account can be locked in one of the following ways:

  • Account locking by failed login attempts
  • Account locking by an administrative user

Account locking by failed login attempts

The Identity Server can be configured to lock a user account when the number of consecutive failed login attempts exceeds a configured limit. The following section explains how to configure the Identity Server for account locking.

Configuring Identity Server for account locking

  1. Enable the Identity Listener by setting the <UserOperationEventListener> property with the name "IdentityMgtEventListener" to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

    Code Block
    languagexml
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>

  2. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    Authentication.Policy.Enable=true
      Enables the authentication-flow-level checks for the account lock and one-time password features. This property must be enabled for the account lock feature to work.

    Authentication.Policy.Account.Lock.On.Failure=true
      Enables locking the account when authentication fails.

    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
      The number of consecutive failed login attempts after which the account is locked. In this case, if the login fails twice, the account is locked.

    Authentication.Policy.Account.Lock.Time=5
      The lock time in minutes. In this case, the account is locked for five minutes, after which authentication can be attempted again.

    Code Block
    languagebash
    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=5

Unlocking the locked user account

A user account locked by failed login attempts can be unlocked by one of the following methods:

  • By setting a lock timeout period: the Identity Server can be configured to automatically unlock the user account after a configured amount of time. To configure this, set the Authentication.Policy.Account.Lock.Time property in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file. As mentioned in the above table, the value is the number of minutes that the account is locked for, after which authentication can be attempted again.

    Code Block
    languagebash
    Authentication.Policy.Account.Lock.Time=5

    Note
    The automatic unlocking happens only when the account is locked because the maximum number of failed login attempts was exceeded.

    Info
    If the lock time is set to 0, the account has to be unlocked by an admin user.

  • By an administrative user: for more information, see Account locking by an administrative user.
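To make the semantics of the properties above concrete, here is an added Python model of the lock and unlock rules this page describes (the Max.Attempts threshold, the Lock.Time auto-unlock, and Lock.Time=0 meaning admin unlock only). It is example code written for this page, not Identity Server code: the property names are the real ones, while the parser, the LockPolicy class and the sample properties text are constructed here.

```python
from dataclasses import dataclass, field
# Constructed sample of the identity-mgt.properties lines shown on this page.
SAMPLE_PROPERTIES = """\
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5
"""
P = "Authentication.Policy."

def parse_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines if l and l[0] != "#")}

@dataclass
class LockPolicy:  # model of the rules this page describes, not Identity Server code
    max_attempts: int
    lock_minutes: int  # 0 means the account stays locked until an admin unlocks it
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked_at: dict = field(default_factory=dict)  # user -> minute the lock started
    @classmethod
    def from_properties(cls, props):
        if props.get(P + "Enable") != "true" or props.get(P + "Account.Lock.On.Failure") != "true":
            raise ValueError("account locking is not enabled in identity-mgt.properties")
        return cls(int(props[P + "Account.Lock.On.Failure.Max.Attempts"]), int(props[P + "Account.Lock.Time"]))

    def is_locked(self, user, now_minutes):
        if user not in self.locked_at:
            return False
        if self.lock_minutes and now_minutes - self.locked_at[user] >= self.lock_minutes:
            self.admin_unlock(user)  # Lock.Time elapsed: auto-unlock and reset the counter
            return False
        return True  # with Lock.Time=0 the branch above never fires: admin unlock only

    def authenticate(self, user, password_ok, now_minutes):
        """Returns 'ok', 'failed' or 'locked'; a locked user is rejected even with the right password."""
        if self.is_locked(user, now_minutes):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)  # only consecutive failures count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:  # Max.Attempts=2: second failure locks
            self.locked_at[user] = now_minutes
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)
```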

Account locking by an administrative user

An administrative user can lock a user account using one of the following methods:

  • Using the management console
  • Using the AdminService

Using the management console

An administrative user can lock a user account by editing the user's profile in the management console.

  1. Start the IS server if you have not already and log in to the management console using admin credentials.
  2. Navigate to Claims > List on the Configure menu and select the http://wso2.org/claims claim dialect. For more information about claims, see Claim Management.
  3. Select the Account Locked claim and click Edit.
  4. Select the "Supported by Default" checkbox and click Update. This is done to make the "Account Locked" status appear in the user's profile.
  5. Navigate to Users and Roles > List > Users on the Main menu and click on User Profile of the user you want to lock.
  6. If it is the first time this particular account is being locked, a textbox will appear in front of the Account Locked field. To lock the account, type true in the textbox and click Update.

Note

If it is not the first time you are locking this user account, there will be a checkbox instead of the textbox in front of the Account Locked field. Select the checkbox to lock the account or unselect it to unlock the account, and click Update.

Using the AdminService

An administrative user (with the permission level /permission/admin/configure/security/usermgt/users) can lock a user account using the UserIdentityManagementAdminService. The admin service provides the lockUserAccount operation to achieve this. The following is a sample SOAP request that can be sent to the UserIdentityManagementAdminService (https://localhost:9443/services/UserIdentityManagementAdminService) to lock a user account.

Code Block
languagexml
titleLock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:lockUserAccount>
      <!--Optional:-->
      <ser:userName>Alex</ser:userName>
    </ser:lockUserAccount>
  </soapenv:Body>
</soapenv:Envelope>

Unlocking a user account from the admin service

Similarly, you can use the UserIdentityManagementAdminService to unlock a locked user account. The service provides the unlockUserAccount operation to achieve this. The following is a sample SOAP request that can be sent to the UserIdentityManagementAdminService to unlock a user account.

Code Block
languagexml
titleUnlock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:unlockUserAccount>
      <!--Optional:-->
      <ser:userName>Alex</ser:userName>
    </ser:unlockUserAccount>
  </soapenv:Body>
</soapenv:Envelope>

The Identity Server can be configured to send an email notification to the user when a user account is unlocked by an admin user. Follow the steps below to configure this.

  1. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    Notification.Expire.Time=7200
      The time specified here is in minutes. In this case, the notification expires after 7200 minutes.

    Notification.Sending.Internally.Managed=true
      Enables the internal email sending module. If this property is set to false, the email sending data is made available to the application via a Web service, so the application can send the email using its own email sender.

    Notification.Sending.Enable=true
      Enables the email sending function when the account is unlocked.

    Code Block
    languagebash
    Notification.Sending.Enable=true
    Notification.Expire.Time=7200
    Notification.Sending.Internally.Managed=true

    A detailed description of the above properties can be found at the end of this page.

  2. Navigate to the <IS_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following property. Change the parameter values according to your email account (see the second code block below for an example).

    Code Block
    languagexml
    <!--<transportSender name="mailto"
    class="org.apache.axis2.transport.mail.MailTransportSender">

    Code Block
    languagexml
    titleExample
    <transportSender name="mailto"
    class="org.apache.axis2.transport.mail.MailTransportSender">
        <parameter name="mail.smtp.from">sampleemail@gmail.com</parameter>
        <parameter name="mail.smtp.user">sampleemail</parameter>
        <parameter name="mail.smtp.password">password</parameter>
        <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
        <parameter name="mail.smtp.port">587</parameter>
        <parameter name="mail.smtp.starttls.enable">true</parameter>
        <parameter name="mail.smtp.auth">true</parameter>
    </transportSender>

  3. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.

    Code Block
    languagexml
    <configuration type="accountUnLock">
        <targetEpr></targetEpr>
        <subject>WSO2 Carbon - Your account unlocked</subject>
        <body>
            Hi {first-name},
            Please note that the account registered with us with the user name: {user-name} has been unlocked by Admin.
        </body>
        <footer>
            Best Regards,
            WSO2 Identity Server Team
            http://www.wso2.com
        </footer>
        <redirectPath></redirectPath>
    </configuration>

  4. Restart the server once the configuration changes are made.

Note

For the account locking/unlocking process, IS uses the following Identity claims to store the related attributes.

Storing claims in the user store

By default, IS stores these claim values in the JDBC datasource configured in the identity.xml file. If needed, you can configure IS to store the claim values in the user store as well. To do this:

  1. Open the <IS_HOME>/repository/conf/identity/identity-mgt.properties file and change the Identity.Mgt.User.Data.Store property to the datastore you have configured.

    Code Block
    languagebash
    Identity.Mgt.User.Data.Store=org.wso2.carbon.identity.mgt.store.UserStoreBasedIdentityDataStore

    Info
    The default value org.wso2.carbon.identity.mgt.store.JDBCIdentityDataStore is the Identity datasource. Changing the store to UserStoreBasedIdentityDataStore ensures that identity claims are stored in the user store.

  2. The identity claims mentioned below should be mapped correctly to the attributes in the underlying user store. For more information on how to do this, see Claim Management.

See the following table for descriptions of the configurations in identity-mgt.properties.

Notification.Sending.Enable=true
  Enables the email sending function when the account is unlocked.

Notification.Expire.Time=7200
  The time specified here is in minutes. In this case, the notification expires after 7200 minutes.

Notification.Sending.Internally.Managed=true
  Enables the internal email sending module. If false, the email sending data is made available to the application via a Web service, so the application can send the email using its own email sender.

Authentication.Policy.Enable=true
  Enables the authentication-flow-level checks for the account lock and one-time password features. You must enable this to make the account lock feature work.

Authentication.Policy.Account.Lock.On.Failure=true
  Enables locking the account when authentication fails.

Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
  The number of consecutive failed login attempts after which the account is locked. In this case, if the login fails twice, the account is locked.

Authentication.Policy.Account.Lock.Time=5
  The lock time in minutes. In this case, the account is locked for five minutes, after which authentication can be attempted again.