Versions Compared

Old Version 15

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Account locking is a security feature in Identity Server that prevents users from logging in to their account and from authenticating themselves using their IS Identity Server account. For more information about configuring user accounts, see the Configuring User Stores topic. A user account can be locked in one of the following ways:

...

  1. Enable the Identity Listener by setting the <EventListener> property <UserOperationEventListener> property with the name "IdentityMgtEventListener", to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

    Code Block
    languagexml
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>

  2. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    Configuration

    Description

    Authentication.Policy.Enable=true

    This enables the authentication flow level which checks for the account lock and one time password features. This property must be enabled for the account lock feature to work.

    Authentication.Policy.Account.Lock.On.Failure=true

    This enables locking the account when authentication fails.

    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2

    		This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. In this case, if the login fails twice, the account is locked.

    Authentication.Policy.Account.Lock.Time=5

    The time specified here is in minutes. In this case, the account is locked for five minutes and authentication can be attempted once this time has passed.

    Code Block
    languagebash
    Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5

...

  1. Start the IS server if you have not already and log in to the management console using admin credentials.
  2. Navigate to Claims>List on the Configure menu and select the http://wso2.org/claims  claim dialect. For more information about claims, see Claim Management
  3. Select the Account Locked claim and click Edit.

  4. Select the "Supported by Default" checkbox and click Update. This is done to make the "Account Locked" status appear in the user's profile. 
  5. Navigate to Users and Roles>List>Users on the Main menu and click on User Profile of the user you want to lock. 
  6. If it is the first time this particular account is being locked, a textbox will appear in front of the Account Locked field as seen below. To lock the account, type true in the textbox and click Update.
    Screen Shot 2016-01-10 at 9.44.40 PM.pngImage Modified 
Note

If it is not the first time you are locking this user account, there will be a checkbox instead of the textbox shown above in front of the Account Locked field.

Select the checkbox to lock the account or unselect it to unlock the account and click Update.

...

Code Block
titleLock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
  <ser:lockUserAccount>
  <!--Optional:-->
  <ser:userName>SpongeBob<userName>Alex</ser:userName>
  </ser:lockUserAccount>
  </soapenv:Body>
</soapenv:Envelope>

...

Code Block
languagexml
titleUnlock Account SOAP Request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
  <soapenv:Header/>
  <soapenv:Body>
  <ser:unlockUserAccount>
  <!--Optional:-->
  <ser:userName>SpongeBob<userName>Alex</ser:userName>
  </ser:unlockUserAccount>
  </soapenv:Body>
</soapenv:Envelope>

The Identity Server can be configured to send an email notification to the user when a user account is unlocked by an admin user. Follow the steps below to configure this. 
 

  1. Configure the following parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.

    ConfigurationDescription

    Notification.Expire.Time=7200

    The time specified here is in minutes. In this case, the notification expires after 7200 minutes.

    Notification.Sending.Internally.Managed=true

    This enables the internal email sending module. If this property is set to false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender.

    Notification.Sending.Enable=true

    This property enables the email sending function when the password account is unlocked.

    Code Block
    languagebash
    Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true

  2. Navigate to the <IS_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following property. Change the parameter values according to your email (see the second code block below for an example of this).  

    Code Block
    languagexml
    <!--<transportSender name="mailto"
class="org.apache.axis2.transport.mail.MailTransportSender">

...

  1.  

    Code Block
    languagexml
    titleExample
    <transportSender name="mailto"
class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">sampleemail@gmail.com</parameter>
    <parameter name="mail.smtp.user">sampleemail</parameter>
    <parameter name="mail.smtp.password">password</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
</transportSender>

...

...
  1. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.
...

  1.  Code Block
    languagexml
    <configuration type="accountUnLock">
    <targetEpr></targetEpr>
    <subject>WSO2 Carbon - Your account unlocked</subject>
    <body>
        Hi {first-name},
        Please note that the account registered with us with the user name: {user-name} has been unlocked by Admin.
    </body>
    <footer>
        Best Regards,
        WSO2 Identity Server Team
        http://www.wso2.com
    </footer>
    <redirectPath></redirectPath>
</configuration>
 
  1. Restart the server once the configuration changes are made.
Storing claims in the user store 
By default, IS stores these claim values in the JDBC datasource configured in the identity.xml file. If needed, you can configure IS to store the claim values in the userstore as well. 
  1. Open the <IS_HOME>/repository/conf/identity/identity-mgt.properties file and change the Identity.Mgt.User.Data.Store property to the datastore you have configured.
     Code Block
    languagebash
    Identity.Mgt.User.Data.Store=org.wso2.carbon.identity.mgt.store.UserStoreBasedIdentityDataStore
     Info
    The default value  org.wso2.carbon.identity.mgt.store. JDBCIdentityDataStore  is the Identity datasource. Changing the store to   UserStoreBasedIdentityDataStore ensures that identity claims are stored in the userstoreuser store
  2. The identity claims mentioned below should be mapped correctly to the attributes in the underlying user store. For more information on how to do this, see  Claim Management
...