Identity Server can be configured to lock a user account when a configurable number of failed login attempts is exceeded. There are also two ways to unlock a locked user account:
- By using the unlockUserAccount service in https://localhost:9443/services/UserIdentityManagementAdminService?wsdl
- By configuring a lock time in the identity-mgt.properties file (specified using the Authentication.Policy.Account.Lock.Time parameter), after which the account is unlocked automatically.
An admin can also directly lock a user account using the lockUserAccount service in https://localhost:9443/services/UserIdentityManagementAdminService?wsdl
Configuration
Configure the following parameters in the identity-mgt.properties file.
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
Configure the following claims and map each of them to an attribute that exists in the underlying user store.
http://wso2.org/claims/identity/accountLocked
http://wso2.org/claims/identity/unlockTime
http://wso2.org/claims/identity/failedLoginAttempts
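To make the interaction between the properties above and the three claims concrete, the following added example (not code from Identity Server or the WSO2 project) models the lockout policy in plain Python: failed attempts are counted in the failedLoginAttempts claim, the account is flagged in accountLocked once Max.Attempts is reached, unlockTime drives the automatic unlock, and two admin-style operations stand in for the lockUserAccount and unlockUserAccount services. The parser, the class, the status strings and the hypothetical user "alice" are all assumptions; in particular it assumes Authentication.Policy.Account.Lock.Time is given in minutes and that a lock time of 0 keeps the account locked until an admin unlocks it.

```python
from dataclasses import dataclass, field

# Claim URIs from the page; each user carries one value per claim in the user store.
CLAIM_LOCKED = "http://wso2.org/claims/identity/accountLocked"
CLAIM_UNLOCK_TIME = "http://wso2.org/claims/identity/unlockTime"
CLAIM_FAILED = "http://wso2.org/claims/identity/failedLoginAttempts"

# The relevant lines of the page's identity-mgt.properties, embedded here as sample input.
PAGE_PROPERTIES = """
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
"""

# Outcomes of an authentication attempt (names chosen for this example).
STATUS_OK = "OK"                  # credentials valid, account not locked
STATUS_FAILED = "FAILED"          # credentials invalid, counter incremented
STATUS_LOCKED_NOW = "LOCKED_NOW"  # this failure reached Max.Attempts and locked the account
STATUS_LOCKED = "LOCKED"          # rejected because the account is locked, credentials not evaluated


def parse_properties(text: str) -> dict:
    """Parse key=value lines in .properties style; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


@dataclass
class AccountLockPolicy:
    lock_on_failure: bool
    max_attempts: int
    lock_seconds: int                              # 0 = locked until an admin unlocks (assumption)
    claims: dict = field(default_factory=dict)     # user name -> {claim URI: value}

    @classmethod
    def from_properties(cls, props: dict) -> "AccountLockPolicy":
        prefix = "Authentication.Policy.Account.Lock."
        return cls(
            lock_on_failure=props.get(prefix + "On.Failure", "false").lower() == "true",
            max_attempts=int(props.get(prefix + "On.Failure.Max.Attempts", "0")),
            lock_seconds=int(props.get(prefix + "Time", "0")) * 60,   # assumption: value is in minutes
        )

    def _claims(self, user: str) -> dict:
        return self.claims.setdefault(
            user, {CLAIM_LOCKED: "false", CLAIM_UNLOCK_TIME: "0", CLAIM_FAILED: "0"})

    @staticmethod
    def _reset(c: dict) -> None:
        c[CLAIM_LOCKED], c[CLAIM_UNLOCK_TIME], c[CLAIM_FAILED] = "false", "0", "0"

    def is_locked(self, user: str, now: int) -> bool:
        """True while accountLocked is set; expires the lock once unlockTime has passed."""
        c = self._claims(user)
        if c[CLAIM_LOCKED] != "true":
            return False
        unlock_at = int(c[CLAIM_UNLOCK_TIME])
        if unlock_at and now >= unlock_at:
            self._reset(c)        # automatic unlock driven by Authentication.Policy.Account.Lock.Time
            return False
        return True

    def authenticate(self, user: str, credentials_valid: bool, now: int) -> str:
        c = self._claims(user)
        if self.is_locked(user, now):
            return STATUS_LOCKED  # a locked account is rejected even with a correct password
        if credentials_valid:
            c[CLAIM_FAILED] = "0"  # a successful login clears the failure counter
            return STATUS_OK
        failed = int(c[CLAIM_FAILED]) + 1
        c[CLAIM_FAILED] = str(failed)
        if self.lock_on_failure and self.max_attempts > 0 and failed >= self.max_attempts:
            c[CLAIM_LOCKED] = "true"
            c[CLAIM_UNLOCK_TIME] = str(now + self.lock_seconds) if self.lock_seconds else "0"
            return STATUS_LOCKED_NOW
        return STATUS_FAILED

    def admin_lock(self, user: str) -> None:
        """Stands in for lockUserAccount: locked with no automatic unlock time."""
        c = self._claims(user)
        c[CLAIM_LOCKED], c[CLAIM_UNLOCK_TIME] = "true", "0"

    def admin_unlock(self, user: str) -> None:
        """Stands in for unlockUserAccount: clears the lock and the failure counter."""
        self._reset(self._claims(user))


def demo() -> list:
    """Walk hypothetical user 'alice' through the policy; times are seconds on a toy clock."""
    policy = AccountLockPolicy.from_properties(parse_properties(PAGE_PROPERTIES))
    results = [
        policy.authenticate("alice", False, 0),     # FAILED, 1 of 2 attempts used
        policy.authenticate("alice", False, 10),    # LOCKED_NOW, unlockTime = 10 + 120
        policy.authenticate("alice", True, 60),     # LOCKED, correct password still rejected
        policy.authenticate("alice", True, 131),    # OK, lock expired at t=130
    ]
    policy.admin_lock("alice")
    results.append(policy.authenticate("alice", True, 200))  # LOCKED, no unlockTime set
    policy.admin_unlock("alice")
    results.append(policy.authenticate("alice", True, 201))  # OK
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The model makes the operational detail visible: once the lock has been written to accountLocked the password is never evaluated, so an attacker cannot distinguish a correct guess from a wrong one during the lock window, and an admin lock differs from an automatic lock only in that unlockTime stays at 0.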
Configure the email template as follows.
<configuration type="accountLock">
    <targetEpr></targetEpr>
    <subject>WSO2 Carbon - Your account unlocked</subject>
    <body>
        Hi {first-name},
        Please note that the account registered with us with the user name : {user-name} has been unlocked by Admin.
    </body>
    <footer>
        Best Regards,
        WSO2 Identity Server Team
        http://www.wso2.com
    </footer>
    <redirectPath></redirectPath>
</configuration>
To make the WSDL of the https://localhost:9443/services/UserIdentityManagementAdminService?wsdl admin service available, the admin has to change the following configuration to false in the carbon.xml file.
<!-- If this parameter is set, the ?wsdl on an admin service will not give the admin service wsdl. -->
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>