This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
User Account Suspension
The WSO2 Identity Server allows you to set up account suspension to lock accounts that have been idle for a pre-configured amount of time.
Prior to account suspension, set up the notification system to send a warning notification to the user announcing that the account will be suspended. For instance, if a user has not logged in to the account for 90 days, the user can be notified that their account will be suspended within the next 7 days if there continues to be no activity, after which the account will be suspended.
Note: Once an account is suspended, only an administrative user can unlock the account.
Setting up account suspension notifications
The notification module is a scheduled task that runs daily. It fetches users from the user store that are idle and eligible to receive a warning notification based on the last logged-in time. The scheduled task that checks for idle accounts is common to all tenants.
Before you begin
Ensure that the IdentityMgtEventListener with orderId=50 is set to false and that the IdentityMgtEventListener with orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file.
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true"/>
Enable notifications for account suspension by setting the following property to true in the <IS_HOME>/repository/conf/identity/identity-event.properties file.
suspension.notification.enable=true
To define the start time of the scheduled task, configure the following property in the <IS_HOME>/repository/conf/identity/identity-event.properties file. The task runs daily at the trigger time that you configure here.
Tip: Set the value in hh:mm:ss format. If you set it in the wrong format or do not set a value, the default value of 20:00:00 applies.
suspension.notification.trigger.time=20:00:00
Add the following property under all the relevant user stores that you are using in the user-mgt.xml file.
LDAP Userstore:
<Property name="NotificationReceiversRetrievalClass">org.wso2.carbon.identity.account.suspension.notification.task.ldap.LDAPNotificationReceiversRetrieval</Property>
JDBC Userstore:
<Property name="NotificationReceiversRetrievalClass">org.wso2.carbon.identity.account.suspension.notification.task.jdbc.JDBCNotificationReceiversRetrieval</Property>
Optionally, you can configure the following email properties to receive email notifications.
Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory and configure the relevant property values for the email server under the <adapterConfig type="email"> tag.
<adapterConfig type="email">
    <!-- Comment out the mail.smtp.user and mail.smtp.password properties to connect to SMTP servers that use trust-based authentication rather than username/password authentication -->
    <property key="mail.smtp.from">abcd@gmail.com</property>
    <property key="mail.smtp.user">abcd</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
</adapterConfig>
You can customize the emails that are sent to the user by editing the pre-configured email templates.
- The email template used to send an email when the account has been idle for some time is the idleAccountReminder template.
- The template used to send an email when the account has been locked is the AccountLock template.
For more information on how to edit and customize the email templates, see Customizing Automated Emails.
Configuring account suspension settings
- Start the WSO2 IS and log into the management console using your tenant credentials.
- Click Resident under Identity Providers found in the Main tab. Expand the Login Policies tab.
- Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes.
- Expand the Account Management Policies tab.
- Expand the Lock Idle Accounts tab and select Enable. Fill in the following fields and click Update.

| Field | Description | Sample Value |
| --- | --- | --- |
| Lock Account After | The total number of days after which the account is locked. In this case, if the account is idle for 90 days, it is locked. | 90 |
| Alert User in | The number of days (as a comma-separated list) after which the user is sent a warning notification informing them that the account is about to be locked. In this case, the user receives multiple notifications: one after 30 days, the next after 45 days, and so on. If 90 days pass with no activity from the user, the account is locked. | 30,45,60,75 |
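As an added example (not WSO2 code), the following Python models the daily task that the settings above drive: it validates the trigger time with the documented 20:00:00 fallback, parses the "Alert User in" list, and decides, from each user's last-login time, who receives a reminder and whose account is locked on a given run. The user names, dates and function names are constructed for illustration; Identity Server's own implementation may differ in detail.

```python
"""Daily idle-account task modelled on the settings above (added example, not WSO2 code)."""
from datetime import datetime, timedelta

DEFAULT_TRIGGER_TIME = "20:00:00"  # default named by the documentation


def parse_trigger_time(value):
    """Validate suspension.notification.trigger.time (hh:mm:ss); fall back to the default."""
    value = (value or "").strip()
    try:
        datetime.strptime(value, "%H:%M:%S")
    except ValueError:  # empty, malformed or out-of-range value
        return DEFAULT_TRIGGER_TIME
    return value


def parse_alert_days(value):
    """Parse the comma-separated 'Alert User in' list into sorted integers."""
    return sorted(int(d) for d in value.split(",") if d.strip())


def run_daily_task(users, now, lock_after_days, alert_days):
    """Classify users for one run of the daily task.

    users maps username -> last-login datetime. Returns (reminders, locks), each
    mapping username -> idle days. A reminder is due on the exact day an
    'Alert User in' threshold is reached; a lock applies once idle time reaches
    'Lock Account After'. Because reminders match an exact day, a skipped run
    loses that day's reminders, while overdue locks are still caught up.
    """
    reminders, locks = {}, {}
    for name, last_login in users.items():
        idle = (now - last_login).days
        if idle >= lock_after_days:
            locks[name] = idle
        elif idle in alert_days:
            reminders[name] = idle
    return reminders, locks


# Constructed sample data with hypothetical users; NOW is the 20:00:00 trigger.
NOW = datetime(2024, 6, 1, 20, 0, 0)
SAMPLE_USERS = {
    "alice": NOW - timedelta(days=10),   # recently active: nothing happens
    "bob": NOW - timedelta(days=30),     # first reminder
    "carol": NOW - timedelta(days=75),   # last reminder before the lock
    "dave": NOW - timedelta(days=90),    # locked on this run
    "erin": NOW - timedelta(days=120),   # long past the threshold: locked
}

if __name__ == "__main__":
    print("trigger:", parse_trigger_time("20:00:00"))
    print(run_daily_task(SAMPLE_USERS, NOW, 90, parse_alert_days("30,45,60,75")))
```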
Troubleshooting Tips
If you want to troubleshoot this feature, add the following property to the log4j.properties file found in the <IS_HOME>/repository/conf/ folder to receive DEBUG logs.
log4j.logger.org.wso2.carbon.identity.account.suspension.notification.task=DEBUG
By default, the claim values of the identity claims used in this feature are stored in the JDBC datasource configured in the identity.xml file. See Configuring Claims for more information on how to store the claim values in the user store.