This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Account Lock/Unlock

The WSO2 Identity Server can be configured to lock a user account when a configurable number of failed login attempts is exceeded. There are also two configurations that can be used to unlock a user account.

An admin user can also lock a user account directly using the lockUserAccount operation of the UserIdentityManagementAdminService, whose WSDL is available at https://localhost:9443/services/UserIdentityManagementAdminService?wsdl.

Configuring the account lock time

This section describes how to configure the WSO2 Identity Server to lock or unlock a user account using the <IS_HOME>/repository/conf/security/identity-mgt.properties file.

  1. Configure the following parameters in the <IS_HOME>/repository/conf/security/identity-mgt.properties file.

    Identity.Listener.Enable=true
    Notification.Sending.Enable=true
    Notification.Expire.Time=7200
    Notification.Sending.Internally.Managed=true
    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=2

    See the following table for descriptions of these configurations.

    Configuration: Identity.Listener.Enable=true
    Description: This enables the identity listener.

    Configuration: Notification.Sending.Enable=true
    Description: This enables the email sending function when the account is unlocked.

    Configuration: Notification.Expire.Time=7200
    Description: The time specified here is in minutes. In this case, the notification expires after 7200 minutes.

    Configuration: Notification.Sending.Internally.Managed=true
    Description: This enables the internal email sending module. If false, the email sending data is made available to the application via a Web service, so the application can send the email using its own email sender.

    Configuration: Authentication.Policy.Enable=true
    Description: This enables the authentication flow level checks for the account lock and one-time password features. You must enable this for the account lock feature to work.

    Configuration: Authentication.Policy.Account.Lock.On.Failure=true
    Description: This enables locking the account when authentication fails.

    Configuration: Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Description: This is the number of consecutive failed login attempts a user can make before the account is locked. In this case, if authentication fails twice, the account is locked.

    Configuration: Authentication.Policy.Account.Lock.Time=2
    Description: The time specified here is in minutes. In this case, the account is locked for only two minutes, and authentication can be attempted again once this time passes.
  2. Configure the following claims and correctly map the attributes with the existing underlying user store. See Claim Management for more information on how to do this.
    • http://wso2.org/claims/identity/accountLocked - This claim is used to store the status of the user's account, i.e., if it is locked or not.
    • http://wso2.org/claims/identity/unlockTime - This is used to store the timestamp at which the user's account is unlocked.
    • http://wso2.org/claims/identity/failedLoginAttempts - This is used to track the number of consecutive failed login attempts. The account is locked based on this count.
  3. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.

    <configuration type="accountUnLock">
        <targetEpr></targetEpr>
        <subject>WSO2 Carbon - Your account unlocked</subject>
        <body>
            Hi {first-name},


            Please note that the account registered with us with the user name : {user-name} has been unlocked by Admin.


        </body>
        <footer>
            Best Regards,
            WSO2 Identity Server Team
            http://www.wso2.com
        </footer>
        <redirectPath></redirectPath>
    </configuration>
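As an added illustration (not WSO2's own code), the following Python model applies the Max.Attempts and Lock.Time values from step 1 to the three claims from step 2, showing when an account becomes locked, why a correct password is still rejected during the lock time, and how the counter resets afterwards. The in-memory user record, the epoch-second representation of unlockTime and the plain-text password comparison are assumptions of this model only.

```python
# Added example (not WSO2 code): a minimal model of the account-lock policy
# configured above, using the page's three claims as the per-user state.

MAX_ATTEMPTS = 2            # Authentication.Policy.Account.Lock.On.Failure.Max.Attempts
LOCK_TIME_SECONDS = 2 * 60  # Authentication.Policy.Account.Lock.Time is given in minutes

CLAIM_LOCKED = "http://wso2.org/claims/identity/accountLocked"
CLAIM_UNLOCK_TIME = "http://wso2.org/claims/identity/unlockTime"
CLAIM_FAILED = "http://wso2.org/claims/identity/failedLoginAttempts"


def new_user(password):
    """Hypothetical in-memory stand-in for a user store entry (assumption, not the real store).
    A real store would hold a password hash, not the plain password."""
    return {"password": password,
            CLAIM_LOCKED: False,
            CLAIM_UNLOCK_TIME: 0,   # modelled as epoch seconds (assumption)
            CLAIM_FAILED: 0}


def authenticate(user, password, now):
    """Apply the policy to one login attempt at time `now` (epoch seconds).
    Returns "ok", "bad_password" or "locked" and updates the claims in place."""
    if user[CLAIM_LOCKED]:
        if now < user[CLAIM_UNLOCK_TIME]:
            return "locked"                  # still inside Account.Lock.Time
        # Lock time has passed: clear the lock and the counter, then check credentials.
        user[CLAIM_LOCKED] = False
        user[CLAIM_FAILED] = 0
    if password == user["password"]:
        user[CLAIM_FAILED] = 0               # a success resets the consecutive-failure count
        return "ok"
    user[CLAIM_FAILED] += 1
    if user[CLAIM_FAILED] >= MAX_ATTEMPTS:
        user[CLAIM_LOCKED] = True
        user[CLAIM_UNLOCK_TIME] = now + LOCK_TIME_SECONDS
        return "locked"
    return "bad_password"


def demo():
    """Constructed scenario: two bad passwords, a correct one during the lock, one after it."""
    user = new_user("correct-horse")
    t0 = 1_700_000_000
    results = [
        authenticate(user, "wrong", t0),                # failedLoginAttempts=1
        authenticate(user, "wrong", t0 + 10),           # =2 -> locked until t0+130
        authenticate(user, "correct-horse", t0 + 30),   # right password, still locked
        authenticate(user, "correct-horse", t0 + 180),  # lock expired -> success
    ]
    return results, user[CLAIM_FAILED], user[CLAIM_LOCKED]


if __name__ == "__main__":
    print(demo())
```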