Account Lock/Unlock

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


The WSO2 Identity Server can be configured to lock a user account when a configurable number of failed login attempts is exceeded. There are also two configurations that can be used to unlock a user account.

An Admin user can also lock a user account directly using the lockUserAccount operation of the UserIdentityManagementAdminService at https://localhost:9443/services/UserIdentityManagementAdminService?wsdl.

Configuring the account lock time

This section explains how to configure the WSO2 Identity Server to lock or unlock a user account using the <IS_HOME>/repository/conf/security/identity-mgt.properties file.

  1. Configure the following parameters in the <IS_HOME>/repository/conf/security/identity-mgt.properties file.

    Identity.Listener.Enable=true
    Notification.Sending.Enable=true
    Notification.Expire.Time=7200
    Notification.Sending.Internally.Managed=true
    Authentication.Policy.Enable=true
    Authentication.Policy.Account.Lock.On.Failure=true
    Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    Authentication.Policy.Account.Lock.Time=2

    See the following table for descriptions of these configurations.

  2. Configure the following claims and correctly map the attributes with the existing underlying user store. See Claim Management for more information on how to do this.

    • http://wso2.org/claims/identity/accountLocked - This claim stores the status of the user's account, i.e., whether it is locked or not.

    • http://wso2.org/claims/identity/unlockTime - This claim stores the timestamp at which the user's account is to be unlocked.

    • http://wso2.org/claims/identity/failedLoginAttempts - This claim tracks the number of consecutive failed login attempts. The account is locked when this count reaches the configured maximum.

  3. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file. This is the format in which the email is sent to the user when the account is unlocked.

    <configuration type="accountUnLock">
        <targetEpr></targetEpr>
        <subject>WSO2 Carbon - Your account unlocked</subject>
        <body>
            Hi {first-name},
            Please note that the account registered with us with the user name : {user-name} has been unlocked by Admin.
        </body>
        <footer>
            Best Regards,
            WSO2 Identity Server Team
            http://www.wso2.com
        </footer>
        <redirectPath></redirectPath>
    </configuration>
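The following is an added, illustrative model of the lock-on-failure policy that steps 1 and 2 configure; it is not WSO2 Identity Server code. It parses the properties shown above and applies them to the three identity claims, assuming that Account.Lock.Time is expressed in minutes and that timestamps are epoch seconds.

```python
# Constructed sample: a subset of the identity-mgt.properties values shown on this page.
SAMPLE_PROPERTIES = """
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2
"""
LOCKED = "http://wso2.org/claims/identity/accountLocked"
UNLOCK_TIME = "http://wso2.org/claims/identity/unlockTime"
FAILED = "http://wso2.org/claims/identity/failedLoginAttempts"

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

class LockPolicy:
    """Lock-on-failure policy as described on this page (illustrative, not product code)."""
    def __init__(self, props):
        self.enabled = props.get("Authentication.Policy.Account.Lock.On.Failure") == "true"
        self.max_attempts = int(props["Authentication.Policy.Account.Lock.On.Failure.Max.Attempts"])
        # Assumption: Account.Lock.Time is given in minutes; claim timestamps are epoch seconds.
        self.lock_seconds = int(props["Authentication.Policy.Account.Lock.Time"]) * 60

    def is_locked(self, claims, now):
        """True while the lock is in force; an expired lock is cleared and the counter reset."""
        if claims.get(LOCKED) != "true":
            return False
        if now >= int(claims.get(UNLOCK_TIME, "0")):
            claims[LOCKED] = "false"
            claims[FAILED] = "0"
            return False
        return True

    def record_failure(self, claims, now):
        """Count a failed login; lock once the count reaches Max.Attempts. Returns True if now locked."""
        if not self.enabled:
            return False
        attempts = int(claims.get(FAILED, "0")) + 1
        claims[FAILED] = str(attempts)
        if attempts >= self.max_attempts:
            claims[LOCKED] = "true"
            claims[UNLOCK_TIME] = str(now + self.lock_seconds)
            return True
        return False
```

With Max.Attempts=2 and Lock.Time=2, the second consecutive failure locks the account and sets unlockTime 120 seconds ahead; a check after that time clears the lock and resets failedLoginAttempts.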