This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

User Account Locking and Account Disabling

Account locking and account disabling are security features in WSO2 Identity Server (IS) that prevent users from logging in to their account and from authenticating themselves using their WSO2 IS account. Account locking temporarily blocks a user from logging in, for example, after many consecutive unsuccessful login attempts. Account disabling is more of a long-term security measure, which disables the account for a significant amount of time.

  1. First configure WSO2 Identity Server for account locking and disabling.
  2. Next, you can do any or all of the following:

Configuring WSO2 Identity Server for account locking and disabling

First, do the following configurations to set up account locking and disabling in WSO2 Identity Server. 

Warning

The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance identity.mgt listener.

Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require the steps for the old method for backward compatibility purposes, see the WSO2 IS 5.2.0 documentation.

  1. Ensure that the "IdentityMgtEventListener" with orderId=50 is disabled (enable="false") and the "IdentityMgtEventListener" with orderId=95 is enabled (enable="true") in the <IS_HOME>/repository/conf/identity/identity.xml file.

    This is already configured this way by default. You can skip this step if you have not changed this configuration previously.

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />

    Tip

    The properties that you configure in the <IS_HOME>/repository/conf/identity/identity-event.properties file are applied at the time of WSO2 Identity Server startup.

    Once the server has started, any subsequent changes you make to the <IS_HOME>/repository/conf/identity/identity-event.properties file are not picked up.

  2. Start the WSO2 IS and log into the management console using your tenant credentials. 

    Alternatively, you can also use the IdentityGovernanceAdminService SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service.

    If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.

  3. Click Resident under Identity Providers found in the Main tab.
  4. Expand the Login Policies tab.
  5. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. 

    For more information about the other fields in this form, see Account Locking by Failed Login Attempts.

  6. To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards. 

Enable email sending for account locking/disabling

Optionally, you can configure the WSO2 IS to send an email to the user's email address when the user account is locked. To configure this, follow the steps below.

  1. Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory. 
  2. Configure the relevant property values for the email server under the <adapterConfig type="email"> tag.

    <adapterConfig type="email">
        <!-- Comment out the mail.smtp.user and mail.smtp.password properties to support connecting to SMTP servers
        that use trust-based authentication rather than username/password authentication -->
        <property key="mail.smtp.from">abcd@gmail.com</property>
        <property key="mail.smtp.user">abcd</property>
        <property key="mail.smtp.password">xxxx</property>
        <property key="mail.smtp.host">smtp.gmail.com</property>
        <property key="mail.smtp.port">587</property>
        <property key="mail.smtp.starttls.enable">true</property>
        <property key="mail.smtp.auth">true</property>
        <!-- Thread Pool Related Properties -->
        <property key="minThread">8</property>
        <property key="maxThread">100</property>
        <property key="keepAliveTimeInMillis">20000</property>
        <property key="jobQueueSize">10000</property>
    </adapterConfig>

    Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template.

    You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.
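The following is an added example, not WSO2 code: a small audit script for the two files this page edits, checking that identity.xml has the legacy identity.mgt listener (orderId 50) disabled and the governance listener (orderId 95) enabled, and that the email adapter in output-event-adapters.xml keeps STARTTLS and SMTP auth on and no longer carries the sample placeholder password. The XML strings are constructed samples that mirror the snippets above; the real files live under <IS_HOME>/repository/conf.

```python
# Added example (not WSO2 code): audit the two config files this page edits.
# Inputs are constructed samples mirroring the page; real files live under <IS_HOME>/repository/conf.
import xml.etree.ElementTree as ET

LEGACY = "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
GOVERNANCE = "org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener"
EXPECTED = {LEGACY: ("50", "false"), GOVERNANCE: ("95", "true")}

def _local(tag):  # identity.xml uses a default namespace; compare local names only
    return tag.rsplit("}", 1)[-1]

def check_listeners(identity_xml):
    """Problems with the IdentityMgtEventListener entries (empty list = correct)."""
    found = {el.get("name"): (el.get("orderId"), (el.get("enable") or "").lower())
             for el in ET.fromstring(identity_xml).iter()
             if _local(el.tag) == "EventListener" and el.get("name") in EXPECTED}
    return [f"{n}: want orderId/enable {want}, got {found.get(n)}"
            for n, want in EXPECTED.items() if found.get(n) != want]

def check_email_adapter(adapters_xml):
    """Problems with the SMTP settings under <adapterConfig type="email">."""
    props = {p.get("key"): (p.text or "").strip()
             for cfg in ET.fromstring(adapters_xml).iter()
             if _local(cfg.tag) == "adapterConfig" and cfg.get("type") == "email"
             for p in cfg if _local(p.tag) == "property"}
    problems = []
    if props.get("mail.smtp.starttls.enable", "").lower() != "true":
        problems.append("STARTTLS disabled: SMTP credentials and lock notices would go in the clear")
    if "mail.smtp.user" in props and props.get("mail.smtp.auth", "").lower() != "true":
        problems.append("mail.smtp.user is set but mail.smtp.auth is not true")
    if props.get("mail.smtp.password", "") in ("", "xxxx"):
        problems.append("mail.smtp.password is empty or still the page's placeholder")
    return problems

IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml"><EventListeners>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
 name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
 name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true"/>
</EventListeners></Server>"""  # constructed: legacy listener wrongly left enabled

ADAPTERS_XML = """<outputEventAdaptersConfig><adapterConfig type="email">
<property key="mail.smtp.user">abcd</property><property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.starttls.enable">false</property><property key="mail.smtp.auth">true</property>
</adapterConfig></outputEventAdaptersConfig>"""  # constructed: weak sample settings

if __name__ == "__main__":
    for problem in check_listeners(IDENTITY_XML) + check_email_adapter(ADAPTERS_XML):
        print("FAIL:", problem)
```

Running it against the constructed samples reports the enabled legacy listener, the disabled STARTTLS and the placeholder password; an empty list from both functions means the file matches what this page asks for.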

What's Next?

Now that you have configured WSO2 Identity Server for account locking and disabling, you can lock or disable a user account in one of the following ways:

Related Topics
  • See Enable last login and last password modified timestamps for more information on how to customize a user's profile to enable viewing of timestamps for the last time the user logged in and the last time the user modified the password.
  • By default, the claim values of the identity claims used in this feature are stored in the JDBC datasource configured in the identity.xml file. See Configuring Claims for more information on how to store the claim values in the user store.