This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Locking a Specific User Account
An administrative user can lock and unlock a particular user's account through the management console or using the AdminService. First, you need to configure WSO2 Identity Server for user account locking and disabling. The following steps describe how to do this configuration.
Configuring WSO2 Identity Server for locking a specific user account
The instructions on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the identity governance listener (the IdentityMgtEventListener with orderId=95 in identity.xml, described below).
Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.
- Ensure that the IdentityMgtEventListener with orderId=50 is set to false and the IdentityMgtEventListener with orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file. This is already configured this way by default, so you can skip this step if you have not changed this configuration previously.
Tip
The properties that you configure in the <IS_HOME>/repository/conf/identity/identity-event.properties file are applied when WSO2 Identity Server starts. Any changes you make to this file after the server has started are not picked up until the next restart.
- Start the Identity Server and log in to the management console using your tenant credentials.
Alternatively, you can use the IdentityGovernanceAdminService SOAP service instead of the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you use the SOAP service to configure this, you do not need to follow the remaining steps below.
- Click Resident under Identity Providers in the Main tab.
- Expand the Login Policies tab.
- Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save the changes.
- To enable account locking for other tenants, log out and repeat the steps above, starting from logging in to the management console with that tenant's credentials.
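The listener check in the first step is the one most easily broken by an upgrade or a merged configuration file, and the server does not warn when both listeners are enabled or both are disabled. The script below is added here as an example and is not part of the WSO2 pack: it parses identity.xml and reports whether the two IdentityMgtEventListener entries are in the documented state (orderId=50 disabled, orderId=95 enabled). The embedded XML fragment is constructed for the example; the listener class names and the carbon.xml namespace on the root element are assumed from the default identity.xml shipped with IS 5.3.x, so compare them with the file in your own <IS_HOME> before relying on the check.

```python
"""Verify the identity.xml listener state that account locking depends on.

Added example, not part of the WSO2 pack. It checks that the IdentityMgtEventListener
with orderId=50 is disabled and the one with orderId=95 is enabled, as the steps above
require. Assumption: EventListener elements carry name, orderId and enable attributes,
and the listener class names in the sample are those of the default identity.xml in
IS 5.3.x; verify them against the file in your own <IS_HOME>.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: only the part of identity.xml that matters here, with the
# default Carbon namespace that the real file declares on its root element.
SAMPLE_IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <EventListeners>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
                   orderId="50" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener"
                   orderId="95" enable="true"/>
  </EventListeners>
</Server>
"""

# orderId -> enable value that the documented configuration requires
EXPECTED = {"50": False, "95": True}


def _local_name(tag: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://...}EventListener'."""
    return tag.rsplit("}", 1)[-1]


def listener_states(xml_text: str) -> dict:
    """Return {orderId: (listener class name, enabled)} for every EventListener whose
    class name ends in IdentityMgtEventListener, whatever XML namespace the file uses."""
    states = {}
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "EventListener":
            continue
        name = el.get("name", "")
        if not name.endswith("IdentityMgtEventListener"):
            continue
        enabled = el.get("enable", "false").strip().lower() == "true"
        states[el.get("orderId", "")] = (name, enabled)
    return states


def check_listeners(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file matches the documented state."""
    states = listener_states(xml_text)
    problems = []
    for order_id, want in EXPECTED.items():
        if order_id not in states:
            problems.append(f"no IdentityMgtEventListener with orderId={order_id}")
            continue
        name, enabled = states[order_id]
        if enabled != want:
            problems.append(
                f"{name} (orderId={order_id}) has enable={str(enabled).lower()}, "
                f"expected {str(want).lower()}"
            )
    return problems


if __name__ == "__main__":
    # usage: python check_identity_xml.py <IS_HOME>/repository/conf/identity/identity.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IDENTITY_XML
    issues = check_listeners(text)
    for issue in issues:
        print("PROBLEM:", issue)
    print("OK" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Run it against the real file before restarting the server; a non-zero exit code makes it usable as a pre-start check in a deployment pipeline.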
Once the above configuration is done, you can use one of the following methods to lock a user account.
From 5.3.0 onwards there is a new implementation of the identity management features. The steps given below follow the new implementation, which is the recommended approach for account locking.
Alternatively, to see how to enable this identity management feature using the old implementation, see the User Account Locking and Account Disabling documentation for WSO2 IS 5.2.0. The old implementation has been retained in the WSO2 IS pack for backward compatibility and can still be used if required.
Using the management console
An administrative user can lock a user account by editing the user’s profile in the management console.
- Start the WSO2 IS server and log in to the management console using admin credentials.
- Navigate to Claims > List on the Configure menu and select the http://wso2.org/claims claim dialect. For more information about claims, see Claim Management.
- Select the Account Locked claim and click Edit.
- Select the Supported by Default checkbox and click Update. This makes the Account Locked status appear in the user's profile.
- Navigate to Users and Roles > List > Users on the Main menu and click User Profile for the user you want to lock.
- If this is the first time this account is being locked, the claim has no value yet and a textbox appears next to the Account Locked field. To lock the account, type true in the textbox and click Update.
If the account has been locked before, a checkbox appears next to the Account Locked field instead of the textbox. Select the checkbox to lock the account or clear it to unlock the account, then click Update.
Using the AdminService
An administrative user (with the permission /permission/admin/configure/security/usermgt/users) can lock a user account using the UserIdentityManagementAdminService. The admin service provides the lockUserAccount operation for this. The following is a sample SOAP request that can be sent to the UserIdentityManagementAdminService to lock a user account.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:lockUserAccount>
         <!--Optional:-->
         <ser:userName>Bob</ser:userName>
      </ser:lockUserAccount>
   </soapenv:Body>
</soapenv:Envelope>
Unlocking a user account using the admin service
Similarly, you can use the UserIdentityManagementAdminService to unlock a locked user account. The service provides the unlockUserAccount operation for this. The following is a sample SOAP request that can be sent to the UserIdentityManagementAdminService to unlock a user account.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:unlockUserAccount>
         <!--Optional:-->
         <ser:userName>Bob</ser:userName>
      </ser:unlockUserAccount>
   </soapenv:Body>
</soapenv:Envelope>
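The two envelopes above differ only in the operation element, so a small client covers both lock and unlock. The script below is an added example, not WSO2's own client code. Beyond the page's samples it shows the two things that matter when this call is wrapped in a help-desk tool: the user name is XML-escaped before it is placed in the body, so a value such as bob</ser:userName><ser:userName>admin cannot rewrite the request, and the server certificate is verified rather than ignored. The service URL (default Carbon HTTPS port 9443), HTTP basic authentication with an admin account, and the urn:<operation> form of the SOAPAction header are assumptions not stated on this page; see Calling Admin Services for the invocation details that apply to your deployment.

```python
"""Lock or unlock a WSO2 IS user account through UserIdentityManagementAdminService.

Added example; this is not WSO2's own client code. Assumptions not stated on the
original page: the service is reached at https://<host>:9443/services/... (the default
Carbon HTTPS port), it accepts HTTP basic authentication with an admin account, and the
SOAPAction header follows the Axis2 form "urn:<operation>".
"""
import base64
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_SER = "http://services.mgt.identity.carbon.wso2.org"
DEFAULT_URL = "https://localhost:9443/services/UserIdentityManagementAdminService"  # assumed
OPERATIONS = ("lockUserAccount", "unlockUserAccount")


def build_envelope(operation: str, username: str) -> str:
    """Build the SOAP envelope shown on the page for either operation.

    The user name is XML-escaped. If it arrives from an untrusted source (a help-desk
    form, a ticket field), a value like 'bob</ser:userName><ser:userName>admin' must end
    up as literal text, not as extra elements that change which account is locked.
    """
    if operation not in OPERATIONS:
        raise ValueError(f"unsupported operation: {operation}")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS_SOAP}" xmlns:ser="{NS_SER}">'
        "<soapenv:Header/><soapenv:Body>"
        f"<ser:{operation}><ser:userName>{escape(username)}</ser:userName></ser:{operation}>"
        "</soapenv:Body></soapenv:Envelope>"
    )


def user_names_in(envelope: str) -> list:
    """Parse an envelope and return the text of every ser:userName element. Used to
    confirm that escaping kept the request to exactly one, unmodified user name."""
    root = ET.fromstring(envelope)
    return [el.text for el in root.iter(f"{{{NS_SER}}}userName")]


def call_admin_service(operation, username, admin_user, admin_password,
                       url=DEFAULT_URL, cafile=None, timeout=30):
    """POST the request and return the response body as text.

    cafile: PEM file holding the CA that signed the server certificate (or the server's
    own certificate, since the default WSO2 keystore is self-signed). Verification stays
    on: the request carries admin credentials, so do not disable it to make a
    self-signed certificate work.
    """
    body = build_envelope(operation, username).encode("utf-8")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": f"urn:{operation}",
            "Authorization": f"Basic {token}",
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # usage: python lock_account.py lock|unlock <user> <admin_user> <admin_password> [cafile]
    op = {"lock": "lockUserAccount", "unlock": "unlockUserAccount"}[sys.argv[1]]
    print(call_admin_service(op, sys.argv[2], sys.argv[3], sys.argv[4],
                             cafile=sys.argv[5] if len(sys.argv) > 5 else None))
```

Because the admin credentials travel in a basic-auth header, the call must only ever go over HTTPS with the certificate checked; treating the caller's user name as data rather than markup is what keeps a lock request for one user from becoming a lock request for another.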
Configuring email notifications for locking a specific user account
Once you have configured WSO2 Identity Server for locking a specific user account, you can also configure it to send an email to the user's email address when the account is locked. To configure this, follow the steps below.
- Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory and configure the property values for your email server under the <adapterConfig type="email"> tag.
<adapterConfig type="email">
    <!-- Comment out the mail.smtp.user and mail.smtp.password properties to connect to SMTP servers that use trust-based authentication rather than username/password authentication -->
    <property key="mail.smtp.from">abcd@gmail.com</property>
    <property key="mail.smtp.user">abcd</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
</adapterConfig>
The SMTP password is stored in clear text in this file, so restrict read access to the account that runs the server (WSO2 Secure Vault can encrypt such values), and keep mail.smtp.starttls.enable set to true so that the credentials are not sent to the mail server in the clear.
- Restart the server.
Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.