Account Locking by Failed Login Attempts

WSO2 Identity Server can be configured to lock a user account when a number of consecutive failed login attempts are exceeded. First, you need to configure WSO2 Identity Server for user account locking and disabling. The following section explains how to configure this.

Configuring WSO2 Identity Server for Account Locking by Failed Login Attempts feature

The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance identity.mgt listener.

Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the steps for the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation.

Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and the "IdentityMgtEventListener" with the orderId=95 is set to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

This is already configured this way by default. You can skip this step if you have not changed this configuration previously.
Click to see the code block
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/> <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
Tip

The properties that you configure in the <IS_HOME>/repository/conf/identity/identity-event.properties file are applied at the time of WSO2 Identity Server startup.
Once you start the server, any consecutive changes that you do in the <IS_HOME>/repository/conf/identity/identity-event.properties file, will not be picked up.
Start the Identity Server and log into the management console using your tenant credentials.

Alternatively, you can also use the IdentityGovernanceAdminService SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.
Click Resident under Identity Providers found in the Main tab.
Expand the Login Policies tab.
Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes.
To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards.

The following table describes the configuration properties and descriptions you need to configure:

Configuration	Description
Maximum Failed Login Attempts	This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. If the value you entered is 2, the account is locked if the login attempt fails twice.
Lock Timeout Increment Factor	This indicates how much the account unlock timeout is incremented by after each failed login attempt. For example, according to the values configured in the above screen, when a user exceeds the specified limit of 4 Maximum Failed Login Attempts, the account is locked for 10 minutes. This account unlock timeout is calculated as follows. Account unlock timeout = Configured Account Unlock Time * (Lock Timeout Increment Factor ^ failed login attempt cycles) i.e., 10 minutes = 5 * ( 2 ^ 1 ) Tip If you want to configure the Lock Timeout Increment Factor property via the file based configuration, the parameter you need to configure is `account.lock.handler.login.fail.timeout.ratio` found in the `<IS_HOME>/repository/conf/identity/identity-event.properties` file. If the user attempts to log in with invalid credentials again after the wait time has elapsed and the account is unlocked, the number of login attempt cycles is now 2 and the wait time is 20 minutes.
Account Unlock Time	The time specified here is in minutes. According to the values in the screenshot above, the account is locked for 5 minutes after the user's second failed attempt and authentication can be attempted once this time has passed.
Account Lock Enabled	This enables locking the account when authentication fails.

If you want to configure different settings for another tenant, log out and follow the same steps to configure these properties for the other tenants.

Configuring WSO2 IS for automatic account unlock

The WSO2 Identity Server can be configured to automatically unlock a user account after a certain period of time. A user account locked by failed login attempts can be unlocked by setting a lock timeout period.

Configure the Authentication.Policy.Account.Lock.Time property in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file. As mentioned in the above table, the value refers to the number of minutes that the account is locked for, after which, authentication can be attempted again.

Authentication.Policy.Account.Lock.Time=5

If the lock time is set to 0, the account has to be unlocked by an admin user. For more information about this, see Account locking for a particular user.

Configuring sending emails for Account Locking by Failed Login Attempts

Once you have configured WSO2 Identity Server for account locking by failed login attempts, you can also configure the WSO2 IS to send an email to the user's email address when the user account is locked due to failed login attempts. To configure this, follow the steps below.

Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory.

Configure the relevant property values for the email server under the <adapterConfig type="email"> tag.

<adapterConfig type="email">
    <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
    based authentication rather username/password authentication -->
   	<property key="mail.smtp.from">abcd@gmail.com</property>
   	<property key="mail.smtp.user">abcd</property>
   	<property key="mail.smtp.password">xxxx</property>
   	<property key="mail.smtp.host">smtp.gmail.com</property>
   	<property key="mail.smtp.port">587</property>
   	<property key="mail.smtp.starttls.enable">true</property>
   	<property key="mail.smtp.auth">true</property>
   	<!-- Thread Pool Related Properties -->
   	<property key="minThread">8</property>
   	<property key="maxThread">100</property>
   	<property key="keepAliveTimeInMillis">20000</property>
   	<property key="jobQueueSize">10000</property>
</adapterConfig>

Restart the Server.

Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

Configuring the email templates

To use these templates, apply the 5746 WUM update for WSO2 Identity Server 5.6.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM.

With this WUM update, WSO2 Identity Server uses two separate email templates for notifying users of the following:

Account lock by administrator
Account unlock by administrator

Add the following email templates using the management console. For detailed instructions, see Customizing Automated Emails.

Account lock by administrator

Email Template Type	AccountLockFailedAttempt
Template Language	English(United States)
Email Content Type	text/html
Subject	WSO2 - Your Account has been Locked
Email Body	Click here to expand... <![CDATA[<table align="center" cellpadding="0" cellspacing="0" border="0" width="100%"bgcolor="#f0f0f0"> <tr> <td style="padding: 30px 30px 20px 30px;"> <table cellpadding="0" cellspacing="0" border="0" width="100%" bgcolor="#ffffff" style="max-width: 650px; margin: auto;"> <tr> <td colspan="2" align="center" style="background-color: #333; padding: 40px;"> <a href="http://wso2.com/" target="_blank"><img src="http://cdn.wso2.com/wso2/newsletter/images/nl-2017/wso2-logo-transparent.png" border="0"/></a> </td> </tr> <tr> <td colspan="2" align="center" style="padding: 50px 50px 0px 50px;"> <h1 style="padding-right: 0em; margin: 0; line-height: 40px; font-weight:300; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 1em;"> Account Locked </h1> </td> </tr> <tr> <td style="text-align: left; padding: 0px 50px;" valign="top"> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;"> Hi {{user.claim.givenname}}, </p> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;"> Please note that the account registered with the user name <b>{{user-name}}</b> has been locked. Please try again later. <br> </p> </td> </tr> <tr> <td style="text-align: left; padding: 30px 50px 50px 50px" valign="top"> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #505050; text-align: left;"> Thanks,<br/>WSO2 Identity Server Team </p> </td> </tr> <tr> <td colspan="2" align="center" style="padding: 20px 40px 40px 40px;" bgcolor="#f0f0f0"> <p style="font-size: 12px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #777;"> © 2018 <a href="http://wso2.com/" target="_blank" style="color: #777; text-decoration: none">WSO2</a> <br> 787 Castro Street, Mountain View, CA 94041. </p> </td> </tr> </table> </td> </tr> </table>]] Footer: ---

Account unlock by administrator

Type	AccountUnlockTimeBased
Template Language	English(United States)
Email Content Type	text/html
Subject	WSO2 - Your Account has been Unlocked
Email Body	Click here to expand... <![CDATA[<table align="center" cellpadding="0" cellspacing="0" border="0" width="100%"bgcolor="#f0f0f0"> <tr> <td style="padding: 30px 30px 20px 30px;"> <table cellpadding="0" cellspacing="0" border="0" width="100%" bgcolor="#ffffff" style="max-width: 650px; margin: auto;"> <tr> <td colspan="2" align="center" style="background-color: #333; padding: 40px;"> <a href="http://wso2.com/" target="_blank"><img src="http://cdn.wso2.com/wso2/newsletter/images/nl-2017/wso2-logo-transparent.png" border="0" /></a> </td> </tr> <tr> <td colspan="2" align="center" style="padding: 50px 50px 0px 50px;"> <h1 style="padding-right: 0em; margin: 0; line-height: 40px; font-weight:300; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 1em;"> Account Unlocked </h1> </td> </tr> <tr> <td style="text-align: left; padding: 0px 50px;" valign="top"> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;"> Hi {{user.claim.givenname}}, </p> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #666; text-align: left; padding-bottom: 3%;"> Please note that the account registered with the user name <b>{{user-name}}</b> has been unlocked automatically as locked time exceeded. <br> </p> </td> </tr> <tr> <td style="text-align: left; padding: 30px 50px 50px 50px" valign="top"> <p style="font-size: 18px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #505050; text-align: left;"> Thanks,<br/>WSO2 Identity Server Team </p> </td> </tr> <tr> <td colspan="2" align="center" style="padding: 20px 40px 40px 40px;" bgcolor="#f0f0f0"> <p style="font-size: 12px; margin: 0; line-height: 24px; font-family: 'Nunito Sans', Arial, Verdana, Helvetica, sans-serif; color: #777;"> © 2018 <a href="http://wso2.com/" target="_blank" style="color: #777; text-decoration: none">WSO2</a> <br> 787 Castro Street, Mountain View, CA 94041. </p> </td> </tr> </table> </td> </tr> </table>]]> Footer: --