Locking a Specific User Account
An administrative user can lock and unlock a particular user's account through the management console or using the AdminService. Follow the instructions given in the following sections to set this up.
Configure WSO2 IS for account locking
If you have not already configured WSO2 Identity Server (WSO2 IS) for account locking, follow the instructions below first.
Enable claims for account locking
- Navigate to Claims > List on the Configure menu and select the http://wso2.org/claims claim dialect. For more information about claims, see Claim Management.
- Select the Account Locked claim and click Edit.
- Select the Supported by Default checkbox and click Update. This makes the "Account Locked" status appear in the user's profile.
Lock a specific user account
Once you have configured account locking as instructed above, you can use one of the following methods to lock a user account.
Using the management console
An administrative user can lock a user account by editing the user’s profile in the management console.
- Navigate to Users and Roles > List > Users on the Main menu and click User Profile for the user you want to lock.
- If this is the first time this particular account is being locked, a textbox appears in front of the Account Locked field. To lock the account, type true in the textbox and click Update.
- If it is not the first time this user account is being locked, a checkbox appears in front of the Account Locked field instead of the textbox. Select the checkbox to lock the account, or clear it to unlock the account, and click Update.
Using the AdminService
An administrative user (with the permission /permission/admin/configure/security/usermgt/users) can lock a user account using the RemoteUserStoreManagerService admin service. Use the setUserClaimValues operation to do this. The following is a sample SOAP request that can be sent to the RemoteUserStoreManagerService to lock a user account.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
       <soapenv:Header/>
       <soapenv:Body>
          <ser:setUserClaimValues>
             <!--Optional:-->
             <ser:userName>test</ser:userName>
             <!--Zero or more repetitions:-->
             <ser:claims>
                <!--Optional:-->
                <xsd:claimURI>http://wso2.org/claims/identity/accountLocked</xsd:claimURI>
                <!--Optional:-->
                <xsd:value>true</xsd:value>
             </ser:claims>
             <!--Optional:-->
             <ser:profileName>default</ser:profileName>
          </ser:setUserClaimValues>
       </soapenv:Body>
    </soapenv:Envelope>
Unlocking a user account using the admin service
Similarly, you can use the setUserClaimValues operation of the RemoteUserStoreManagerService admin service to unlock a locked user account. The following is a sample SOAP request that can be sent to the RemoteUserStoreManagerService to unlock a user account.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
       <soapenv:Header/>
       <soapenv:Body>
          <ser:setUserClaimValues>
             <!--Optional:-->
             <ser:userName>test</ser:userName>
             <!--Zero or more repetitions:-->
             <ser:claims>
                <!--Optional:-->
                <xsd:claimURI>http://wso2.org/claims/identity/accountLocked</xsd:claimURI>
                <!--Optional:-->
                <xsd:value>false</xsd:value>
             </ser:claims>
             <!--Optional:-->
             <ser:profileName>default</ser:profileName>
          </ser:setUserClaimValues>
       </soapenv:Body>
    </soapenv:Envelope>
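As an added example (not WSO2's own client code), the following Python script builds both the lock and the unlock setUserClaimValues requests shown above, checks which claim and value a request carries before it is sent, and detects a SOAP fault in the reply so a failed lock is not mistaken for a successful one. The endpoint path /services/RemoteUserStoreManagerService, the SOAPAction header value and the use of HTTP Basic authentication with the admin credentials are assumptions about the deployment; the fault response used for the offline check is constructed.

```python
"""Lock/unlock a WSO2 IS user account through RemoteUserStoreManagerService.

Added example; the endpoint path, SOAPAction value and Basic-auth scheme are
assumptions and must be checked against your deployment.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SER_NS = "http://service.ws.um.carbon.wso2.org"
XSD_NS = "http://common.mgt.user.carbon.wso2.org/xsd"
ACCOUNT_LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked"

# Constructed SOAP fault used to exercise soap_fault() offline (not a real IS reply).
SAMPLE_FAULT_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body><soapenv:Fault>'
    "<faultcode>soapenv:Server</faultcode><faultstring>constructed fault</faultstring>"
    "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)


def build_set_claim_envelope(username, claim_uri, value, profile="default"):
    """Return a setUserClaimValues request with the same shape as the page's samples."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{SER_NS}" xmlns:xsd="{XSD_NS}">'
        "<soapenv:Header/><soapenv:Body><ser:setUserClaimValues>"
        f"<ser:userName>{escape(username)}</ser:userName>"
        "<ser:claims>"
        f"<xsd:claimURI>{escape(claim_uri)}</xsd:claimURI>"
        f"<xsd:value>{escape(value)}</xsd:value>"
        "</ser:claims>"
        f"<ser:profileName>{escape(profile)}</ser:profileName>"
        "</ser:setUserClaimValues></soapenv:Body></soapenv:Envelope>"
    )


def build_lock_request(username):
    """accountLocked=true locks the account (matches the first sample on the page)."""
    return build_set_claim_envelope(username, ACCOUNT_LOCKED_CLAIM, "true")


def build_unlock_request(username):
    """accountLocked=false unlocks the account (matches the second sample on the page)."""
    return build_set_claim_envelope(username, ACCOUNT_LOCKED_CLAIM, "false")


def extract_claim(envelope):
    """Parse a request and return (userName, claimURI, value) to verify it before sending."""
    ns = {"soapenv": SOAP_NS, "ser": SER_NS, "xsd": XSD_NS}
    op = ET.fromstring(envelope).find("soapenv:Body/ser:setUserClaimValues", ns)
    return (
        op.findtext("ser:userName", namespaces=ns),
        op.findtext("ser:claims/xsd:claimURI", namespaces=ns),
        op.findtext("ser:claims/xsd:value", namespaces=ns),
    )


def soap_fault(response_xml):
    """Return the faultstring if the reply is a SOAP 1.1 Fault, otherwise None."""
    fault = ET.fromstring(response_xml).find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    return fault.findtext("faultstring") or "SOAP Fault without faultstring"


def send(envelope, admin_user, admin_password, host="localhost", port=9443, context=None):
    """POST the envelope to the admin service (assumed path) using HTTP Basic auth.

    `context` should be an ssl.SSLContext that trusts the server's certificate.
    """
    url = f"https://{host}:{port}/services/RemoteUserStoreManagerService"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=envelope.encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "urn:setUserClaimValues",  # assumed action name
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req, context=context) as resp:
        body = resp.read().decode("utf-8")
    fault = soap_fault(body)
    if fault is not None:
        raise RuntimeError(f"setUserClaimValues failed: {fault}")
    return body


if __name__ == "__main__":
    # Offline demonstration: inspect the request and the constructed fault reply.
    print(extract_claim(build_lock_request("test")))
    print(soap_fault(SAMPLE_FAULT_RESPONSE))
```

Call send(build_lock_request("test"), "admin", "<admin password>", context=ctx) against a test instance to lock the account, and the same with build_unlock_request to unlock it. Because the request only changes a single claim, reading the claim back (or checking the user's profile in the management console) after the call is the simplest way to confirm that the lock actually took effect.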
Configure email notifications for account locking
Once you have configured WSO2 Identity Server for user account locking, you can also configure WSO2 IS to send an email to the user's email address when the user account is locked. To configure this, follow the steps below.
- Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory and configure the relevant property values for your email server under the <adapterConfig type="email"> tag.

    <adapterConfig type="email">
        <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust based authentication rather than username/password authentication -->
        <property key="mail.smtp.from">abcd@gmail.com</property>
        <property key="mail.smtp.user">abcd</property>
        <property key="mail.smtp.password">xxxx</property>
        <property key="mail.smtp.host">smtp.gmail.com</property>
        <property key="mail.smtp.port">587</property>
        <property key="mail.smtp.starttls.enable">true</property>
        <property key="mail.smtp.auth">true</property>
        <!-- Thread Pool Related Properties -->
        <property key="minThread">8</property>
        <property key="maxThread">100</property>
        <property key="keepAliveTimeInMillis">20000</property>
        <property key="jobQueueSize">10000</property>
    </adapterConfig>

- Restart the server.
Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.
Configuring the email templates
To use these templates, apply the 5746 WUM update for WSO2 Identity Server 5.6.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM.
With this WUM update, WSO2 Identity Server uses two separate email templates for notifying users of the following:
- Account lock by exceeding the "Maximum Failed Login Attempts"
- Account unlock by exceeding the "Account Unlock Time"
Add the following email templates using the management console. For detailed instructions, see Customizing Automated Emails.
Account lock by exceeding the "Maximum Failed Login Attempts"

- Email Template Type: AccountLockAdmin
- Template Language: English (United States)
- Email Content Type: text/html
- Subject: WSO2 - Your Account has been Locked
- Email Body: (not reproduced here)

Account unlock by exceeding the "Account Unlock Time"

- Email Template Type: AccountUnlockAdmin
- Template Language: English (United States)
- Email Content Type: text/html
- Subject: WSO2 - Your Account has been Unlocked
- Email Body: (not reproduced here)