This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Account Disabling
An administrative user can disable a user account by configuring this feature in the WSO2 Identity Server and editing the user profile of the account. You can also disable (switch-off) the account disabling feature so that administrative users do not have permission to disable users.
Configuring WSO2 Identity Server for Account Disabling feature
But first, you need to configure WSO2 Identity Server for user account locking and disabling. Follow the below steps to do this configuration.
The instructions given on this page follow the recommended approach for account locking and account disabling in WSO2 Identity Server, which is to use the governance Prior to the WSO2 IS 5.2.0 release, this was configured in a different way. If you require documentation on the steps for the old method for backward compatibility, see the WSO2 IS 5.2.0 documentation. Ensure that the " This is already configured this way by default. You can skip this step if you have not changed this configuration previously. Tip The properties that you configure in the Once you start the server, any consecutive changes that you do in the Start the Identity Server and log into the management console using your tenant credentials. Alternatively, you can also use the Click Resident under Identity Providers found in the Main tab. Expand the Account Locking tab and select the Account Lock Enabled checkbox. Click Update to save changes. identity.mgt
listener.IdentityMgtEventListener
" with the orderId=50
is set to false and the "IdentityMgtEventListener
" with the orderId=95
is set to true in the <IS_HOME>/repository/conf/identity/identity.xml
file. <IS_HOME>/repository/conf/identity/identity-event.properties
file are applied at the time of WSO2 Identity Server startup.<IS_HOME>/repository/conf/identity/identity-event.properties
file, will not be picked up.IdentityGovernanceAdminService
SOAP service to do this instead of using the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.
Disable an account
Follow the steps below to disable a user account through the WSO2 IS management console.
Navigate to Main>Claims>List and click on 'http://wso2.org/claims'.
Edit the Account Disabled claim. See /wiki/spaces/IS5xx/pages/50463856 for more information on how to do this.
- Tick the checkbox Supported by Default and click Update.
- Navigate to Main>Users and Roles>List>Users and click on User Profile of the user account that you want to disable.
- Tick the Account Disabled checkbox and click Update.
Try it out: Try to log in to IS through the dashboard using 'mark's profile, the login attempt will not be successful.
Switch off account disabling
If you want to switch off the account disabling option, follow the steps below.
The following section provides instructions on how to disable (switch-off) the account disabling feature. You may do this if you want to prevent even administrative users from disabling accounts.
Open the
identity-event.properties
file found in the<IS_HOME>/repository/conf/identity
folder.Set the following property to false to disable account disabling. This will remove the account disabling option from the tenant.
account.disable.handler.enable=false
To disable or enable this option for all tenants, do the following:
- Start WSO2 Identity Server and log in to the management console.
Click List under Identity Providers and then click Resident Identity Provider.
- Expand Login Policies>Account Disabling and select/unselect the Enable Account Disabling checkbox accordingly.
Alternatively, instead of using the management console, you can also enable/disable the user account using the
setUserClaimValues()
method in theRemoteUserStoreManagerService
after you have configured WSO2 IS for account disabling.
Configuring sending emails for Account Disabling feature
Once you have configured WSO2 Identity Server for Account disabling, you can also configure the WSO2 IS to send an email to the user's email address when the user account is disabled. To configure this, follow the steps below. Configure the relevant property values for the email server under the Restart the Server. Tip: The email template used to send the email notification for account locking is the AccountLock template and the template used for account disabling is the AccountDisable template. You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.output-event-adapters.xml
file found in the <IS_HOME>/repository/conf
directory. <adapterConfig type="email">
tag.<adapterConfig type="email">
<!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
based authentication rather username/password authentication -->
<property key="mail.smtp.from">abcd@gmail.com</property>
<property key="mail.smtp.user">abcd</property>
<property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.host">smtp.gmail.com</property>
<property key="mail.smtp.port">587</property>
<property key="mail.smtp.starttls.enable">true</property>
<property key="mail.smtp.auth">true</property>
<!-- Thread Pool Related Properties -->
<property key="minThread">8</property>
<property key="maxThread">100</property>
<property key="keepAliveTimeInMillis">20000</property>
<property key="jobQueueSize">10000</property>
</adapterConfig>