This topic guides you through configuring reCAPTCHA for the single sign-on flow. By configuring reCAPTCHA, you can mitigate or block brute force attacks.
- For more information on configuring single sign-on, see Configuring Single Sign-On.
- For more information on brute force attacks, see Mitigating Brute Force Attacks.
Set up reCAPTCHA with WSO2 Identity Server. For instructions on how to do this and more information about reCAPTCHA, see Setting Up ReCaptcha.
- If you want to modify the filter mapping for reCAPTCHA:
- Open the
web.xml
file in the<IS_HOME>/repository/conf/tomcat/carbon/WEB-INF
directory. Locate the following filter and modify the relevant URL patterns if required.
<filter> <filter-name>CaptchaFilter</filter-name> <filter-class>org.wso2.carbon.identity.captcha.filter.CaptchaFilter</filter-class> </filter> <filter-mapping> <filter-name>CaptchaFilter</filter-name> <url-pattern>/samlsso</url-pattern> <url-pattern>/oauth2</url-pattern> <url-pattern>/commonauth</url-pattern> <dispatcher>FORWARD</dispatcher> <dispatcher>REQUEST</dispatcher> </filter-mapping>
- Open the
- Start WSO2 Identity Server and sign in to the Management Console.
- On the Main tab, click Identity > Identity Providers > Resident.
- To configure captcha:
- Expand Login Policies > Captcha for SSO Login.
Provide the required data as given below.
Field Description Sample Value Enable This determines whether the captcha verification at SSO should be enabled or not. Enable Max failed attempts This defines the maximum number of failed attempts allowed without having to use the captcha.
This value should be less than the number of failed attempts configured for account locking in the next step.
3
- Expand Login Policies > Captcha for SSO Login.
To configure account locking:
This configuration ensures that user account gets locked when an incorrect password is typed even after using the captcha.
Expand Login Policies > Account Locking.
Provide the required data as given below.
Field Description Sample Value Account Lock Enabled This determines whether the accounts should get locked for failed logins or not.
Enabled Maximum Failed Login Attempts This defines the maximum number of failed attempts allowed.
5
Account Unlock Time This defines the duration in minutes for which the account is locked for. 5
Lock Timeout Increment Factor This defines how the
account unlock time
should be increased for every subsequent account locking.2
Click Update.
You have successfully configured reCAPTCHA for SSO.Access the WSO2 Identity Server Dashboard.
Attempt signing in as an administrator with an incorrect password for three times. The reCAPTCHA appears.