# Configuring Admin-Initiated Account Locking
WSO2 Identity Server lets privileged users (administrators) temporarily lock a suspicious user account so that the user can no longer log in. An account locked this way does not unlock on its own; only a privileged user can unlock it.
## Scenario
Pickup is a cab company whose employees use different credentials to sign in to different internal enterprise applications. Sam is an administrator at Pickup and Alex is a new recruit. Because of suspicious activity on Alex's account, Sam wants to lock it.
Let's learn how Sam can lock Alex's user account!
## Set up
Follow the steps below to configure admin-initiated account locking in WSO2 Identity Server.
1. Open the `deployment.toml` file in the `<IS_HOME>/repository/conf` directory.

2. Check that the following listener configurations are in place. The legacy `identity_mgt` listener stays disabled and the `governance_identity_mgt` listener, which enforces the account lock, is enabled.

    ```toml
    [event.default_listener.identity_mgt]
    priority = "50"
    enable = false

    [event.default_listener.governance_identity_mgt]
    priority = "95"
    enable = true
    ```
3. To configure the email server that sends the account locking and unlocking notification emails, add the following configurations:

    - `from_address`: the email address from which the notification emails are sent.
    - `username`: the user name of that email account.
    - `password`: the password of that email account.

    ```toml
    [output_adapter.email]
    from_address = ""
    username = ""
    password = ""
    hostname = "smtp.gmail.com"
    port = 587
    enable_start_tls = true
    enable_authentication = true
    ```

    Sample configuration (the values are placeholders; do not commit real mailbox credentials to a repository):

    ```toml
    [output_adapter.email]
    from_address = "[email protected]"
    username = "wso2iamtest"
    password = "Wso2@iam70"
    hostname = "smtp.gmail.com"
    port = 587
    enable_start_tls = true
    enable_authentication = true
    ```
    If you are using a Google email account

    Google blocks third-party applications that sign in with only a username and password. Because WSO2 Identity Server acts as such an application when it sends the account locking notifications, the original guidance was to:

    - turn off 2-Step Verification under the Signing in to Google section, and
    - enable Less secure app access in the Google account security section.

    Google has since removed the Less secure app access setting, and turning off 2-Step Verification weakens the mailbox that delivers your security notifications. Keep 2-Step Verification on and generate an App Password for the account instead; use that App Password as the `password` value above.
4. To configure the account locking requirements:

    1. On the Main menu of the Management Console, click Identity > Identity Providers > Resident.
    2. Under the Login Policies section, click Account Locking.
    3. Select the Account Lock Enabled check box.
    4. Click Update.

5. To enable the account locking claim so that it appears in the user profile:

    1. On the Main menu of the Management Console, click Identity > Claims > List.
    2. Click http://wso2.org/claims.
    3. Under Account Locked, click Edit.
    4. Select Supported by Default.
    5. Click Update.
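The listener and email settings above are easy to get subtly wrong (the legacy listener left enabled, an empty SMTP password, STARTTLS switched off), and the server only reveals the mistake after a restart when no notification arrives. The following preflight check is an added example written for this page; it is not part of the WSO2 documentation or product. It reads the two tables discussed above from a `deployment.toml` and lists what is wrong. The small TOML reader understands only the flat `[table]` / `key = value` shape those tables use (strings, integers, booleans), not the full TOML grammar; the embedded sample is constructed and contains one deliberate mistake.

```python
"""Preflight check for the deployment.toml settings behind admin-initiated
account locking in WSO2 Identity Server (added example, not WSO2 code)."""
import re
import sys
from typing import Dict, List

# Constructed sample: the tables shown on the page, with one deliberate
# mistake (the legacy identity_mgt listener is still enabled) and the
# SMTP credentials still empty.
SAMPLE_TOML = """
[event.default_listener.identity_mgt]
priority = "50"
enable = true

[event.default_listener.governance_identity_mgt]
priority = "95"
enable = true

[output_adapter.email]
from_address = ""
username = ""
password = ""
hostname = "smtp.gmail.com"
port = 587
enable_start_tls = true
enable_authentication = true
"""

_KV = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.+?)\s*$')


def _coerce(raw: str):
    """Turn a flat TOML scalar literal into a Python value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything else as an opaque string


def parse_flat_toml(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `[table]` headers and `key = value` lines into nested dicts.
    Only whole-line comments are recognised, so a '#' inside a quoted
    password is preserved."""
    tables: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            tables.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = _coerce(m.group(2))
    return tables


def check_account_lock_config(tables: Dict[str, Dict[str, object]]) -> List[str]:
    """Return findings for the account-locking prerequisites; empty means ready."""
    findings: List[str] = []
    legacy = tables.get("event.default_listener.identity_mgt", {})
    governance = tables.get("event.default_listener.governance_identity_mgt", {})
    email = tables.get("output_adapter.email", {})

    if legacy.get("enable") is not False:
        findings.append("identity_mgt listener must be disabled (enable = false)")
    if governance.get("enable") is not True:
        findings.append("governance_identity_mgt listener must be enabled (enable = true)")
    for key in ("from_address", "username", "password", "hostname"):
        if not email.get(key):
            findings.append(f"output_adapter.email.{key} is empty; lock/unlock emails will not be sent")
    if email.get("enable_start_tls") is not True:
        findings.append("output_adapter.email.enable_start_tls should be true; "
                        "otherwise SMTP credentials travel in clear text")
    if email.get("enable_authentication") is not True:
        findings.append("output_adapter.email.enable_authentication should be true")
    return findings


def check_file(path: str) -> List[str]:
    """Run the check against a real deployment.toml."""
    with open(path, encoding="utf-8") as fh:
        return check_account_lock_config(parse_flat_toml(fh.read()))


if __name__ == "__main__":
    # Usage: python check_lock_config.py <IS_HOME>/repository/conf/deployment.toml
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else \
        check_account_lock_config(parse_flat_toml(SAMPLE_TOML))
    for line in result or ["OK: account locking prerequisites look correct"]:
        print(line)
```

Run it against the real file before restarting the server; with the constructed sample it reports the enabled legacy listener and the three empty email fields.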
## Try out
1. To create the user account for Alex:

    1. On the Main menu of the Management Console, click Identity > Users and Roles > Add.
    2. Click Add New User.
    3. Enter the required data as follows.
        - Domain: Primary
        - Username: Alex
    4. Click Finish.

2. To assign login permissions to the user:

    1. Click the View Roles option of Alex.
    2. Click Permissions.
    3. Select Login and click Update.
3. To lock Alex's user account:

    1. Click the User Profile option of Alex.
    2. Enter an email address to which Alex's account locking emails will be sent and select the Account Locked check box.
    3. Click Update.

        An email that informs about the account locking is sent to the given email address.

    4. Access the WSO2 Identity Server My Account at https://localhost:9443/myaccount.
    5. Try logging in with Alex's credentials. Note that an error message appears.
    6. Try again after some time; the error message still appears. An admin-initiated lock carries no unlock time, so unlike a lock caused by repeated failed login attempts it does not expire, and the account stays locked until an administrator unlocks it.
4. To unlock Alex's user account:

    1. Click the User Profile option of Alex.
    2. Clear the Account Locked check box.
    3. Click Update.

        An email that informs about the account unlocking is sent to the given email address.

    4. Try logging in to the WSO2 Identity Server My Account with Alex's credentials. The WSO2 Identity Server My Account home screen appears.
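Sam can perform the same lock, verification and unlock steps without the Management Console by setting the account-locked claim through the SCIM2 API, which is how the procedure would be scripted from an incident-response runbook. The script below is an added example for this page, not WSO2 code or documentation. It assumes the server at https://localhost:9443 with its default self-signed certificate, the default `admin`/`admin` administrator, and that the SCIM2 attribute backing `http://wso2.org/claims/identity/accountLocked` is `accountLocked` in the enterprise user extension schema; that mapping depends on the Identity Server version, so confirm it under Claims > List in the Management Console and change `LOCK_SCHEMA` if yours differs. `ALEX_PASSWORD` is a placeholder for the password chosen when Alex's account was created. Only the standard library is used.

```python
"""Lock, probe and unlock a WSO2 Identity Server account over SCIM2
(added example, not WSO2 code)."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://localhost:9443"         # assumption: local IS instance
ADMIN = ("admin", "admin")                   # assumption: default admin credentials
ALEX_PASSWORD = "<alex-password>"           # placeholder: password set when Alex was created
# Assumption: SCIM2 schema that carries the accountLocked attribute on this IS version.
LOCK_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 PatchOp schema

# Assumption: the default self-signed certificate is accepted. Never disable
# verification against a production deployment.
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential as used by the IS REST APIs."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def lock_patch(locked: bool) -> dict:
    """SCIM2 PatchOp body that sets (True) or clears (False) the lock flag."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{
            "op": "replace",
            "value": {LOCK_SCHEMA: {"accountLocked": locked}},
        }],
    }


def _request(method: str, path: str, creds, body=None):
    """Send one SCIM2 request and return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(*creds))
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    with urllib.request.urlopen(req, context=_CTX) as resp:
        payload = resp.read()
        return resp.status, (json.loads(payload) if payload else None)


def find_user_id(username: str) -> str:
    """Resolve a userName to its SCIM id with a standard `eq` filter."""
    filt = urllib.parse.quote(f'userName eq "{username}"')
    _, body = _request("GET", f"/scim2/Users?filter={filt}", ADMIN)
    resources = body.get("Resources", []) if body else []
    if not resources:
        raise LookupError(f"no user named {username}")
    return resources[0]["id"]


def set_locked(user_id: str, locked: bool) -> bool:
    """Apply the lock/unlock patch as the administrator; True on HTTP 200."""
    status, _ = _request("PATCH", f"/scim2/Users/{user_id}", ADMIN, lock_patch(locked))
    return status == 200


def can_authenticate(username: str, password: str) -> bool:
    """Probe the user's own credentials against /scim2/Me.

    Assumption: the account lock handler rejects a locked account at
    authentication time, so the probe fails with 401 while the lock holds."""
    try:
        status, _ = _request("GET", "/scim2/Me", (username, password))
        return status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


if __name__ == "__main__":
    uid = find_user_id("Alex")
    print("locked:", set_locked(uid, True))
    print("Alex can authenticate while locked:", can_authenticate("Alex", ALEX_PASSWORD))
    print("unlocked:", set_locked(uid, False))
    print("Alex can authenticate after unlock:", can_authenticate("Alex", ALEX_PASSWORD))
```

The lock and unlock notifications configured in the Set up section are still sent, because setting the claim through SCIM2 triggers the same governance listener as the Management Console does.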