Governance Connectors Management API Definition¶
This is the RESTful API for managing identity governance configurations
in WSO2 Identity Server. These configurations are grouped into five main
categories. Each category has subcategories which are called connectors,
and properties of connectors as mentioned below.
Password Policies
Password History
| Property display name | Property name | Purpose |
|---|---|---|
| Validate password history | passwordHistory.enable | User will not be allowed to use previously used passwords. |
| Password history validation count | passwordHistory.count | Restrict reusing this number of previously used passwords during a password update. |
Password Patterns
| Property display name | Property name | Purpose |
|---|---|---|
| Validate passwords based on a policy pattern | passwordPolicy.enable | Validate user passwords against a policy. |
| Minimum number of characters | passwordPolicy.min.length | This denotes the minimum number of characters in the password. |
| Maximum number of characters | passwordPolicy.max.length | This denotes the maximum number of characters in the password. |
| Password pattern regex | passwordPolicy.pattern | The regular expression pattern to validate the password. |
| Error message on pattern violation | passwordPolicy.errorMsg | The error message that will be displayed when a pattern violation is detected in the password. |
User Onboarding
Self Registration
| Property display name | Property name | Purpose |
|---|---|---|
| User self registration | SelfRegistration.Enable | Users are allowed to self register to the system. |
| Lock user account on creation | SelfRegistration.LockOnCreation | Lock self-registered user account until e-mail verification. |
| Manage notifications sending internally | SelfRegistration.Notification.InternallyManage | This property should be disabled if the client application handles notification sending. |
| Prompt reCaptcha | SelfRegistration.ReCaptcha | This denotes whether reCaptcha verification is required during self registration. |
| User self registration verification link expiry time | SelfRegistration.VerificationCode.ExpiryTime | This denotes the expiry time in minutes for the verification link. |
| User self registration SMS OTP expiry time | SelfRegistration.VerificationCode.SMSOTP.ExpiryTime | This denotes the expiry time in minutes for the SMS OTP. |
| User self registration callback URL regex | SelfRegistration.CallbackRegex | This prefix will be used to validate the callback URL. |
| Manage Self-Sign-Up purposes | _url_listPurposeSelfSignUp | Manage Self-Sign-Up purposes |
| Send sign up confirmation email | SelfRegistration.NotifyAccountConfirmation | This enable sending notification for self signup confirmation. |
| Prompt reCaptcha on re-send confirmation | SelfRegistration.ResendConfirmationReCaptcha | This prompts reCaptcha verification for resend confirmation. |
| Enable Auto Login After Account Confirmation | SelfRegistration.AutoLogin.Enable | User will be logged in automatically after the account confirmation. |
| Alias of the key used to sign to cookie | SelfRegistration.AutoLogin.AliasName | This is the alias of the key used to sign to cookie. The public key has to be imported to the keystore. |
Lite User Registration
| Property display name | Property name | Purpose |
|---|---|---|
| Lite user registration | LiteRegistration.Enable | Users are allowed to self register to the system without a password. |
| Lock user account on creation | LiteRegistration.LockOnCreation | The self-registered user account will be locked until e-mail verification. |
| Manage notifications sending internally | LiteRegistration.Notification.InternallyManage | This property should be disabled if the client application handles notification sending. |
| Prompt reCaptcha | LiteRegistration.ReCaptcha | The reCaptcha verification will be prompted during self registration. |
| Lite user registration verification link expiry time | LiteRegistration.VerificationCode.ExpiryTime | Specify the expiry time in minutes for the verification link. |
| Lite user registration SMS OTP expiry time | LiteRegistration.VerificationCode.SMSOTP.ExpiryTime | Specify the expiry time in minutes for the SMS OTP. |
| Lite user registration callback URL regex | LiteRegistration.CallbackRegex | This regular expression pattern will be used to validate the callback URL. |
| Manage Lite-Sign-Up purposes | _url_listPurposeSelfSignUp | Manage Lite-Sign-Up purposes |
Ask Password
| Property display name | Property name | Purpose |
|---|---|---|
| Enable user email verification | EmailVerification.Enable | A verification notification will be triggered during user creation. |
| Enable account lock on creation | EmailVerification.LockOnCreation | The user account will be locked during user creation. |
| Manage notifications sending internally | EmailVerification.Notification.InternallyManage | Disable if the client application handles notification sending. |
| Email verification code expiry time | EmailVerification.ExpiryTime | Set the time span that the verification e-mail would be valid, in minutes. (For infinite validity period, set -1) |
| Ask password code expiry time | EmailVerification.AskPassword.ExpiryTime | Set the time span that the ask password e-mail would be valid, in minutes. (For infinite validity period, set -1) |
| Temporary password generation extension class | EmailVerification.AskPassword.PasswordGenerator | Temporary password generation extension point in ask password feature |
| Manage JIT provisioning purposes | _url_listPurposeJITProvisioning | Click here to manage just in time provisioning purposes. |
Login Attempts Security
Account Lock
| Property display name | Property name | Purpose |
|---|---|---|
| Lock user accounts | account.lock.handler.enable | Lock user accounts on failed login attempts |
| Maximum failed login attempts | account.lock.handler.On.Failure.Max.Attempts | Number of failed login attempts allowed before the account is locked. |
| Initial account lock duration | account.lock.handler.Time | The time period for which an account will remain locked during the first account locking instance. Account will be automatically unlocked after this time period. |
| Account lock duration increment factor | account.lock.handler.login.fail.timeout.ratio | Account lock duration will be increased by this factor. Ex: Initial duration: 5m; Increment factor: 2; Next lock duration: 5 x 2 = 10m |
| Manage notification sending internally | account.lock.handler.notification.manageInternally | This property should be disabled if the client application handles notification sending. |
reCaptcha for SSO Login
| Property display name | Property name | Purpose |
|---|---|---|
| Always prompt reCaptcha | sso.login.recaptcha.enable.always | Always prompt reCaptcha verification during SSO login flow. |
| Prompt reCaptcha after max failed attempts | sso.login.recaptcha.enable | Prompt reCaptcha verification during SSO login flow only after the max failed attempts exceeded. |
| Max failed attempts for reCaptcha | sso.login.recaptcha.on.max.failed.attempts | Number of failed attempts allowed without prompting reCaptcha verification. |
Other Settings
Consent Information Controller
| Property display name | Property name | Purpose |
|---|---|---|
| Controller Name | piiController | Name of the first Controller who collects the data |
| Contact Name | contact | Contact name of the Controller |
| Email Address | Contact email address of the Controller | |
| Phone Number | phone | Contact phone number of the Controller |
| On Behalf | onBehalf | A user information (PII) Processor acting on behalf of a Controller or PII Processor |
| Url | piiControllerUrl | A URL for contacting the Controller |
| Country | addressCountry | Country of the Controller |
| Locality | addressLocality | Locality of the Controller |
| Region | addressRegion | Region of the Controller |
| Post Office Box Number | postOfficeBoxNumber | Post Office Box Number of the Controller |
| Postal Code | postalCode | Postal Code of the Controller |
| Street Address | streetAddress | Street Address of the Controller |
Analytics Engine Configuration
| Property display name | Property name | Purpose |
|---|---|---|
| Target Host | adaptive_authentication.analytics.receiver | Target Host |
| Enable Basic Authentication | adaptive_authentication.analytics.basicAuth.enabled | Enable Basic Authentication |
| User ID | adaptive_authentication.analytics.basicAuth.username | Target Host Secured User ID |
| Secret | __secret__adaptive_authentication.analytics.basicAuth.password | Target Host Secured Secret |
| HTTP Connection Timeout | adaptive_authentication.analytics.HTTPConnectionTimeou | HTTP Connection Timeout in milliseconds |
| HTTP Read Timeout | adaptive_authentication.analytics.HTTPReadTimeout | HTTP Read Timeout in milliseconds |
| HTTP Connection Request Timeout | adaptive_authentication.analytics.HTTPConnectionRequestTimeout | HTTP Connection Request Timeout in milliseconds |
| Hostname verification | adaptive_authentication.analytics.hostnameVerfier | Hostname verification. (STRICT, ALLOW_ALL) |
User Claim Update
| Property display name | Property name | Purpose |
|---|---|---|
| Enable user email verification on update | UserClaimUpdate.Email.EnableVerification | Trigger a verification notification when user's email address is updated. |
| Email verification on update link expiry time | UserClaimUpdate.Email.VerificationCode.ExpiryTime | Validity time of the email confirmation link in minutes. |
| Enable user mobile number verification on update | UserClaimUpdate.MobileNumber.EnableVerification | Trigger a verification SMS OTP when user's mobile number is updated. |
| Mobile number verification on update SMS OTP expiry time | UserClaimUpdate.MobileNumber.VerificationCode.ExpiryTime | Validity time of the mobile number confirmation OTP in minutes. |
Account Management
Idle Account Suspend
| Property display name | Property name | Purpose |
|---|---|---|
| Suspend idle user accounts | suspension.notification.enable | Lock user account after a given idle period. |
| Allowed idle time span in days | suspension.notification.account.disable.delay | Time period in days before locking the user account. |
| Alert sending time periods in days | suspension.notification.delays | Send warning alerts to users before locking the account after each period. Comma-separated multiple values accepted. |
Account Disable
| Property display name | Property name | Purpose |
|---|---|---|
| Enable account disabling | account.disable.handler.enable | Allow an administrative user to disable user accounts |
| Manage notification sending internally | account.disable.handler.notification.manageInternally | This property should be disabled if the client application handles notification sending. |
Account Recovery
| Property display name | Property name | Purpose |
|---|---|---|
| Notification based password recovery | Recovery.Notification.Password.Enable | This enables password recovery via email notifications. |
| Enable reCaptcha for password recovery | Recovery.ReCaptcha.Password.Enable | reCaptcha is prompted during password recovery via email notifications. |
| Security question based password recovery | Recovery.Question.Password.Enable | This enables password recovery via answering security questions. |
| Number of questions required for password recovery | Recovery.Question.Password.MinAnswers | This defines the number of security questions that are required to be answered. |
| Security question answer regex | Recovery.Question.Password.ReCaptcha.Enable | The regular expression pattern for answers provided for security questions. |
| Enforce security question answer uniqueness | Recovery.Question.Answer.Uniqueness | This enforces the uniqueness of the answers provided for security questions. |
| Enable reCaptcha for security questions based password recovery | Recovery.Question.Password.ReCaptcha.Enable | Prompt reCaptcha for security question-based password recovery |
| Max failed attempts for reCaptcha | Recovery.Question.Password.ReCaptcha.MaxFailedAttempts | The reCaptcha will be prompted only after it exceeds this number of failed attempts. |
| Username recovery | Recovery.Notification.Username.Enable | This enables the user to recover the account if the user has forgotten the username. |
| Enable reCaptcha for username recovery | Recovery.ReCaptcha.Username.Enable | reCaptcha is prompted during username recovery |
| Manage notifications sending internally | Recovery.Notification.InternallyManage | This property should be disabled if the client application handles notification sending. |
| Notify when recovery success | Recovery.NotifySuccess | Upon a successful password reset, a success notification is sent to the user. |
| Notify when security questions based recovery starts | Recovery.Question.Password.NotifyStart | A notification will be sent to the user that the security question-based recovery has started. |
| Recovery link expiry time in Minutes | Recovery.ExpiryTime | The expiration time for the recovery link. |
| SMS OTP expiry time | Recovery.Notification.Password.ExpiryTime.smsOtp | Expiration time of the SMS OTP code for password recovery |
| SMS OTP regex | Recovery.Notification.Password.smsOtp.Regex | The regular expression pattern for SMS OTP in format [allowed characters] |
| Enable forced security questions | Recovery.Question.Password.Forced.Enable | Force users to provide answers to security questions during sign-in |
| Minimum number of forced security questions to be answered | Recovery.Question.MinQuestionsToAnswer | Force users to provide answers to more security questions during sign-in if the number of questions answered is lesser than this value |
| Recovery callback URL regex | Recovery.CallbackRegex | This regular expression pattern will be used to validate the recovery callback URL. |
| Enable Auto Login After Password Reset | Recovery.AutoLogin.Enable | User will be logged in automatically after completing the Password Reset wizard |
Password Reset
| Property display name | Property name | Purpose |
|---|---|---|
| Enable password reset via recovery e-mail | Recovery.AdminPasswordReset.RecoveryLink | User gets notified with a link to reset password. |
| Enable password reset via OTP | Recovery.AdminPasswordReset.OTP | User gets notified with a one-time password to try with SSO login. |
| Enable password reset offline | Recovery.AdminPasswordReset.Offline | An OTP will be generated and stored in users claims. |
The APIs can be used to retrieve the above mentioned categories, connectors of the categories, properties of the categories, and update the property values.
Click for instructions
Follow the steps given below to try out the REST APIs with your local instance of WSO2 Identity Server.
- Click Authorize and provide the desired values for authentication.
- Expand the relevant API operation and click Try it Out.
- Fill in relevant sample values for the input parameters and click Execute. You will receive a sample curl command with the sample values you filled in.
- Add a
-kheader to the curl command and run the curl command on the terminal with a running instance of WSO2 IS.