

Configuring Admin-Initiated Account Locking¶

WSO2 Identity Server enables privileged users to temporarily lock suspicious user accounts and prevent the users from logging in. These locked user accounts can only be unlocked by privileged users.

Scenario¶

Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. While Sam is an administrator at Pickup, Larry is a new recruit. Due to suspicious user activity, Sam wants to lock Larry's account.

Let's learn how Sam can lock Larry's user account!

Prerequisites¶

You need to add a user named Larry with login permissions. Do not assign any roles to this user.

Set up WSO2 IS¶

Follow the steps below to configure admin-initiated account locking in WSO2 Identity Server.

On the <IS_HOME>/repository/conf/deployment.toml file, check whether the following listener configs are in place.

[event.default_listener.identity_mgt]
priority= "50"
enable = false
[event.default_listener.governance_identity_mgt]
priority= "95"
enable = true

Add the following configurations to the <IS_HOME>/repository/conf/deployment.toml file to configure the email server to send emails requesting a password reset.
Format
```
[output_adapter.email]
from_address= ""
username= ""
password= ""
hostname= "smtp.gmail.com"
port= 587
enable_start_tls= true
enable_authentication= true
```
Sample
```
[output_adapter.email]
from_address= "[email protected]"
username= "wso2iamtest"
password= "Wso2@iam70"
hostname= "smtp.gmail.com"
port= 587
enable_start_tls= true
enable_authentication= true
```
Note
- If you are using a Gmail account as the from_address, you must create an App Password. After you get an App Password from Google, update the password.
- If your password contains special characters (example: <, >, &), you will run into errors when running the server. To avoid errors, update the password parameter as follows:
```
password= "<![CDATA[xxxx]]>"
```
- For more information on configuring the email sending module, refer Configure Email Sender.
Save the configurations and restart WSO2 Identity Server.

Configure account locking¶

To configure the account locking requirements:

On the Management Console, go to Identity > Identity Providers > Resident.
Expand Login Attempt Security > Account Lock.
Enable account locking by selecting the Lock user accounts on maximum failed attempts checkbox.
Click Update to save the configurations.

Configure account locking claims¶

To enable the account locking claim:

On the Management Console, go to Claims > List.
Click http://wso2.org/claims.
Under Account Locked claim, click Edit.
Select Supported by Default.
Click Update to save the configurations.

Try it out¶

Let us try out locking and unlocking a user profile.

Lock a user account¶

To lock Larry's user account:

On the Management Console, go to Users and Roles > List > Users.
Click User Profile for Larry.
Select default, enter Larry's email address, and select the Account Locked checkbox.
Click Update to save the configurations.

An email will be sent to Larry's email address informing him about the locking of the user account.
Access the WSO2 Identity Server's My Account portal at https://localhost:9443/myaccount.
Try to log in with Larry's credentials. Note that an error message appears.
Wait for 15 minutes and try to log in again. The WSO2 Identity Server's My Account home screen appears.

Unlock a user account¶

To unlock Larry's user account:

On the Management Console, go to Users and Roles > List > Users.
Click User Profile for Larry.
Deselect the Account Locked checkbox.
Click Update to save the configurations.

An email will be sent to Larry's email address informing him about unlocking the user account.
Try to log in to the WSO2 Identity Server's My Account with Larry's credentials. The WSO2 Identity Server My Account home screen appears.

Larry will be able to successfully log in.

Top