Configuring Admin-Initiated Account Locking¶
WSO2 Identity Server enables privileged users to temporarily lock suspicious user accounts and prevent the users from logging in. These locked user accounts can only be unlocked by privileged users.
Scenario¶
Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. While Sam is an administrator at Pickup, Larry is a new recruit. Due to suspicious user activity, Sam wants to lock Larry's account.
Let's learn how Sam can lock Larry's user account!
Prerequisites¶
- You need to add a user named
Larry
with login permissions. Do not assign any roles to this user.
Set up WSO2 IS¶
Follow the steps below to configure admin-initiated account locking in WSO2 Identity Server.
-
On the
<IS_HOME>/repository/conf/deployment.toml
file, check whether the following listener configs are in place.[event.default_listener.identity_mgt] priority= "50" enable = false [event.default_listener.governance_identity_mgt] priority= "95" enable = true
-
Add the following configurations to the
<IS_HOME>/repository/conf/deployment.toml
file to configure the email server to send emails requesting a password reset.[output_adapter.email] from_address= "" username= "" password= "" hostname= "smtp.gmail.com" port= 587 enable_start_tls= true enable_authentication= true
[output_adapter.email] from_address= "[email protected]" username= "wso2iamtest" password= "Wso2@iam70" hostname= "smtp.gmail.com" port= 587 enable_start_tls= true enable_authentication= true
Note
- If you are using a Gmail account as the from_address, you must create an App Password. After you get an App Password from Google, update the
password
. - If your password contains special characters (example:
<
,>
,&
), you will run into errors when running the server. To avoid errors, update thepassword
parameter as follows:password= "<![CDATA[xxxx]]>"
- For more information on configuring the email sending module, refer Configure Email Sender.
- If you are using a Gmail account as the from_address, you must create an App Password. After you get an App Password from Google, update the
-
Save the configurations and restart WSO2 Identity Server.
Configure account locking¶
To configure the account locking requirements:
-
On the Management Console, go to Identity > Identity Providers > Resident.
-
Expand Login Attempt Security > Account Lock.
-
Enable account locking by selecting the Lock user accounts on maximum failed attempts checkbox.
-
Click Update to save the configurations.
Configure account locking claims¶
To enable the account locking claim:
-
On the Management Console, go to Claims > List.
-
Click http://wso2.org/claims.
-
Under Account Locked claim, click Edit.
-
Select Supported by Default.
-
Click Update to save the configurations.
Try it out¶
Let us try out locking and unlocking a user profile.
Lock a user account¶
To lock Larry's user account:
-
On the Management Console, go to Users and Roles > List > Users.
-
Click User Profile for Larry.
-
Select default, enter Larry's email address, and select the Account Locked checkbox.
-
Click Update to save the configurations.
An email will be sent to Larry's email address informing him about the locking of the user account.
-
Access the WSO2 Identity Server's My Account portal at
https://localhost:9443/myaccount
. -
Try to log in with Larry's credentials. Note that an error message appears.
-
Wait for 15 minutes and try to log in again. The WSO2 Identity Server's My Account home screen appears.
Unlock a user account¶
To unlock Larry's user account:
-
On the Management Console, go to Users and Roles > List > Users.
-
Click User Profile for Larry.
-
Deselect the Account Locked checkbox.
-
Click Update to save the configurations.
An email will be sent to Larry's email address informing him about unlocking the user account.
-
Try to log in to the WSO2 Identity Server's My Account with Larry's credentials. The WSO2 Identity Server My Account home screen appears.
Larry will be able to successfully log in.
Top