
Configuring Admin-Initiated Account Locking

WSO2 Identity Server enables privileged users to temporarily lock suspicious user accounts and prevent those users from logging in. Accounts locked this way can only be unlocked by privileged users.

Scenario

Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. While Robert is an administrator at Pickup, Larry is a new recruit. Due to suspicious user activity, Robert wants to lock Larry's account.

Let's learn how Robert can lock Larry's user account!

Set up

Follow the steps below to configure admin-initiated account locking in WSO2 Identity Server.

  1. Open the deployment.toml file in the <IS_HOME>/repository/conf directory and check that the following listener configurations are in place.

    # Legacy identity management listener: must stay disabled.
    [event.default_listener.identity_mgt]
    priority = "50"
    enable = false
    # Governance identity management listener: handles account locking and must be enabled.
    [event.default_listener.governance_identity_mgt]
    priority = "95"
    enable = true
  2. Restart WSO2 Identity Server.

  3. To configure the account locking requirements:

    1. On the Main menu of the Management Console, click Identity > Identity Providers > Resident.

      Resident menu-item

    2. Under the Login Policies section, click Account Locking.

      Account Locking Option

    3. Select the Account Lock Enabled check box.

      Account Locking form

    4. Click Update.

  4. To enable the account locking claim:

    1. On the Main menu of the Management Console, click Identity > Claims > List.

      Claims List option

    2. Click http://wso2.org/claims.

      WSO2 claim dialect

    3. Under Account Locked, click Edit.

      Account Locked claim edit option

    4. Select Supported by Default.

      Account Locked claim's Supported by Default option

    5. Click Update.

Try out

  1. To create the user account for Larry:

    1. On the Main menu of the Management Console, click Identity > Users and Roles > Add.

      Add Users and Roles menu-item

    2. Click Add New User.

      Add New User option

    3. Enter the required data as follows.

      Add New User screen

      • Domain: Primary
      • Username: Larry
    4. Click Finish.

  2. To assign login permissions to the user:

    1. Click the View Roles option of Larry.

      View Roles option

    2. Click Permissions.

      Role Permissions option

    3. Select Login and click Update.

      Login permission

  3. To lock Larry's user account:

    1. Click the User Profile option of Larry.

      User Profile option

    2. Enter an email address to which Larry's account locking emails will be sent, and select the User Locked check box.

      User Email option

    3. Click Update.

    4. An email informing Larry that the account has been locked is sent to the given email address.

      Account Locked email

    5. Access the WSO2 Identity Server User Portal at https://localhost:9443/user-portal/.

      Sign In form

    6. Try logging in with Larry's credentials. Note that an error message appears because the account is locked.

    7. Wait for 15 minutes and try to log in again. The WSO2 Identity Server User Portal home screen appears.

  4. To unlock Larry's user account:

    1. Click the User Profile option of Larry.

    2. Unselect the User Locked check box.

    3. Click Update.

    4. An email informing Larry that the account has been unlocked is sent to the given email address.

      Account Unlocked email

    5. Try logging in to the WSO2 Identity Server User Portal with Larry's credentials. The WSO2 Identity Server User Portal home screen appears.
