WSO2 Identity Server Guide

WSO2 Identity Server allows administrators to manage user identities through features like password recovery, account locking, account disabling, and setting password policies. It provides options for password recovery via email or security questions. Accounts can be temporarily locked or permanently disabled by administrators or automatically locked based on failed login attempts. Password policies help enforce strong passwords and can be customized by configuring password patterns.

Identity Management

Identity Management is a part of Identity and Access Management. Identity
management involves several features such as password recovery, account recovery,
user registration, locking or disabling user accounts, password policies, etc. In this
tutorial, we are going to try the functionalities related to identity management in
WSO2 Identity Server.

WSO2 IS Configurations

1. Open the [Link] file in the <IS_HOME>/repository/conf directory.

2. Check whether the following listener configs are in place:

   [event.default_listener.identity_mgt]
   priority = "50"
   enable = false

   [event.default_listener.governance_identity_mgt]
   priority = "95"
   enable = true

   [event.default_listener.governance_identity_store]
   priority = "97"
   enable = true

3. Configure the following email settings in the [Link] file. Refer to this for
   more information.

   [output_adapter.email]
   from_address = ""
   username = ""
   password = ""
   hostname = "[Link]"
   port = 587
   enable_start_tls = true
   enable_authentication = true

4. Navigate to <IS_HOME>/bin and start the server by executing either of the
   following commands.

   Linux --> sh [Link]

   Windows --> [Link]

5. Log into the management console, and give admin as both the username and the
   password.

6. Create a user.

   ● On the Main tab click on Users and Roles -> Add New User.

   ● Click Add New User.

   ● Specify the following values to create a new user.

     username = tom
     password = tom123

   ● Edit that user and specify an email address.
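As an added example (not part of this tutorial and not WSO2's own code), the following Python reads a file in the shape of the settings from steps 2 and 3 and reports anything that deviates from them: the three listener tables with their expected priority/enable values, STARTTLS turned on, and non-empty credentials wherever authentication is enabled. The sample config and the parser's supported subset (flat tables, quoted strings and booleans only) are constructed for this example; the empty username and password are left in deliberately so the check flags the placeholders before the server is started.

```python
# Constructed sample in the shape of the settings above (not a real deployment file).
SAMPLE_CONFIG = """
[event.default_listener.identity_mgt]
priority = "50"
enable = false
[event.default_listener.governance_identity_mgt]
priority = "95"
enable = true
[event.default_listener.governance_identity_store]
priority = "97"
enable = true
[output_adapter.email]
username = ""
password = ""
enable_start_tls = true
enable_authentication = true
"""
EXPECTED_LISTENERS = {  # table -> (priority, enable) exactly as listed in step 2
    "event.default_listener.identity_mgt": ("50", False),
    "event.default_listener.governance_identity_mgt": ("95", True),
    "event.default_listener.governance_identity_store": ("97", True),
}

def parse_toml_subset(text):
    # Flat [table] / key = value subset only: quoted strings and booleans.
    tables, current = {}, {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            current = tables.setdefault(line[1:-1], {})
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value in ("true", "false"):
            current[key] = value == "true"
        else:
            current[key] = value.strip('"')
    return tables

def check_config(text):
    # Returns findings; an empty list means the tutorial's settings are all in place.
    cfg, findings = parse_toml_subset(text), []
    for table, (priority, enabled) in EXPECTED_LISTENERS.items():
        got = cfg.get(table, {})
        if got.get("priority") != priority or got.get("enable") is not enabled:
            findings.append(f"{table}: expected priority={priority}, enable={enabled}")
    mail = cfg.get("output_adapter.email", {})
    if mail.get("enable_start_tls") is not True:
        findings.append("output_adapter.email: enable_start_tls must be true")
    if mail.get("enable_authentication") and not (mail.get("username") and mail.get("password")):
        findings.append("output_adapter.email: authentication is enabled but credentials are empty")
    return findings
```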

 
 

Password Recovery

Once a user forgets their password, there should be a way to reset passwords. WSO2
Identity Server can reset passwords in two ways.

1. Password recovery via email

2. Password recovery via challenge questions

Password Recovery Via Email

Introduction:
When a user forgets their password, there should be a way to recover it. One of the
ways to reset a password is via email notifications. If users forget their password,
they can recover it by verifying themselves using the email sent to them.

Setting up
1. Click on Main > Identity Providers > Resident > Account Management
   Policies > Account Recovery.

2. In the Account Recovery tab, select the Enable Notification Based Password Recovery
   check box.

3. Click Update.

Try It
1. Go to the user portal. Click forgot password.

2. Enter the user's username and select Recover with Email. Click Submit.

3. An email notification is sent to the user's email address. Click on the Reset
   Password button in the email.

4. Enter a new password and click Submit.

 
Password Recovery via Challenge Questions

Introduction:
When a user forgets their password, there should be a way to recover it. One of the
ways to reset a password is via challenge questions. If users forget their password,
they can recover it by answering the challenge questions that were set up for their
accounts.

Setting up:
1. Click on Main > Identity Providers > Resident > Account Management
   Policies > Account Recovery.

2. In the Account Recovery tab, select the Enable Security Questions Based Password
   Recovery check box.

3. Configure the required number of questions in the Number of Questions
   Required for Password Recovery field.

4. Sign in to the user portal as Tom.

5. Click on Update Account Security under Account Security.

6. Click on '+' under Security > Account Recovery.

7. Set challenge questions and answers for the user account.

8. Click Save.

9. Sign out from the user portal.

Try It:
1. Go to the user portal.

2. Click on Forgot Password.

3. Enter the username and select Recover with Security Questions.

4. Click Submit.

5. Enter the answers for the challenge questions and submit.

6. Once you enter the correct answers, you will be prompted with the reset
   password form.

7. Enter the new password and confirm it.

8. Click Submit and you will receive a message on successfully resetting it.
 

Username Recovery

Introduction:
When a user forgets their username, there should be a way to recover it. WSO2
Identity Server helps to recover the username via email.

Setting up:
1. Go to Main > Identity Providers > Resident.

2. Expand the Account Management Policies tab, then the Account Recovery
   tab.

3. Select the Enable Username Recovery check box and the Enable Internal
   Notification Management check box.

Try It:
1. Go to the user portal.

2. Click forgot username.

3. Enter the required fields and click Submit.

4. An email notification will be sent to the user's email address with the recovered
   username. The email template can be customized as well.

 
Account Locking and Disabling

Introduction
Account locking and disabling are security features in WSO2 Identity Server. The
account locking feature is used to temporarily block a user from logging in, and
account disabling is more of a long-term security measure, which disables the
account for a significant amount of time.

Account locking can be done by an administrative user, or it can be configured to
lock accounts automatically upon multiple failed login attempts.

Account Locking by an Administrator

Setting up:
1. Go to Main > Identity Providers > Resident > Login Policies.

2. Click the Account Locking tab.

3. Select the Account Lock Enabled check box.

4. Click Update.

5. Go to Main > Claims > List and select the [Link] claim dialect.

6. Select the Account Locked claim and click Edit.

7. Select the Supported by Default check box and click Update.

8. Create a user "bob".

Try It:
1. Navigate to Main -> Users and Roles -> Lists -> Users. Now you can see all
   the users listed.

2. Go to the user you want to lock and click on User Profile.

3. Update the mandatory fields such as first name, last name, and email.

4. Select the Account Locked check box.

5. Click Update.

6. Go to the user portal, and try to log in as the user you locked.

7. Now the login attempt will fail.

 
Account Locking Based on Failed Login Attempts

Setting up:
1. Go to Main > Identity Providers > Resident > Login Policies.

2. Click the Account Locking tab.

3. Specify the maximum failed login attempts and the account unlock time as follows.

   Maximum Failed Login Attempts: 3

   Account Unlock Time: 15 (minutes)

4. Click Update.

Try It:
1. Go to the user portal, and try to log in giving wrong passwords more than 3 times.

2. Now try to log in using the actual credentials. Your login attempt will still fail.

3. An email that informs about the account locking is sent to the given email
   address.

4. Wait for 15 minutes and try to log in again with the correct credentials. The
   WSO2 Identity Server Dashboard home screen appears.
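To make the behaviour of the Try It steps concrete, here is an added Python model of the lock policy as the tutorial describes it (not WSO2's implementation): a per-account failure counter, a lock once the counter reaches Maximum Failed Login Attempts, rejection of even the correct password while locked, and automatic unlock once Account Unlock Time has elapsed. The account record, the sample password and the clock injected as `now` are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_LOGIN_ATTEMPTS = 3   # "Maximum Failed Login Attempts" from step 3
ACCOUNT_UNLOCK_TIME_MIN = 15    # "Account Unlock Time" in minutes from step 3

@dataclass
class AccountState:
    password: str                          # constructed sample; a real store holds a hash
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked

def attempt_login(acct, supplied_password, now):
    # Returns "ok", "invalid" or "locked"; `now` is epoch seconds injected by the caller.
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                # correct credentials are rejected while locked
        acct.locked_until, acct.failed_attempts = None, 0   # unlock time has elapsed
    if supplied_password != acct.password:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_LOGIN_ATTEMPTS:
            acct.locked_until = now + ACCOUNT_UNLOCK_TIME_MIN * 60
            return "locked"                # the point at which the lock notification is sent
        return "invalid"
    acct.failed_attempts = 0               # a successful login resets the counter
    return "ok"

def simulate():
    # Walks the Try It steps: wrong passwords until locked, the right password still
    # rejected, then the right password again once the unlock time has passed.
    acct = AccountState(password="tom123")
    t0 = 1_700_000_000.0
    outcomes = [attempt_login(acct, "wrong", t0) for _ in range(3)]
    outcomes.append(attempt_login(acct, "tom123", t0 + 10))
    outcomes.append(attempt_login(acct, "tom123", t0 + ACCOUNT_UNLOCK_TIME_MIN * 60 + 1))
    return outcomes
```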

Account Disabling

Setting up:
1. Go to Main > Identity Providers > Resident > Login Policies.

2. Click the Account Disabling tab.

3. Select the Enable Account Disabling check box.

4. Click Update.

5. Go to Main > Claims > List and select the [Link] claim dialect.

6. Select the Account Disabled claim and click Edit.

7. Select the Supported by Default check box and click Update.

Try It:
1. Create a user.

2. Navigate to Users and Roles > Lists > Users. Now all the users will be listed.

3. Go to the user you want to disable and click on User Profile.

4. Update the mandatory fields such as first name, last name, and email.

5. Select the Account Disabled check box.

6. Click Update.

7. Go to the user portal, and try to log in as the user you disabled.

8. Now the login attempt will fail.

Password Policies

Password policies are a set of rules that require users to use strong passwords. WSO2
Identity Server helps to customize the password patterns to enforce password
policies.

Password Patterns

Introduction
The Password Patterns policy helps to customize the pattern of users' passwords.
Using this feature, organizations can enforce the minimum length, maximum length,
and regex patterns of passwords.

Setting up:
1. Go to Main > Identity Providers > Resident.

2. Click on the Password Policies > Password Patterns tab.

3. Select Enable Password Policy Feature and edit the settings such as minimum
   length, maximum length, regex format, and error message.

4. Click on the Update button.

Try It:
1. Access the WSO2 Identity Server dashboard using the following link: user portal

2. Click Forgot Password.

3. Enter the user's username, select Recover with Email, and then click Submit.

4. An email notification is sent to the user's email address. Click on the Reset
   Password button given in the email.

5. Enter a password which violates the password patterns specified. It will give the
   error message specified.
Password History

Introduction
This feature helps to prevent users from configuring passwords that were used in the
recent past. For example, if you configure a count of 2 passwords, users will be
prevented from reusing their last 2 passwords as the current password.

Setting up:
1. Go to Main > Identity Providers > Resident.

2. Click on the Password Policies > Password History tab.

3. Click on Enable Password History Feature and configure the Password History
   validation count as required.

Try It:
1. Create a user using the management console. Ensure that the user has login
   permissions.

2. Edit the user profile and enter an email address for the user. The email
   notification for password recovery is sent to the email address given.

3. Access the WSO2 Identity Server dashboard using the following link: user portal

4. Click Forgot Password.

5. Enter the user's username, select Recover with Email, and then click Submit.

6. An email notification is sent to the user's email address. Click on the Reset
   Password button given in the email.

7. Enter the old password again as the new password and click Submit. You will
   be asked to use a different password as it was used previously.
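The following Python is an added example (not WSO2's code) that models both policies from the Password Patterns and Password History sections together: a pattern check driven by minimum length, maximum length, a regex and a configured error message, followed by a history check that rejects any of the last N passwords. The regex, the error strings, the SHA-256 digest used to keep history entries out of clear text, and the scenario in `demo()` (history count 2, as in the introduction above) are all constructed for this example.

```python
import hashlib
import re
from collections import deque

class PasswordPolicy:
    # Models the two policies above: Password Patterns (length bounds, regex, error
    # message) and Password History (the last N passwords cannot be reused).
    def __init__(self, min_length, max_length, pattern, error_message, history_count):
        self.min_length, self.max_length = min_length, max_length
        self.pattern, self.error_message = re.compile(pattern), error_message
        self.history_count = history_count
        self._history = {}   # username -> deque of digests of the recent passwords

    def validate_pattern(self, password):
        # None when the password satisfies the pattern, else the configured error message.
        if not (self.min_length <= len(password) <= self.max_length):
            return self.error_message
        if not self.pattern.fullmatch(password):
            return self.error_message
        return None

    @staticmethod
    def _digest(username, password):
        # Illustrative only: history is kept as username-salted SHA-256 so the old
        # passwords are not stored in clear text; a real store uses a password hash.
        return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

    def change_password(self, username, new_password):
        # Pattern check first, then history check; the new password is recorded on success.
        err = self.validate_pattern(new_password)
        if err:
            return err
        recent = self._history.setdefault(username, deque(maxlen=self.history_count))
        digest = self._digest(username, new_password)
        if digest in recent:
            return "This password was used previously. Choose a different password."
        recent.append(digest)
        return None

def demo():
    # Constructed scenario: 6-30 characters, at least one uppercase letter and one
    # digit, history count 2 as in the Password History introduction.
    policy = PasswordPolicy(6, 30, r"(?=.*[A-Z])(?=.*\d).+", "Password does not meet the pattern", 2)
    attempts = ("tom123", "Tom123", "Tom123", "Tom456", "Tom789", "Tom123")
    return [policy.change_password("tom", pw) for pw in attempts]
```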
