Is there any way to cancel the askPassword request and set the Account State to LOCKED during the askPassword task?
So, we need to lock the user before he completes the askPassword task.
If you want to keep the user account locked until the user sets his own password through the invitation link, that feature is available in IS-6.0.0.
That improvement was introduced in: https://github.com/wso2/product-is/issues/10930
If you want to have this capability in previous IS versions, you can patch the changes linked to the GitHub issue. Refer to: https://stackoverflow.com/a/73899512/10055162
I tried to add a user using the Web API via client credentials and via identity provider. Neither resulted in the invited user receiving an email or seeing the granted lock in his app.
I called /api/v1/Owners to get the owner account's ID for the locks I want a new user to be granted access for.
I created a new contact by posting to /api/v1/Owners//Contacts, only setting email as identifier (not posting any other data) and using the ownerAccountId from step 1.
With the newly created contact id from step 2, the ownerAccountId from step 1 and the boundlock id, I did a PUT request to /api/v1/Owners//Grants.
This resulted in a 200 response, but the new contact did not get any notification or invite email.
When I log in to my.portal.nl as owner of the lock, I do see the added user as a smartphone user with the correct lock and validFrom and validBefore.
I expect the invited user in step 4 to be emailed. What am I missing? In your comment you say: Generally speaking, Tapkey will usually not send emails to users.
But how do new users get notified about new locks they can open?
Via the API I do see the users and grants are actually added. I have checked spam folders, but no emails.
When I register as one of these users by using the email address I set up as identity and log in to the Tapkey app, still no locks.
The client ID I'm using is c2f11e47604639323320d08f8e4038f4 and the owner account id is e12e4145-3afb-45ae-81f5-2cdd57d89fb5
I will just summarize what was already explained by Markus in his answer:
Regarding the question about the email:
The user will not be informed by email if you create a grant for him.
Regarding the permissions:
If you have created permissions for a user with the identity provider tapkey, then these grants are visible to the user once he logs in to the Tapkey app and navigates to his smartphone keys.
If you have created permissions for a user with your own identity provider, these are not displayed in the Tapkey app for the granted user and you need to implement your own application to handle these keys.
We had a look at the grants you have created and, as you correctly said, they were created successfully. All but one have been created with your own identity provider and therefore they are not visible in the Tapkey app for the granted user. For privacy reasons, I don't want to share any more details regarding your data here.
Does WSO2 have unlock-on-password-recovery and auto-locking of inactive users features? For example:
the user will be unlocked if he changes his password (if he was locked)
if the user's last authentication was 1 month before, the account will be locked
If the user is locked, IS doesn't allow the user to recover the password via email or security questions. Here you can see the validation prior to the password recovery flow.
However, admin forced password reset can be used for your case. When the admin forces a password reset, the user will receive a notification. Upon resetting the password, the account will be unlocked.
Refer to https://is.docs.wso2.com/en/latest/learn/user-account-suspension/
I'm working on a use case where I have to lock the user after unsuccessful username and password attempts, and then later the admin should be able to unlock the user in Cognito, and then the user should be able to log in.
For now, Cognito locks the user after 5 unsuccessful username and password attempts, and when the user then tries to log in with a proper username and password it gives the following exception:
"Unable to login because of security reasons. "
However, I'm not able to find a way to unlock that particular user as an admin. Does Cognito provide any API or dashboard for unlocking the user? Can anyone help me here?
No, you cannot interfere with their default lockout policy. You can, however, put in your own logic to lock out users using a pre sign-in Lambda trigger along with a custom field which stores recent unsuccessful login attempts. The Lambda is triggered and checks if the user has too many login attempts and then blocks him from logging in.
You can then write another function that lets the admin clear the custom field that tracks unsuccessful logins.
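As an added illustration of the approach in the answer above (not code from the answer's author or from AWS): a Node.js PreAuthentication trigger that rejects sign-in once a custom counter attribute passes a threshold, plus the admin-side reset that writes the counter back to zero. The attribute name custom:failedLogins, the threshold of 5 and the injected client object are assumptions; a separate process is assumed to increment the counter on failed sign-ins.

```javascript
// Added example, not part of the original answer. Assumes the user pool has a
// mutable custom attribute "custom:failedLogins" (hypothetical name) that some
// other process increments on each failed sign-in.
const MAX_FAILED_LOGINS = 5;
const COUNTER_ATTR = 'custom:failedLogins';

// Pure decision logic, kept apart from the Lambda wrapper so it can be unit-tested.
// Returns { allow, failed }; a missing or non-numeric counter counts as zero,
// so a mis-set attribute can never lock everyone out.
function evaluateLockout(userAttributes, maxFailed = MAX_FAILED_LOGINS) {
  const parsed = Number.parseInt(userAttributes[COUNTER_ATTR] ?? '0', 10);
  const failed = Number.isNaN(parsed) ? 0 : parsed;
  return { allow: failed < maxFailed, failed };
}

// Lambda handler for the PreAuthentication_Authentication trigger.
// Throwing from this trigger makes Cognito reject the sign-in attempt.
async function preAuthHandler(event) {
  if (event.triggerSource !== 'PreAuthentication_Authentication') return event;
  const { allow, failed } = evaluateLockout(event.request.userAttributes || {});
  if (!allow) {
    throw new Error(`Account locked after ${failed} failed sign-in attempts; contact an administrator.`);
  }
  return event; // returning the event unchanged lets the sign-in continue
}

// Admin reset: sets the counter back to "0" through the AdminUpdateUserAttributes
// API. The client is injected so the call can be faked offline; in production
// pass a wrapper around the AWS SDK's AdminUpdateUserAttributes call.
async function adminResetLockout(cognito, userPoolId, username) {
  await cognito.adminUpdateUserAttributes({
    UserPoolId: userPoolId,
    Username: username,
    UserAttributes: [{ Name: COUNTER_ATTR, Value: '0' }],
  });
  return { username, [COUNTER_ATTR]: '0' };
}

// Constructed sample event in the shape Cognito passes to the trigger.
const sampleLockedEvent = {
  triggerSource: 'PreAuthentication_Authentication',
  userName: 'alice',
  request: { userAttributes: { email: 'alice@example.com', [COUNTER_ATTR]: '5' } },
  response: {},
};
```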
If you make a call to disable the user, then re-enable the user, that resets the login attempts and your user should be able to log in.
We use the following feature in WSO2IS 5.3.0
https://docs.wso2.com/display/IS530/Forced+Password+Reset#ForcedPasswordReset-PasswordResetviaRecoveryEmail
This feature sends an email for the user to reset their password, but also sends the user a "Locked Account" email. Is there a way to prevent the "Locked Account" email being sent without modifying the source code of the WSO2 extension that seems to be driving this feature? (In particular, the offending line seems to be here: https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/AdminForcedPasswordResetHandler.java#L129 .)
I have checked this feature in both Identity Server versions 5.3.0 and 5.5.0. Forced password reset via recovery mail puts the user account into the locked state, but it does not send two emails for forced password reset and account lock. Please check your steps.
Find the Forced Password Reset claim in the wso2 claim dialect (http://wso2.org/claims).
Check Supported by Default on http://wso2.org/claims/identity/adminForcedPasswordReset.
Go to the user profile; you will find an attribute named Force Password Reset. Make it true by typing "true" in the text box.
At the end of the third step you should get only a single email regarding the admin password reset.
I'm using WSO2 Identity Server 5.0 for SAML SSO and need to have user passwords expire after n days. I found the following properties in identity-mgt.properties, but I can't find any documentation on how to use them. Is this functionality implemented/available?
Authentication.Policy.Check.Password.Expire=false
Authentication.Policy.Password.Expire.Time=0
Thanks
These two properties were initially introduced to IS with the plan to support password expiry, but the implementation was never done.
If Authentication.Policy.Check.Password.Expire is set to true, then when the user updates the password, the timestamp of the password update is set as a user claim.
But Authentication.Policy.Password.Expire.Time is not logically used anywhere in the code base, and ideally should be removed.
Anyway, you can achieve the same functionality in a different way using password policy authenticators in IS. Hope this helps.