
Identity Management

Identity Management is a part of Identity and Access Management. Identity management covers features such as password recovery, account recovery, user registration, locking or disabling user accounts, and password policies. In this tutorial we try out the identity management functionality of WSO2 Identity Server.

WSO2 IS Configurations
1. Open the deployment.toml file in the <IS_HOME>/repository/conf directory.

2. Check that the following listener configurations are in place (the identity_mgt listener disabled, the two governance listeners enabled).

[event.default_listener.identity_mgt]
priority = "50"
enable = false

[event.default_listener.governance_identity_mgt]
priority = "95"
enable = true

[event.default_listener.governance_identity_store]
priority = "97"
enable = true

3. Configure the following email settings in the deployment.toml file; the recovery and notification emails used in this tutorial are sent through this SMTP account. Refer to the WSO2 documentation for more information.

[output_adapter.email]
from_address = ""
username = ""
password = ""
hostname = "smtp.gmail.com"
port = 587
enable_start_tls = true
enable_authentication = true

4. Navigate to <IS_HOME>/bin and start the server by executing either of the following commands.

Linux --> sh wso2server.sh

Windows --> wso2server.bat

5. Log into the management console, giving admin as both the username and the password.

6. Create a user.

● On the Main tab, click Identity -> Users and Roles -> Add.

● Click Add New User.

● Specify the following values to create the new user.

username = tom

password = tom123

● Edit that user and specify an email address.
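As an added example (not part of the tutorial or of WSO2's code base), the following Python script parses the two deployment.toml fragments above with a tiny TOML-subset parser and flags the mistakes that most often break this tutorial: the legacy identity_mgt listener left enabled, a governance listener disabled, STARTTLS off, or SMTP authentication turned on with blank credentials. The sample text is constructed from the page's fragments; the addresses are placeholders.

```python
# Constructed sample: the tutorial's deployment.toml fragments, placeholder addresses.
SAMPLE_TOML = """
[event.default_listener.identity_mgt]
enable = false
[event.default_listener.governance_identity_mgt]
enable = true
[event.default_listener.governance_identity_store]
enable = true
[output_adapter.email]
from_address = "is-noreply@example.com"
username = "is-noreply@example.com"
password = ""
hostname = "smtp.gmail.com"
port = 587
enable_start_tls = true
enable_authentication = true
"""

def parse_toml_subset(text):
    """Parse only [section] headers and key = value lines (string, bool, int)."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config[section] = {}
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value in ("true", "false"):
            parsed = value == "true"
        else:
            parsed = value[1:-1] if value.startswith('"') else int(value)
        config[section][key] = parsed
    return config

def check_identity_mgt_config(config):
    """Return a list of findings; an empty list means the fragments are as expected."""
    findings = []
    expected = {"identity_mgt": False, "governance_identity_mgt": True,
                "governance_identity_store": True}
    for name, enabled in expected.items():
        if config.get(f"event.default_listener.{name}", {}).get("enable") is not enabled:
            findings.append(f"{name} listener must have enable = {str(enabled).lower()}")
    email = config.get("output_adapter.email", {})
    if not email.get("enable_start_tls"):
        findings.append("enable_start_tls is off: recovery mail would leave in clear text")
    if email.get("enable_authentication") and not (email.get("username") and email.get("password")):
        findings.append("enable_authentication is on but username or password is blank")
    return findings
```

Run it against your own file by replacing SAMPLE_TOML with the contents of <IS_HOME>/repository/conf/deployment.toml, bearing in mind that the parser handles only the simple key = value form shown here.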


Password Recovery
Once a user forgets their password, there must be a way to reset it. WSO2 Identity Server supports two ways of recovering a password.

1. Password recovery via email

2. Password recovery via challenge questions

Password Recovery Via Email

Introduction:
When a user forgets their password, there must be a way to recover it. One option is email notification: the user proves control of the registered email address by following the link sent to it, and can then set a new password.

Setting up
1. Click Main > Identity > Identity Providers > Resident > Account Management > Account Recovery.

2. In the Account Recovery tab, select the Enable Notification Based Password Recovery check box.

3. Click Update.

Try It
1. Go to My Account and click Forgot Password.

2. Enter the user's username, select Recover with Email, and click Submit.

3. An email notification is sent to the user's email address. Click the Reset Password button in the email.

4. Enter a new password and click Submit.


Password Recovery via Challenge Questions
Introduction:
When a user forgets their password, there must be a way to recover it. Another option is challenge questions: users who forget their password recover it by answering the challenge questions they set up for their account.

Setting up:
1. Click Main > Identity > Identity Providers > Resident > Account Management > Account Recovery.

2. In the Account Recovery tab, select the Security Questions Based Password Recovery check box.

3. Configure the required number of questions in Number of Questions Required for Password Recovery.

4. Click Update.

5. Sign in to My Account as Tom.

6. Click Update Account Security under Account Security.

7. Click '+' under Security > Account Recovery.

8. Set challenge questions and answers for the user account.

9. Click Save.

10. Sign out from the user portal.

Try It:
1. Go to My Account.

2. Click Forgot Password.

3. Enter the username and select Recover with Security Questions.

4. Click Submit.

5. Enter the answers to the challenge questions and submit.

6. Once you enter the correct answers, you are prompted with the reset password form.

7. Enter the new password and confirm it.

8. Click Submit; you will receive a message confirming that the password was reset.

Username Recovery
Introduction:
When a user forgets their username, there must be a way to recover it. WSO2 Identity Server can recover the username via email.

Setting up:
1. Go to Main > Identity > Identity Providers > Resident.

2. Expand the Account Management tab, then the Account Recovery tab.

3. Select the Username Recovery check box and the Manage notifications sending internally check box.

4. Click Update.

Try It:
1. Go to My Account.

2. Click Forgot Username.

3. Enter the required fields (the default tenant domain is carbon.super) and click Submit.

4. An email notification is sent to the user's email address with the recovered username. The email template can be customized as well.

Account Locking and Disabling
Introduction
Account locking and account disabling are security features of WSO2 Identity Server. Account locking temporarily blocks a user from logging in; account disabling is a longer-term measure that disables the account for a significant amount of time.

An account can be locked by an administrative user, or the server can be configured to lock it automatically after multiple failed login attempts.

Account Locking by an Administrator

Setting up:
1. Go to Main > Identity > Identity Providers > Resident > Login Attempts Security.

2. Click the Account Lock tab.

3. Select the Lock User Accounts check box.

4. Click Update.

5. Go to Main > Identity > Claims > List and select the http://wso2.org/claims claim dialect.

6. Select the Account Locked claim and click Edit.

7. Select the Supported by Default check box and click Update.

8. Create a user "tom".

Try It:
1. Navigate to Main > Identity > Users and Roles > Lists > Users. All users are listed.

2. Go to the user you want to lock and click User Profile.

3. Fill in the mandatory fields such as first name, last name, and email.

4. Select the Account Locked check box.

5. Click Update.

6. Go to My Account and try to log in as the user you locked.

7. The login attempt fails.



Account Locking Based on Failed Login Attempts
Setting up:
1. Go to Main > Identity > Identity Providers > Resident > Login Attempts Security.

2. Click the Account Lock tab.

3. Specify the maximum failed login attempts and the account unlock time as follows.

Maximum Failed Login Attempts: 3

Initial account lock duration: 15 (minutes)

4. Click Update.

Try It:
1. Go to My Account and try to log in, giving wrong passwords more than 3 times.

2. Now try to log in using the actual credentials. The login attempt fails.

3. An email informing the user that the account has been locked is sent to the given email address.

4. Wait for 15 minutes and try to log in again with the correct credentials. The WSO2 Identity Server Dashboard home screen appears.
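To make the behaviour just exercised concrete, here is an added Python model of the lockout logic with the same settings (3 failed attempts, 15-minute initial lock). It is not WSO2's implementation: the user store, the PBKDF2 password hashing and the injectable clock are assumptions made for the example, and the user "tom" with password "tom123" is the tutorial's sample account.

```python
import hashlib, hmac, os, time

MAX_FAILED_ATTEMPTS = 3          # "Maximum Failed Login Attempts" in the console
INITIAL_LOCK_SECONDS = 15 * 60   # "Initial account lock duration" of 15 minutes
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class LockoutStore:
    """In-memory user store; `now` is injectable so a test can advance time."""
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt),
                                "failed": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'locked' or 'bad_credentials'."""
        user = self.users.get(username)
        if user is None:
            return "bad_credentials"   # same reply as a wrong password
        if self.now() < user["locked_until"]:
            return "locked"            # refused even with the correct credentials
        if hmac.compare_digest(hash_password(password, user["salt"]), user["digest"]):
            user["failed"] = 0         # a successful login clears the failure counter
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = self.now() + INITIAL_LOCK_SECONDS
            user["failed"] = 0
            # this is the point at which the server sends the account-locked email
        return "bad_credentials"
```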

Account Disabling
Setting up:
1. Go to Main > Identity > Identity Providers > Resident > Account Management.

2. Click the Account Disable tab.

3. Select the Enable Account Disabling check box.

4. Click Update.

5. Go to Main > Identity > Claims > List and select the http://wso2.org/claims claim dialect.

6. Select the Account Disabled claim and click Edit.

7. Select the Supported by Default check box and click Update.

Try It:
1. Create a user.

2. Navigate to Main > Identity > Users and Roles > Lists > Users. All users are listed.

3. Go to the user you want to disable and click User Profile.

4. Fill in the mandatory fields such as first name, last name, and email.

5. Select the Account Disabled check box.

6. Click Update.

7. Go to My Account and try to log in as the user you disabled.

8. The login attempt fails.



Password Policies
Password policies are rules that require users to choose strong passwords. WSO2 Identity Server lets you customize password patterns to enforce such policies.

Password Patterns
Introduction
The Password Patterns policy customizes the pattern that users' passwords must follow. With this feature an organization can enforce a minimum length, a maximum length, and a regex pattern for passwords.

Setting up:
1. Go to Main > Identity > Identity Providers > Resident.

2. Click the Password Policies > Password Patterns tab.

3. Select the Validate passwords based on a policy pattern check box and edit the settings: minimum length, maximum length, regex format, and error message.

4. Click the Update button.

Try It:
1. Access the WSO2 Identity Server dashboard through My Account.

2. Click Forgot Password.

3. Enter the user's username, select Recover with Email, and then click Submit.

4. An email notification is sent to the user's email address. Click the Reset Password button in the email.

5. Enter a password that violates the configured pattern. The configured error message is shown.

Password History
Introduction
This feature prevents users from reusing passwords they used in the recent past. For example, if you configure a count of 2 passwords, users are prevented from reusing either of their last 2 passwords as the current password.

Setting up:
1. Go to Main > Identity > Identity Providers > Resident.

2. Click the Password Policies > Password History tab.

3. Select Validate password history and configure the password history count you require.

Try It:
1. Create a user using the management console. Ensure that the user has login permissions.

2. Edit the user profile and enter an email address for the user. The password recovery email notification is sent to this address.

3. Access the WSO2 Identity Server dashboard through My Account.

4. Click Forgot Password.

5. Enter the user's username, select Recover with Email, and then click Submit.

6. An email notification is sent to the user's email address. Click the Reset Password button in the email.

7. Enter the old password again as the new password and click Submit. You are asked to use a different password because this one was used previously.
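The Password Patterns and Password History policies of this section, modelled together in an added Python example (not WSO2's code): a length-plus-regex pattern check followed by a history check against salted hashes of the last 2 passwords, so the old passwords themselves are never stored. The pattern values (8 to 30 characters, at least one digit and one upper-case letter) and the error text are illustrative choices; the console lets the administrator set their own.

```python
import hashlib, hmac, os, re
from collections import deque

# Illustrative pattern-policy values; the console lets the administrator choose them.
MIN_LENGTH, MAX_LENGTH = 8, 30
PATTERN = re.compile(r"^(?=.*\d)(?=.*[A-Z]).*$")   # a digit and an upper-case letter
PATTERN_ERROR = "Password must be 8-30 characters with a digit and an upper-case letter"
HISTORY_COUNT = 2   # the tutorial's example count of previous passwords

def check_pattern(password):
    """Return None if the password satisfies the pattern policy, else the error message."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH or not PATTERN.match(password):
        return PATTERN_ERROR
    return None

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordHistory:
    """Keeps salted hashes of each user's last HISTORY_COUNT passwords, newest last."""
    def __init__(self):
        self.history = {}   # username -> deque of (salt, digest)

    def was_used_recently(self, username, password):
        # Compare against every stored hash; clear-text history is never kept.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history.get(username, ()))

    def set_password(self, username, password):
        """Apply the pattern policy, then the history policy; None means accepted."""
        error = check_pattern(password)
        if error:
            return error
        if self.was_used_recently(username, password):
            return f"Password was used within the last {HISTORY_COUNT} changes"
        entries = self.history.setdefault(username, deque(maxlen=HISTORY_COUNT))
        salt = os.urandom(16)
        entries.append((salt, _digest(password, salt)))   # the oldest entry drops off
        return None
```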
