Wednesday, September 20, 2017

Customizing Account Locking Mechanism on a User Store base in WSO2IS-5.1.0

In WSO2IS-5.1.0, there are several User Account Locking scenarios, as explained in this document.

One type of account locking scenario is account locking by failed login attempts.

By default, the configurations related to account locking based on failed attempts are global to all users in the Identity Server (i.e. global to all user stores).

Configuration parameters in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file:

Configuration: Authentication.Policy.Enable=true
Description: This enables the authentication flow level which checks for the account lock and one time password features. This property must be enabled for the account lock feature to work.

Configuration: Authentication.Policy.Account.Lock.On.Failure=true
Description: This enables locking the account when authentication fails.

Configuration: Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Description: This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. In this case, if the login fails twice, the account is locked.

Configuration: Authentication.Policy.Account.Lock.Time=5
Description: The time specified here is in minutes. In this case, the account is locked for five minutes and authentication can be attempted once this time has passed.


Let's say there is a use case to maintain these configurations per user store.

An example scenario:
  1. There are two user stores configured in a WSO2IS-5.1.0 instance.
    1. The primary user store, with the default name "PRIMARY"
    2. A secondary user store with the name "TEST"
  2. For the two user stores we need different configuration parameter values:
    1. PRIMARY user store
      • Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
      • Authentication.Policy.Account.Lock.Time=5
    2. TEST user store
      • Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=5
      • Authentication.Policy.Account.Lock.Time=3
Let's say the user store specific configurations can be given in the format below and added to <IS_HOME>/repository/conf/identity/identity-mgt.properties:
  <UserStore>.Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
  <UserStore>.Authentication.Policy.Account.Lock.Time=5
For example, for the TEST user store:
  TEST.Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=5
  TEST.Authentication.Policy.Account.Lock.Time=3

WSO2 Identity Server does not support this custom configuration out of the box. We need to write a custom User Operations Event Listener to achieve it.

One approach is to extend org.wso2.carbon.identity.mgt.IdentityMgtEventListener and override its methods to check the particular values based on the user store domain.

I have written a sample user operation event listener using this approach, overriding only two methods: doPreAuthenticate and doPostAuthenticate.

I have implemented a CustomIdentityMgtConfig class to hold the configurations and used it to retrieve the user store specific configuration values (go through the code for a better understanding).
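As an added illustration (not the sample listener from this post), the Java class below shows the two pieces such a listener needs: resolving <UserStore>-prefixed properties with a fallback to the global keys, and applying the resolved threshold and lock time where doPreAuthenticate and doPostAuthenticate would. It uses no WSO2 APIs: the class name UserStoreLockPolicyDemo and its in-memory maps are assumed stand-ins for the user claims the real IdentityMgtEventListener reads and updates.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

// Stand-alone demo; the two maps replace the failed-attempt and unlock-time user claims of WSO2 IS.
public class UserStoreLockPolicyDemo {
    static final String MAX_ATTEMPTS = "Authentication.Policy.Account.Lock.On.Failure.Max.Attempts";
    static final String LOCK_TIME = "Authentication.Policy.Account.Lock.Time";
    private final Properties props;
    private final Map<String, Integer> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();

    UserStoreLockPolicyDemo(Properties props) { this.props = props; }

    /** "<DOMAIN>.<key>" overrides the global "<key>"; absent or malformed values use the fallback. */
    int resolve(String domain, String key, int fallback) {
        String v = props.getProperty(domain.toUpperCase() + "." + key, props.getProperty(key));
        try { return v == null ? fallback : Integer.parseInt(v.trim()); }
        catch (NumberFormatException e) { return fallback; }
    }

    /** What doPreAuthenticate would check: is the account still inside its lock window? */
    boolean isLocked(String domain, String user, long nowMillis) {
        Long until = lockedUntil.get(domain + "/" + user);
        if (until == null) return false;
        if (nowMillis < until) return true;
        lockedUntil.remove(domain + "/" + user);   // lock expired: reset the counter too
        failures.remove(domain + "/" + user);
        return false;
    }

    /** What doPostAuthenticate would do: count failures against the store's own threshold. */
    boolean recordAttempt(String domain, String user, boolean authenticated, long nowMillis) {
        String id = domain + "/" + user;
        if (authenticated) { failures.remove(id); return false; }
        if (failures.merge(id, 1, Integer::sum) < resolve(domain, MAX_ATTEMPTS, 2)) return false;
        lockedUntil.put(id, nowMillis + resolve(domain, LOCK_TIME, 5) * 60_000L);
        return true;   // threshold reached, account is now locked for the store's lock time
    }

    public static void main(String[] args) throws IOException {
        Properties p = new Properties();   // constructed sample of the entries from the post
        p.load(new StringReader("Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2\n"
            + "Authentication.Policy.Account.Lock.Time=5\n"
            + "TEST.Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=5\n"
            + "TEST.Authentication.Policy.Account.Lock.Time=3\n"));
        UserStoreLockPolicyDemo d = new UserStoreLockPolicyDemo(p);
        boolean primary = false, test = false;
        for (int i = 0; i < 2; i++) { primary = d.recordAttempt("PRIMARY", "alice", false, 0L); }
        for (int i = 0; i < 2; i++) { test = d.recordAttempt("TEST", "bob", false, 0L); }
        System.out.println("PRIMARY locked after 2 failures: " + primary + ", TEST: " + test);
        System.out.println("PRIMARY still locked at +4 min: " + d.isLocked("PRIMARY", "alice", 4 * 60_000L));
    }
}
```

With the sample properties, two failures lock the PRIMARY user (threshold 2, five-minute window) while the TEST user stays unlocked (threshold 5), which is exactly the per-store behaviour the custom listener is meant to provide.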

Once the custom user operation event listener (org.wso2.carbon.sample.user.operation.event.listener.CustomIdentityMgtEventListener) is implemented, you can enable it in place of org.wso2.carbon.identity.mgt.IdentityMgtEventListener in $IS_HOME/repository/conf/identity/identity.xml.

Copy the built org.wso2.carbon.sample.user.operation.event.listener-1.0.0.jar to $IS_HOME/repository/components/dropins and restart the server.


To achieve full functionality, we may need to override other methods as well.



Defining a Custom Default Authentication Flow for All Service Providers WSO2IS-5.3.0


You can set the default authentication sequence in the $IS_HOME/repository/conf/identity/service-providers/default.xml file.

..........
<LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps>
        <AuthenticationStep>
            <StepOrder>1</StepOrder>
            <LocalAuthenticatorConfigs>
                <LocalAuthenticatorConfig>
                    <Name>BasicAuthenticator</Name>
                    <DisplayName>basicauth</DisplayName>
                    <IsEnabled>true</IsEnabled>
                </LocalAuthenticatorConfig>
            </LocalAuthenticatorConfigs>
            <!-- FederatedIdentityProviders>
                <IdentityProvider>
                    <IdentityProviderName>facebook</IdentityProviderName>
                    <IsEnabled>true</IsEnabled>
                    <DefaultAuthenticatorConfig>
                        <FederatedAuthenticatorConfig>
                            <Name>FacebookAuthenticator</Name>
                            <IsEnabled>true</IsEnabled>
                        </FederatedAuthenticatorConfig>
                    </DefaultAuthenticatorConfig>
                </IdentityProvider>
            </FederatedIdentityProviders -->
            <SubjectStep>true</SubjectStep>
            <AttributeStep>true</AttributeStep>
        </AuthenticationStep>
    </AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig>
..........


Here you can define the authentication steps for the default authentication flow. By default it is set to one step with BasicAuthenticator.

If you do NOT configure the Local & Outbound Authentication Configuration section of a Service Provider and leave it set to Default (as in the image below), the authentication flow for that Service Provider will be the flow you defined in the configuration above.
