Idle User Account Suspension in WSO2 Identity Server

Isura Karunaratne
3 min read · May 16, 2019


Image by sparkpost.com

The purpose of this blog is to explain what user account suspension is, the use cases of this feature, and how it is implemented in WSO2 Identity Server.

Some organizations offer self-registration to their end users. In such cases, some users may register with the system but never actually use it.

From the organization's point of view there is no need to keep such inactive user accounts around. If a user is no longer using the system, the account should either be treated as inactive or be deleted.

The account suspension feature in WSO2 Identity Server lets you lock accounts that have been idle for a pre-configured amount of time.

Try out the Feature

Refer to this for official WSO2 Identity Server documentation to try out the feature.

Use Cases of the Feature

  • This feature can be used to support dormant bank accounts. Customers sometimes move from one bank to another and stop transacting on the old account. If there are no transactions for some period, such as 2 years, the bank marks the account as dormant.
  • Deactivate unused accounts in the system.
  • Notify the user several times before deactivating the account.

How it works.

  • This feature is implemented as an IdentityEventHandler.
  • You can refer to this for more details about the eventing framework.
  • The latest source code of the event handler
  • The AccountSuspensionNotificationHandler is subscribed to the POST_AUTHENTICATION event.
  • In order to check whether an account is idle or not, the last login time of the user is required. This value is stored in the http://wso2.org/claims/lastLoginTime claim.
  • The POST_AUTHENTICATION event is triggered after each authentication attempt. If the authentication succeeds, AccountSuspensionNotificationHandler updates the last login time of the user.
  • When the server starts, AccountSuspensionNotificationHandler schedules a background task that periodically checks the active status of accounts.
  • These configurations can be done in the <IS_HOME>/repository/conf/identity/identity-event.properties file:

suspension.notification.enable=true
suspension.notification.account.disable.delay=90
suspension.notification.trigger.time=20:00:00
suspension.notification.delays=30,45,60,75

  • According to the above configuration, the task runs at 8 PM every day and notifies users whose accounts have not been used for the last 30, 45, 60 and 75 days.
  • If an account has not been used during the last 90 days, the task marks the user account as locked, so that the user cannot log in to the system until a privileged user unlocks the account.
  • In order to send notifications and lock accounts, the task needs the list of users whose accounts have not been used during the configured time periods.
  • Identity Server provides an extension point for retrieving this user list. The extension can be configured as a user store property.
  • The default extension points for LDAP and JDBC user stores are as follows.

LDAP Userstore

<Property name="NotificationReceiversRetrievalClass">org.wso2.carbon.identity.account.suspension.notification.task.ldap.LDAPNotificationReceiversRetrieval</Property>

JDBC Userstore

<Property name="NotificationReceiversRetrievalClass">org.wso2.carbon.identity.account.suspension.notification.task.jdbc.JDBCNotificationReceiversRetrieval</Property>

  • It retrieves the list of users who should be notified and sends them emails.
  • It also retrieves the users whose accounts have expired and locks their accounts.
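To make the schedule above concrete, here is a small Python model of the two halves of the feature: the POST_AUTHENTICATION handler that refreshes the last-login claim only on a successful login, and the daily task that reads the identity-event.properties values, notifies users at the configured idle delays, and locks accounts once the disable delay is reached. This is an added illustration, not WSO2 code. It assumes the lastLoginTime claim holds epoch milliseconds as a string, that notifications fire on the day the idle period exactly equals one of the configured delays, and that the lock is recorded in the standard accountLocked claim; the user records and dates are constructed sample data.

```python
"""Model of WSO2 IS idle-account suspension (added example, not WSO2 code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LAST_LOGIN_CLAIM = "http://wso2.org/claims/lastLoginTime"
LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked"

# Same values as the identity-event.properties fragment shown above.
CONFIG = {
    "suspension.notification.enable": "true",
    "suspension.notification.account.disable.delay": "90",
    "suspension.notification.trigger.time": "20:00:00",
    "suspension.notification.delays": "30,45,60,75",
}


@dataclass
class User:
    name: str
    claims: dict = field(default_factory=dict)


def on_post_authentication(user: User, success: bool, now: datetime) -> None:
    """Models the handler's reaction to POST_AUTHENTICATION: only a successful
    login refreshes lastLoginTime (assumed to be stored as epoch milliseconds)."""
    if success:
        user.claims[LAST_LOGIN_CLAIM] = str(int(now.timestamp() * 1000))


def idle_days(user: User, now: datetime):
    """Whole days since the last successful login, or None if never logged in."""
    raw = user.claims.get(LAST_LOGIN_CLAIM)
    if raw is None:
        return None
    last = datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)
    return (now - last).days


def next_trigger(now: datetime, trigger_time: str = "20:00:00") -> datetime:
    """Next run of the task given suspension.notification.trigger.time."""
    h, m, s = (int(x) for x in trigger_time.split(":"))
    candidate = now.replace(hour=h, minute=m, second=s, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def run_suspension_task(users, now: datetime, config=CONFIG):
    """One run of the daily task. Returns (notifications, locked_usernames).

    A user is notified on the day their idle period equals one of the
    configured delays (assumption of this model), and locked once the idle
    period reaches account.disable.delay. Already-locked accounts are skipped."""
    if config["suspension.notification.enable"] != "true":
        return [], []
    delays = {int(d) for d in config["suspension.notification.delays"].split(",")}
    lock_after = int(config["suspension.notification.account.disable.delay"])
    notifications, locked = [], []
    for user in users:
        if user.claims.get(LOCKED_CLAIM) == "true":
            continue
        days = idle_days(user, now)
        if days is None:
            continue  # never logged in: no lastLoginTime to compare against
        if days >= lock_after:
            user.claims[LOCKED_CLAIM] = "true"  # same effect as an admin lock
            locked.append(user.name)
        elif days in delays:
            notifications.append((user.name, days))
    return notifications, locked


def build_sample_users(now: datetime):
    """Constructed sample data: last successful logins at various ages."""
    users = []
    for name, age in [("alice", 30), ("bob", 45), ("carol", 90), ("dave", 10), ("erin", 120)]:
        u = User(name)
        on_post_authentication(u, True, now - timedelta(days=age))
        users.append(u)
    users[-1].claims[LOCKED_CLAIM] = "true"  # erin was locked on an earlier run
    users.append(User("frank"))  # registered but never logged in
    return users


def demo():
    now = datetime(2019, 5, 16, 20, 0, 0, tzinfo=timezone.utc)  # an 8 PM run
    return run_suspension_task(build_sample_users(now), now)


if __name__ == "__main__":
    print(demo())
```

Running the block reports alice and bob as the users to notify (30 and 45 idle days) and carol as the account to lock; dave is still within the first delay, erin is already locked, and frank has no lastLoginTime to compare against. That last case is worth noting in practice: a user who self-registers and never logs in has no last-login claim, so the retrieval query used in production must decide whether to fall back to the account creation time or that user is never picked up.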

Troubleshooting Tips

If you want to troubleshoot this feature, enable debug logs for the following packages. Add the lines below to the [WSO2_IS_HOME]\repository\conf\log4j.properties file and restart the server to print debug logs for these packages.

log4j.logger.org.wso2.carbon.identity.account.suspension.notification.task=DEBUG
log4j.logger.org.wso2.carbon.identity.governance=DEBUG

Thanks for reading …!!!
