How to disable users on WSO2 Identity Server

19th September 2019

Identity management that is both efficient and secure is key for an enterprise organization facing a constant increase in the number of users and IT resources at its disposal. With WSO2 Identity Server it is possible to establish complete control over the identities that access the data and information available throughout the organization, even as complexity grows. With this open source solution, different identities can be managed and connected efficiently, even if they come from very different applications. Here is one of the aspects of WSO2 Identity Server that usually raises the most questions: how to disable users.

WSO2 Identity Server

Managing permissions for access to different volumes of data is one of the challenges WSO2 Identity Server addresses; that data can come from many sources, such as APIs, mobile devices, the Internet of Things or the cloud, to name a few. The tool grants access through a single user identity, so the resources each user may use can be managed very flexibly while keeping security at the highest standard. But what happens when we want to disable a specific user?

Steps to disable an account

A user with the administrator profile can deactivate a user account by enabling this function in WSO2 Identity Server and editing the user's account profile. You can also turn off the account deactivation feature itself, so that users with the administrator profile no longer have permission to deactivate users. Since version 5.3.0 of WSO2 Identity Server there is a new implementation of the identity management functions, and the steps in this article follow it. The previous implementation has been preserved within the WSO2 Identity Server package for compatibility with earlier versions and continued use if necessary.

Disable an account

After starting WSO2 IS and logging in to the management console, go to Main/Claims/List and click http://wso2.org/claims. Then edit the ‘Account Disabled’ claim, check the ‘Supported by Default’ checkbox and click ‘Update’. The next step is to go to Main/Users and Roles/List/Users and click the user profile of the account you wish to deactivate. Finally, check the ‘Account Disabled’ checkbox and click ‘Update’.

Disabling Account Disabling

If we want to disable the account disabling option, even for users with the administrator profile, we have to follow a series of steps. First, open the file identity-event.properties, found in the folder <IS_HOME>/repository/conf/identity (the account disabling handler is registered in this file by default). Next, remove the following subscriptions to disable account deactivation (this removes the option to disable the account for all users):

– account.disable.handler.subscription.1=PRE_AUTHENTICATION

– account.disable.handler.subscription.2=PRE_SET_USER_CLAIMS

– account.disable.handler.subscription.3=POST_SET_USER_CLAIMS
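The following shell script is an added example, not part of the original article or of WSO2's own tooling: it removes the three subscription lines listed above from a copy of identity-event.properties, keeps a backup, and checks that only those lines were touched. The sample file contents, the helper names and the module.name / example.other.handler keys are constructed assumptions; only the three account.disable.handler.subscription keys come from the article.

```shell
#!/bin/sh
# Added example, not from the original article: strips the three
# account.disable.handler.subscription.N entries from identity-event.properties
# and checks the result. Assumes one "key=value" pair per line; the sample
# file below is constructed so the script runs offline.
set -eu

# Write a constructed stand-in for <IS_HOME>/repository/conf/identity/identity-event.properties.
# Only the three subscription keys are taken from the article; the other lines are
# placeholders standing in for unrelated handlers that must survive the edit.
make_sample_properties() {
  cat > "$1" <<'EOF'
# constructed sample, not a real WSO2 file
module.name.1=accountDisable
account.disable.handler.subscription.1=PRE_AUTHENTICATION
account.disable.handler.subscription.2=PRE_SET_USER_CLAIMS
account.disable.handler.subscription.3=POST_SET_USER_CLAIMS
module.name.2=exampleOtherHandler
example.other.handler.subscription.1=PRE_AUTHENTICATION
EOF
}

# Count the account-disable subscriptions still present (prints 0 when none).
count_account_disable_subscriptions() {
  grep -c '^account\.disable\.handler\.subscription\.[0-9][0-9]*=' "$1" || true
}

# Remove the subscriptions, keeping a backup of the original file next to it
# so the handler can be re-registered later by restoring the .bak copy.
remove_account_disable_subscriptions() {
  cp "$1" "$1.bak"
  grep -v '^account\.disable\.handler\.subscription\.[0-9][0-9]*=' "$1.bak" > "$1" || true
}

# Demonstration on a temporary file: before/after counts and a check that an
# unrelated subscription line was left untouched.
demo_file=$(mktemp)
make_sample_properties "$demo_file"
echo "before: $(count_account_disable_subscriptions "$demo_file") subscriptions"
remove_account_disable_subscriptions "$demo_file"
echo "after:  $(count_account_disable_subscriptions "$demo_file") subscriptions"
grep -q '^example\.other\.handler\.subscription\.1=' "$demo_file" && echo "unrelated handler kept"
rm -f "$demo_file" "$demo_file.bak"
```

Against a real installation, call the two functions on the actual file under <IS_HOME>/repository/conf/identity instead of the temporary file, then restart the server for the change to take effect; the before/after count is the check that the handler is no longer subscribed, and the .bak copy is what you restore if account disabling has to be switched back on.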
Identity Management with Identity Server

When you use multiple WSO2 products, you must log in to the management console of each product, which can lead to extra work and wasted time. However, it is possible to configure single sign-on for all WSO2 products, providing credentials only once. This is the case with the WSO2 Enterprise Service Bus from version 4.5.1.

On the other hand, a goal that is always pursued is to deploy authentication and authorization services for different users in a centralized and standard way, so that business applications, APIs and services do not each implement their own security logic. From both WSO2 ESB and WSO2 API Manager it is possible to apply quality of service (QoS) and security policies, identity management, authentication and authorization across an organization.