Lockout Self-Service in the Loginapp REST API/UI

The lockout self-service allows authenticated users to lock their user accounts.

This could be for security reasons, e.g. if users suspect that their password has been stolen or that their account has been compromised.

The account can only be unlocked by an administrator (or the help desk), not via the Unlock self-service.

Implementation as protected self-service flow

The lockout self-service can be configured as a protected self-service flow. The main work of the flow, locking the user account, is done by the Lock Self-Service Step. It can be combined with other flow steps to obtain the desired user experience.

Consider the following example flow:

(Figure: SelfLockoutProtectedSelfService, the example lockout protected self-service flow)

Configuration

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. Add a new Custom Protected Self-Service Flow plugin to the list
  3. In the new flow, configure the necessary steps including the Lock Self-Service Step.
  4. For the flow to work correctly, a Custom Flow Processor needs to be configured (in property Processors of the flow) with the following processors:
    • Factor Use Reporting Processor: It makes sure that attempts at authentication factors are reported correctly.
    • Failed Factor Attempts Processor: It makes sure that failed attempts at authentication factors are counted correctly. This is important for security.
    • User Validity Processor with the string LockReason.SelfLockout in the list of Allowed Lock Reasons: This lets the flow finish successfully even though the user has been locked. Without this information, the processor would abort the flow once the user has been locked. Note that this processor also makes sure that the user session is terminated after the flow has finished.

A pre-configured flow (without 2nd-factor approval and with just one Acknowledge message step) can be found in the demo configuration template.

Text elements are available in the product for the following IDs:

  • Flow ID: self-lockout
  • Message ID in the Acknowledge Message Step: self-lockout

If the login page is shown after the flow has completed (this is defined in the UI settings of the flow), Airlock IAM shows its default message for locked user accounts on the login screen. In this case, the second Acknowledge Message Step in the example above may be omitted.