WSO2 Identity Server 5.11: Password expiry option not available as per documention

Question

I need to add password expiry feature in my application using wso2 identity server version 5.11. Referred to following documentation:https://is.docs.wso2.com/en/latest/learn/password-expiry/ As per the aforementioned document we need to download password policy authenticator which is not supported by latest IS 5.11. Also, I did not get Password Expiry option under Password Policies in resident section of identity providers.

Kindly suggest how can I add password expiry feature in wso2 IS 5.11 which will redirect my application to change password window after user password gets expire.

Thanks in Advance!

Answer 1

To do this,
Prerequsists

1. Stop the server if it is already running.
2. Download the Password Reset Enforcer code from here and build it using mvn clean install -DskipTest
3. Add the following lines to <IS_HOME>/repository/conf/deployment.toml file

    [[event_handler]]
    name= "passwordExpiry"
    subscriptions =["POST_UPDATE_CREDENTIAL", "POST_UPDATE_CREDENTIAL_BY_ADMIN", "POST_ADD_USER"]
    [event_handler.properties]
    passwordExpiryInDays= "30"
    enableDataPublishing= false
    priorReminderTimeInDays= "0"

3. Check the build files and copy the authentication page (<PASSWORD_RESET_ENFORCER_ARTIFACTS>/is/pwd-reset.jsp) to the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/ directory.
4. Copy the connector (org.wso2.carbon.extension.identity.authenticator.passwordpolicy.connector-<version>.jar) to the <IS_HOME>/repository/components/dropins/ directory.

Configuring the Expiration Policy

1. Start the Identity Server and log in.
2. In the Identity section under the Main tab, click Resident under Identity Providers.
3. Go to Password Expiry under Password Policies.
4. Change Password Expiry In Days according to your requirements. (By default, the Password Reset Enforcer will expire passwords in 30 days.)
5. Click Update to save the changes.

Configurations

1. Go to claims in the admin console and find http://wso2.org/claims/identity/lastPasswordUpdateTime URI or last password update claim and make it as supported by default.
2. Create a new user then go to the management console and go to user-profile of the user and update the Last Password Update value to a lower value.
3. Go to the Local and Outbound Authentication Configuration section in the Service Providers page of your service.
4. Select the Advanced Configuration radio button option. Add the basic authentication as the first step and Password Reset Enforcer authentication as the second step. Select User subject identifier from this step under basic authentication. Select Use attributes from this step under Password Reset Enforcer.
5. Now try to login into the app again, you will be requested the password.

More info: https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy/blob/master/docs/config.md