Users

Blocking inactive users

Blitz Identity Provider tracks the time of each user's last activity and can block accounts that have been inactive for a long time. To enable this feature, schedule the lockinactive.sh script with cron. The script is located in the /usr/share/identityblitz/blitz-console/bin directory on the server running the blitz-console application. It is recommended to run the script once a day, at a time of minimal activity on the system. Before running the script, open it in a text editor and set:

  • inactive_period - the required period of inactivity (in days) after which an account is blocked;

  • range_size - the range of account coverage (in days): accounts whose last activity falls between (current date - inactive_period - range_size) and (current date - inactive_period) are blocked.

Blitz Identity Provider can also lock an account automatically at the moment of a login attempt if the account has been inactive for a long period. To enable this feature, add the blitz.prod.local.idp.lock configuration block containing an inactivity block. Its limit setting (in seconds) specifies the maximum allowed inactivity period; once it is exceeded, the account is locked for inactivity at the next login attempt. The checkInterval setting (in seconds) specifies the minimum interval between inactivity checks, so that an account is not checked for inactivity on login more often than this.

Example of configuration:

"lock" : {
    "inactivity" : {
        "checkInterval" : 86400,
        "limit" : 31536000
    }
}

In the settings of the password recovery service, you can enable a mode that unlocks an account locked for inactivity when the user successfully recovers a forgotten password.
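As an added illustration of the two mechanisms described in this section (not code from Blitz Identity Provider itself), the following Python models the date window that one lockinactive.sh run covers, shows how a skipped daily run can leave accounts uncovered when range_size is too small, and models the limit/checkInterval check performed at login. The function names are mine, and inclusive window bounds and a strict comparison against limit are assumptions.

```python
from datetime import date, datetime, timedelta
from typing import Optional


def lock_window(today: date, inactive_period: int, range_size: int) -> tuple[date, date]:
    """Last-activity dates locked by one script run on 'today':
    from (today - inactive_period - range_size) to (today - inactive_period)."""
    upper = today - timedelta(days=inactive_period)
    lower = upper - timedelta(days=range_size)
    return lower, upper


def in_lock_window(last_activity: date, today: date, inactive_period: int, range_size: int) -> bool:
    """True if a run on 'today' would block an account with this last-activity date.
    Both ends of the window are treated as inclusive (assumption)."""
    lower, upper = lock_window(today, inactive_period, range_size)
    return lower <= last_activity <= upper


def missed_by_runs(last_activity: date, run_dates: list[date], inactive_period: int, range_size: int) -> bool:
    """True if none of the given script runs covers the account, e.g. because a
    daily cron run was skipped and range_size does not span the gap."""
    return not any(in_lock_window(last_activity, d, inactive_period, range_size) for d in run_dates)


def check_on_login(last_activity: datetime, last_check: Optional[datetime], now: datetime,
                   limit: int, check_interval: int) -> tuple[bool, bool]:
    """Login-time check modelled on the 'lock.inactivity' block.
    Returns (check_performed, lock_account). The check is skipped when the
    previous check happened less than check_interval seconds ago."""
    if last_check is not None and (now - last_check).total_seconds() < check_interval:
        return False, False
    inactive_for = (now - last_activity).total_seconds()
    return True, inactive_for > limit  # strict '>' is an assumption


if __name__ == "__main__":
    # Constructed sample: daily cron skipped on June 2 and June 3, 2024.
    runs = [date(2024, 6, 1), date(2024, 6, 4)]
    print("range_size=1 misses Mar 4:", missed_by_runs(date(2024, 3, 4), runs, 90, 1))
    print("range_size=2 covers Mar 4:", not missed_by_runs(date(2024, 3, 4), runs, 90, 2))
    print(check_on_login(datetime(2023, 1, 1), None, datetime(2024, 6, 1), 31536000, 86400))
```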

Prohibit reuse of deleted user IDs

Blitz Identity Provider can keep track of previously used user IDs so that, for a specified period after a user account is deleted, its ID cannot be reused. To do this, add the following remove section to the blitz.prod.local.idp.provisioning block, specifying in days the number of days during which the user ID cannot be used for re-registration:

"provisioning" : {
  …
  "remove": {
    "mode": "keepRemovedId",
    "days": 365
  }
}