Configuring account lockout protection
Use PingFederate’s functionality to customize your account lockout protection settings.
Steps
- Edit the com.pingidentity.common.security.AccountLockingService.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

  The following table describes the properties in the com.pingidentity.common.security.AccountLockingService.xml file.

  | Property | Description |
  | --- | --- |
  | MaxConsecutiveFailures | The maximum number of consecutive failed sign-on attempts before the user is locked out for a period of time. The default value is 3. The per-instance setting in the HTML Form Adapter and the Username Token Processor overrides this property. |
  | LockoutPeriod | The amount of time, in minutes, that a user is locked out once the MaxConsecutiveFailures threshold is reached. The default value is 1 minute. |
  | UseIPForLockout | Whether lockout decisions consider the user's IP address. true counts failures per combination of username and IP address. false counts failures per username only, so requests with the same username from different IP addresses are considered together. The default value is true. Setting this property to false prevents malicious actors from bypassing the lockout by changing or masking their IP address, but it also makes it easier for a malicious actor to lock an account deliberately (a denial of service against that user). |

  If you have a PingFederate clustered environment, edit this file on the console node.
- Save the change.
- Restart PingFederate.
- If you have a PingFederate clustered environment, click Replicate Configuration in System > Server > Cluster Management.
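The trade-off described for UseIPForLockout is easiest to see by replaying sign-on attempts through a model of the documented rules. The following Python is an added example, not code from PingFederate or from this page: the con:config and con:item layout of the XML fragment, the sample addresses and the timing of the attempts are assumptions constructed for the example, and the model ignores the per-instance overrides in the HTML Form Adapter and the Username Token Processor.

```python
# Added example (not PingFederate code): parse the three AccountLockingService
# properties from a config-store style XML file and replay sign-on attempts
# through a small model of the documented lockout rules, to show what
# UseIPForLockout changes. The con:config / con:item layout of the XML is an
# assumption made for this example; check it against the file on disk.
import xml.etree.ElementTree as ET
from collections import defaultdict

CONFIG_NS = "http://www.sourceid.org/2004/05/config"  # assumed namespace

# Constructed sample with the documented defaults: 3 failures, 1 minute, IP considered.
DEFAULT_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<con:config xmlns:con="http://www.sourceid.org/2004/05/config">
    <con:item name="MaxConsecutiveFailures">3</con:item>
    <con:item name="LockoutPeriod">1</con:item>
    <con:item name="UseIPForLockout">true</con:item>
</con:config>
"""

# Same thresholds, but the lockout is keyed on the username alone.
USERNAME_ONLY_CONFIG_XML = DEFAULT_CONFIG_XML.replace(
    '<con:item name="UseIPForLockout">true</con:item>',
    '<con:item name="UseIPForLockout">false</con:item>')


def parse_lockout_config(xml_text):
    """Return the three lockout properties, falling back to the documented defaults."""
    root = ET.fromstring(xml_text)
    items = {item.get("name"): (item.text or "").strip()
             for item in root.findall("{%s}item" % CONFIG_NS)}
    return {
        "max_failures": int(items.get("MaxConsecutiveFailures", "3")),
        "lockout_minutes": int(items.get("LockoutPeriod", "1")),
        "use_ip": items.get("UseIPForLockout", "true").lower() == "true",
    }


class LockoutTracker:
    """Counts consecutive failures per key and locks the key for LockoutPeriod minutes."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, user, ip):
        # UseIPForLockout=true: one counter per (username, IP) pair.
        # UseIPForLockout=false: one counter per username, whatever the source IP.
        return (user, ip) if self.cfg["use_ip"] else (user,)

    def attempt(self, user, ip, password_ok, now):
        """Outcome of one sign-on attempt at time `now` (seconds): success, failure or locked."""
        key = self._key(user, ip)
        if now < self.locked_until.get(key, 0.0):
            return "locked"  # rejected before the password is even checked
        if password_ok:
            self.failures[key] = 0
            return "success"
        self.failures[key] += 1
        if self.failures[key] >= self.cfg["max_failures"]:
            self.locked_until[key] = now + self.cfg["lockout_minutes"] * 60
            self.failures[key] = 0
        return "failure"


def run(cfg, attempts):
    """Replay (user, ip, password_ok, time) tuples and return the outcome of each."""
    tracker = LockoutTracker(cfg)
    return [tracker.attempt(user, ip, ok, now) for user, ip, ok, now in attempts]


# Constructed scenario 1: an attacker makes six wrong guesses for alice,
# each from a different source address (IP rotation).
ROTATING_IPS = [("alice", "198.51.100.%d" % i, False, float(i)) for i in range(6)]

# Constructed scenario 2: an attacker makes three wrong guesses from one address,
# then alice signs on with the correct password from her own address 10 s later
# and again 130 s later (after the 1-minute lockout would have expired).
ONE_IP_THEN_VICTIM = [
    ("alice", "198.51.100.7", False, 0.0),
    ("alice", "198.51.100.7", False, 1.0),
    ("alice", "198.51.100.7", False, 2.0),
    ("alice", "203.0.113.5", True, 10.0),
    ("alice", "203.0.113.5", True, 130.0),
]

if __name__ == "__main__":
    for label, xml_text in (("UseIPForLockout=true", DEFAULT_CONFIG_XML),
                            ("UseIPForLockout=false", USERNAME_ONLY_CONFIG_XML)):
        cfg = parse_lockout_config(xml_text)
        print(label)
        print("  rotating IPs:      ", run(cfg, ROTATING_IPS))
        print("  one IP, then alice:", run(cfg, ONE_IP_THEN_VICTIM))
```

With the default (true), the six rotating-IP guesses never trip the lockout because each (username, IP) pair has its own counter, and alice's own sign-on is unaffected by the attacker's failures. With false, the attacker's third guess locks the username itself, so alice's correct sign-on at 10 s is rejected until the LockoutPeriod has elapsed; that is the deliberate-lockout risk the table warns about.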