Running the API doesn't unlock the account in LDAP ID Store in VIP AH
Article ID: 265181


Products

VIP Authentication Hub

Issue/Introduction

In VIP Authentication Hub, calling the UserLocker API to unlock an account does not unlock it: the user stays locked in the LDAP ID Store.

Use case:

  Configuration:

  userMaxStrikeCount = 3
  userAutoUnlockPeriodMinutes = 3
  isAuthoritativeForIDLCM = true

  1. A user accesses a page protected by the "VIP Authentication Hub Template" Authentication Scheme.
  2. The user enters wrong credentials 3 times.
  3. The user is now locked in LDAP, and a further sign-in attempt more than 3 minutes later (after userAutoUnlockPeriodMinutes has elapsed) does not unlock the user.
  4. The administrator unlocks the user manually with https://{{sspHost}}/{{apiPathTenant}}/admin/v1/UserLocker/{{userLoginid}}, body: {"locked": false}.
  5. The locked state of the user in LDAP is not changed.

Resolution

The /admin/v1 version of the UserLocker API unlocks the account in the Authentication Hub database only. It is intended for ZFP (Zero Footprint) setups, where the Authentication Hub database is the only store of the lock status.

In non-ZFP setups, the LDAP ID Store is authoritative for the lock status: every sign-in reads the lock status from the ID Store first and uses it to update the account in the Authentication Hub database. An unlock applied only to the database is therefore overwritten by the locked status still held in LDAP at the next sign-in, which is why the /admin/v1 call appears to have no effect.

When a user exceeds the allowed number of strikes (userMaxStrikeCount), the lock is also written to the user's entry in the LDAP ID Store, provided the ID Store is marked as authoritative for identity lifecycle operations (isAuthoritativeForIDLCM = true).

Hence, in a non-ZFP setup with an authoritative LDAP ID Store, the user's lock status must be managed in the LDAP ID Store itself or through the /idstore version of the UserLocker API:

  https://{{host}}/{{tenantName}}/idstore/v1/UserLocker/{{userLoginid}}
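The following is an added example, not Broadcom's or the product's own code. It sends the unlock to the endpoint that owns the lock status for the deployment type, and carries a small model of the sign-in reconciliation described above to show why an /admin/v1 unlock is overwritten when the LDAP ID Store is authoritative. Only the two URL paths and the {"locked": false} body come from this article; the HTTP method (PUT), the bearer-token header, the host and tenant values, the failure rule on status codes and the LockModel class are assumptions made for the example.

```python
"""Unlock a VIP Authentication Hub user against the store that owns its lock
status (added example; not the product's code)."""
import json
import urllib.request
from typing import Callable, Dict, List

# Assumption: the KB article documents only the URL paths and the body
# {"locked": false}. The method, the Authorization header and the
# "HTTP status >= 400 means failure" rule below are assumed for this example.
HTTP_METHOD = "PUT"


def locker_url(host: str, tenant: str, login_id: str, ldap_authoritative: bool) -> str:
    """Pick the UserLocker endpoint that governs the lock status.

    ZFP setup (no external ID store):            /admin/v1   (Auth Hub database)
    non-ZFP setup, LDAP ID Store authoritative:  /idstore/v1 (LDAP ID Store)
    """
    path = "idstore/v1" if ldap_authoritative else "admin/v1"
    return f"https://{host}/{tenant}/{path}/UserLocker/{login_id}"


Request = Dict[str, object]
Transport = Callable[[Request], int]  # sends one request, returns the HTTP status


def unlock_user(host: str, tenant: str, login_id: str, token: str,
                ldap_authoritative: bool, send: Transport) -> Request:
    """Send {"locked": false} to the right locker endpoint; return the request sent."""
    req: Request = {
        "method": HTTP_METHOD,
        "url": locker_url(host, tenant, login_id, ldap_authoritative),
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"locked": False}),
    }
    status = send(req)
    if status >= 400:
        raise RuntimeError(f"unlock of {login_id} failed: HTTP {status}")
    return req


def urllib_transport(req: Request) -> int:
    """Real transport (needs network access to the Auth Hub and a valid token)."""
    r = urllib.request.Request(str(req["url"]), data=str(req["body"]).encode(),
                               headers=dict(req["headers"]), method=str(req["method"]))
    with urllib.request.urlopen(r) as resp:
        return resp.status


class RecordingTransport:
    """Constructed fake transport: records the requests and always answers 200."""
    def __init__(self) -> None:
        self.sent: List[Request] = []

    def __call__(self, req: Request) -> int:
        self.sent.append(req)
        return 200


class LockModel:
    """Toy model (assumption, not product code) of the two lock records and of
    the sign-in reconciliation the article describes: in a non-ZFP setup with an
    authoritative LDAP ID Store, every sign-in copies the LDAP status over the
    database status before the credentials are checked."""
    def __init__(self, ldap_authoritative: bool, max_strikes: int = 3) -> None:
        self.ldap_authoritative = ldap_authoritative
        self.max_strikes = max_strikes      # userMaxStrikeCount
        self.strikes = 0
        self.db_locked = False              # Authentication Hub database
        self.ldap_locked = False            # LDAP ID Store

    def sign_in(self, password_ok: bool) -> bool:
        if self.ldap_authoritative:
            self.db_locked = self.ldap_locked   # ID Store status wins
        if self.db_locked:
            return False
        if password_ok:
            self.strikes = 0
            return True
        self.strikes += 1
        if self.strikes >= self.max_strikes:
            self.db_locked = True
            if self.ldap_authoritative:        # isAuthoritativeForIDLCM = true
                self.ldap_locked = True
        return False

    def admin_unlock(self) -> None:     # /admin/v1: database record only
        self.db_locked = False

    def idstore_unlock(self) -> None:   # /idstore/v1: LDAP ID Store record
        self.ldap_locked = False


if __name__ == "__main__":
    fake = RecordingTransport()
    sent = unlock_user("ssp.example.com", "tenant1", "jdoe", "TOKEN", True, fake)
    print(sent["method"], sent["url"])
    m = LockModel(ldap_authoritative=True)
    for _ in range(3):
        m.sign_in(password_ok=False)
    m.admin_unlock()
    print("after /admin/v1 unlock, correct password accepted:", m.sign_in(True))
    m.idstore_unlock()
    print("after /idstore/v1 unlock, correct password accepted:", m.sign_in(True))
```

Pass urllib_transport as `send` to issue the real call; the RecordingTransport lets the endpoint selection be checked offline. The model deliberately ignores userAutoUnlockPeriodMinutes, since the article only states that the auto-unlock did not happen, not how it is evaluated.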

Additional Information