Tuesday, December 8, 2015

Tracking Last Successful Login Attempt Timestamp of Users with WSO2 Identity Server

In Identity and Access Management Systems, it is important to track the timestamp of last login attempt of users. However WSO2 Identity Server currently (IS 5.1.0 or before) does not support this feature out of the box. When a user logs into the Management Console, Identity Server is adding the following entry to the IS_HOME/repository/logs/wso2carbon.log file.

[2015-12-07 20:58:29,363]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  '[email protected] [-1234]' logged in at [2015-12-07 20:58:29,363-0800]

Similarly, when the user logs out, following is added to the same log.

[2015-12-07 21:02:45,295]  INFO {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} -  '[email protected] [-1234]' logged out at [2015-12-07 21:02:45,0295]

At the same time, it adds another entry to IS_HOME/repository/logs/audit.log file upon user login.
[2015-12-07 21:02:35,951]  INFO -  '[email protected] [-1234]' logged in at [2015-12-07 21:02:35,951-0800]

Corresponding entry for user logout is following.
[2015-12-07 21:02:45,296]  INFO -  '[email protected] [-1234]' logged out at [2015-12-07 21:02:45,0295]

However when considering SSO scenario, Identity Server does not persist the timestamp of the last successful login attempt which is a need to have feature. This feature is requested in the JIRA [1] and will be added into a feature version of Identity Server.

However with any WSO2 product, the extensibility is there where we can write a custom component that satisfies our requirement and plug that to the server. In this blog post, I am demonstrating how to write a custom component which can track the last successful login attempt of a user that got authenticated with Identity Server. Here when the user gets authenticated to Identity Server, I am getting the system timestamp and storing it as a claim of the logged in user.

For this demonstration, I am using WSO2 Identity Server 5.0.0 version with Service Pack 1 installed.

First, login to the Management Console of Identity Server and add a new claim under the Default WSO2 Carbon Dialect (http://wso2.org/claims). This is because then we can make this claim appear in the profile of user as an attribute. Here I am giving the claim URI as http://wso2.org/claims/lastLoginTimestamp . You can add any claim URI as you wish and from the custom component, we have to persist the timestamp value with the same claim URI. Here I set ‘Supported by Default’ to ‘true’ so that this claim will appear in the UI when we view the user’s profile. For the mapped attribute, I have added ‘title’ attribute which is a default attribute defined in the underlying LDAP schema of Identity Server. You can add any attribute name which is supported by the underlying userstore.

I have created a user with username ‘tharindu’. Then I view the User Profile of this user.
Now I can see the newly added claim for storing the Last Login Timestamp. Currently it does not have any value.

When writing the custom component, we can either implement the org.wso2.carbon.user.core.listener.UserOperationEventListener [2] interface or extend the org.wso2.carbon.user.core.common.AbstractUserOperationEventListener [3] class. (Currently for Carbon 4.2.0 kernel, the user.core component’s latest patch is patch0013 so here I have referred the links to the SVN for patch0013. But you don’t need to refer any of these classes because we just need to implement one method in our custom component’s class).  

In this example, I am extending the org.wso2.carbon.user.core.common.AbstractUserOperationEventListener class and overriding the doPostAuthenticate method.

The complete source code of this component is available in the GIT repository https://github.com/thariyarox/LastLoginTimestamp  [4].

You can clone this project from github and build it. Then you will get the org.wso2.carbon.custom.user.operation.event.listener-1.0.0.jar file. If you want to skip building the project and just try out this, you can download the pre-built jar file from [5].

Then copy this jar file to IS_HOME/repository/components/dropins directory. (Since this is an OSGI bundle we copy to dropins directory. For non-osgi components, we copy them into the lib directory instead of dropins).

If you want to enable debug logs for this component, you can add following line to IS_HOME/repository/conf/log4j.properties file.

After that restart the server and login to the management console. If you have enabled the debug logs, you will see the following in the wso2carbon.log file (or in the terminal).
[2015-12-07 23:56:35,934] DEBUG {org.wso2.carbon.custom.user.operation.event.listener.CustomUserOperationEventListener} -  Last Login Timestamp for user : tharindu is 1449561395892

Even if you login to a client application that used Identity Server for authentication, those login attempt timestamps are also tracked in the same manner with this.

You can login to the Management Console as admin and view the profile of the user. We can see that the timestamp value for last successful login attempt is persisted as a claim of the user.
In this sample, it is only persisting the timestamp of a successful login attempt. You can modify the code easily to handle failed login attempts scenarios as well according to your requirements.

References :

Tharindu Edirisinghe
Identity Server Team


  1. Hi Tharindu,
    Could you let me know how to control the session timeout for "sessionDataKey" from login page(Authentication end point project)? If you are in login page for >10minutes then if we try to login using proper credentials , system redirects to saml_redirect.jsp.


  2. Hi Prabu,

    You can refer [1] and [2] to get more information regarding this.

    [1] https://docs.wso2.com/display/IS500/Enabling+Authentication+Session+Persistence
    [2] http://malithiedirisinghe.blogspot.com/2015/03/how-to-manage-session-in-wso2-is-500.html