Your account is locked. You can unlock your account by going to Forgot Password


If you log in to an application protected by Oracle Access Manager (OAM, for Single Sign-On/SSO) and see a screen like the one above, "Your account is locked. You can unlock your account by going to Forgot Password", the error means your account is locked in Oracle Access Manager (OAM).

Q: How does OAM 11g decide that an account is locked?

If the user's obLockoutTime attribute has a value, or obLoginTryCount is set to 5, OAM treats the account as locked.

Q: How can an end user unlock the account without contacting an administrator (self service)?

If OAM is integrated with Oracle Identity Manager (OIM), clicking the Forgot Password link takes the user to the forgot password page in OIM. The user then answers the challenge questions registered at first login. After the challenge questions are answered correctly, OIM resets the password in OIM and also updates it in LDAP (OID in this case) through LDAPSync (OIM must be configured with LDAPSync enabled; more on LDAPSync here, here, and here). This process also clears the two attributes obLockoutTime and obLoginTryCount, so OAM treats the account as unlocked again.

Q: How can an OIM administrator unlock, via OIM, an account locked in OAM?

Once a user is locked in OAM (via the two attributes obLockoutTime and obLoginTryCount), the LDAP User Reconciliation job in OIM (which runs every 5 minutes) brings the user's data into OIM and enables the UNLOCK button next to that user (if you see a LOCK button the user is not locked; if you see an UNLOCK button the user is locked in OIM too). The administrator can click the UNLOCK button next to the user details.

Note: If there is any problem with the reconciliation job (LDAP User Reconciliation), you can end up with a user who is locked in OAM but not in OIM. The workaround in that case is to first LOCK the user from OIM and then UNLOCK the user again from OIM (this step should clear the two attributes obLockoutTime and obLoginTryCount in OID).

Q: How can an OID administrator unlock an account locked in OAM?

If you have access to Oracle Internet Directory (or whichever LDAP server OAM uses as its user store), log in to the LDAP server and clear the values of the two attributes obLockoutTime and obLoginTryCount, then log in again with the password used earlier.

If you don't know which LDAP (or OID) store OAM is configured to use for username/password validation, check here, here, and here.
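The lock rule described above (obLockoutTime set, or obLoginTryCount at 5) and the OID administrator's clean-up, as an added example that is not part of the original post: it reads an ldapsearch-style export, flags the entries OAM would treat as locked, and emits the ldapmodify input that deletes only the attributes actually present, so a half-locked entry does not fail with noSuchAttribute. The sample entries and DNs are constructed for illustration.

```python
OAM_MAX_TRIES = 5  # the obLoginTryCount value the post names as the lock threshold


def parse_ldif(text):
    """Minimal reader for ldapsearch-style LDIF: returns {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # blank line ends an entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def is_oam_locked(attrs):
    """OAM 11g rule from the post: locked if obLockoutTime has a value
    or obLoginTryCount has reached the maximum (5)."""
    lockout = attrs.get("oblockouttime", [])
    tries = attrs.get("oblogintrycount", ["0"])
    return bool(lockout) or int(tries[0]) >= OAM_MAX_TRIES


def unlock_ldif(dn, attrs):
    """Build the ldapmodify input that clears the two OAM lock attributes.
    Only attributes present on the entry are deleted, so the modify succeeds
    even when reconciliation left just one of them behind."""
    present = [a for a in ("obLockoutTime", "obLoginTryCount") if attrs.get(a.lower())]
    if not present:
        return ""
    body = "\n-\n".join(f"delete: {a}" for a in present)
    return f"dn: {dn}\nchangetype: modify\n{body}\n-\n"


def find_locked(ldif_text):
    """Return {dn: unlock LDIF} for every entry OAM would treat as locked."""
    return {dn: unlock_ldif(dn, attrs)
            for dn, attrs in parse_ldif(ldif_text).items() if is_oam_locked(attrs)}


# Constructed sample export (not real directory data): one locked, one not.
SAMPLE = """dn: cn=jdoe,cn=Users,dc=example,dc=com
cn: jdoe
obLoginTryCount: 5
obLockoutTime: 1700000000

dn: cn=asmith,cn=Users,dc=example,dc=com
cn: asmith
obLoginTryCount: 2
"""

if __name__ == "__main__":
    for ldif in find_locked(SAMPLE).values():
        print(ldif)  # pipe into: ldapmodify -h <oid-host> -p <port> -D <admin-dn> -w <pwd>
```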

Other issues related to account lockout in the Oracle stack (depending on how you log in and how the components are integrated with each other) are


This entry is part 17 of 20 in the series Oracle Access Manager

About the Author: Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy, an Oracle Gold Partner specialising in design, implementation and training.
