Account Lockout node

The Account Lockout node locks or unlocks the authenticating user’s account profile.

The Data Store Decision node checks whether the account is locked when it validates the user's credentials. Alternatively, you can use the Account Active Decision node to check the account status at any point in the journey.

For more information, refer to Account lockout.


Product                                        Compatible?
PingOne Advanced Identity Cloud                Yes
ForgeRock Access Management (self-managed)     Yes
ForgeRock Identity Platform (self-managed)     Yes

Inputs

This node requires the username property in the incoming node state. It uses this value to look up the account whose status it sets in the user profile.

It also requires the realm property, which Identity Cloud sets by default.

Dependencies

This node depends on the underlying identity service that stores the user profile.


Configuration

Property       Usage
Lock Action    Choose whether to LOCK or UNLOCK the authenticating user's account profile.


Outputs

This node does not change the shared node state.


Outcomes

Single outcome path. The node updates the account status according to the configured Lock Action:

LOCK: The account is inactive and the user cannot authenticate.

UNLOCK: The account is active and the user can authenticate.


Errors

If this node fails to set the account status, it logs a "failed to set the user status inactive" warning.

This node can also throw exceptions with the following messages:

Message                                                                         Notes
Could not get a valid username from the context                                 Failed to read the username from the shared node state
Could not get a valid realm from the context                                    Failed to read the realm from the shared node state
Could not find the identity based on the information available on context      Failed to find the account profile with this username in this realm
An error occurred when trying to lock out the user account                      Failed to update the account status; applies both when locking and when unlocking the account


Example

The following simple example uses this node with the Retry Limit Decision node to lock an account after the configured number of invalid attempts:

Lock an account after too many authentication failures

The Retry limit property of the Retry Limit Decision node (default: 3) defines the number of failed attempts allowed before the Account Lockout node locks the account.

Before using a journey like this in production, adapt it to reset the retry count on successful authentication; otherwise earlier failures still count, and the account can be locked again after fewer further mistakes than intended. Because any failed-attempt lockout lets someone who knows a username deliberately lock that account, also provide an unlock path, for example an administrative journey that uses this node with Lock Action set to UNLOCK.
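The following is an added, runnable model of the journey described above and of the error conditions listed under Errors; it is illustration written for this page, not ForgeRock or PingOne code. It implements the Account Lockout node's documented inputs, error messages and LOCK/UNLOCK behaviour against a stand-in identity store, chains it behind modelled Data Store Decision and Retry Limit Decision nodes, and then runs the same sequence with and without a retry-count reset on success to show why the adaptation matters. The outcome strings, the "Active"/"Inactive" status values, the assumption that the retry counter is keyed by realm and username and persists across attempts, and the user alice with password correct-horse are all constructed for the example.

```python
# Added illustration, not ForgeRock/PingOne code: a runnable model of the
# lockout journey. Node behaviour follows the documentation; the outcome
# strings, status values, persisted counter and sample identity are assumptions.
from dataclasses import dataclass


class NodeError(Exception):
    """Carries the messages the Account Lockout node is documented to throw."""


@dataclass
class Identity:
    username: str
    realm: str
    password: str
    status: str = "Active"  # assumed values: "Active" or "Inactive"


class IdentityStore:
    """Stand-in for the identity service that stores the user profile."""

    def __init__(self, identities):
        self._by_key = {(i.realm, i.username): i for i in identities}

    def find(self, realm, username):
        return self._by_key.get((realm, username))


def account_lockout_node(shared_state, store, lock_action):
    """Model of the node: read username and realm from the shared state,
    set the profile status, return the single outcome. State is not modified."""
    if lock_action not in ("LOCK", "UNLOCK"):
        raise ValueError("Lock Action must be LOCK or UNLOCK")
    username = shared_state.get("username")
    if not username:
        raise NodeError("Could not get a valid username from the context")
    realm = shared_state.get("realm")
    if not realm:
        raise NodeError("Could not get a valid realm from the context")
    identity = store.find(realm, username)
    if identity is None:
        raise NodeError("Could not find the identity based on the information available on context")
    identity.status = "Inactive" if lock_action == "LOCK" else "Active"
    return "outcome"


def lockout_error_message(shared_state, store, lock_action="LOCK"):
    """Return the node's error message for a bad context, or None on success."""
    try:
        account_lockout_node(shared_state, store, lock_action)
    except NodeError as err:
        return str(err)
    return None


def data_store_decision_node(shared_state, store):
    """Model: credentials must match and the account must not be locked."""
    identity = store.find(shared_state.get("realm"), shared_state.get("username"))
    if identity is None or identity.status != "Active":
        return "false"
    return "true" if identity.password == shared_state.get("password") else "false"


def retry_limit_decision_node(shared_state, counters, retry_limit=3):
    """Model: per-user failure counter (assumed to persist across attempts);
    'Retry' while below the limit, 'Reject' once it is reached."""
    key = (shared_state["realm"], shared_state["username"])
    counters[key] = counters.get(key, 0) + 1
    return "Retry" if counters[key] < retry_limit else "Reject"


def run_journey(store, counters, realm, username, password,
                retry_limit=3, reset_on_success=False):
    """One attempt: Data Store Decision -> (false) -> Retry Limit Decision
    -> (Reject) -> Account Lockout (LOCK) -> failure."""
    state = {"realm": realm, "username": username, "password": password}
    if data_store_decision_node(state, store) == "true":
        if reset_on_success:  # the adaptation the documentation asks for
            counters.pop((realm, username), None)
        return "success"
    if retry_limit_decision_node(state, counters, retry_limit) == "Retry":
        return "retry"  # the journey loops back to collect credentials again
    account_lockout_node(state, store, "LOCK")
    return "failure"


def demo(reset_on_success):
    """Three bad passwords lock alice; an UNLOCK journey frees her; she logs in,
    then mistypes once. Without the reset, that single typo locks her again."""
    store = IdentityStore([Identity("alice", "alpha", "correct-horse")])  # constructed
    counters = {}
    kw = {"retry_limit": 3, "reset_on_success": reset_on_success}
    bad = [run_journey(store, counters, "alpha", "alice", "wrong", **kw) for _ in range(3)]
    status_locked = store.find("alpha", "alice").status
    account_lockout_node({"username": "alice", "realm": "alpha"}, store, "UNLOCK")
    good = run_journey(store, counters, "alpha", "alice", "correct-horse", **kw)
    typo = run_journey(store, counters, "alpha", "alice", "wrong", **kw)
    return {"bad": bad, "status_locked": status_locked, "good": good,
            "typo": typo, "status_end": store.find("alpha", "alice").status}


if __name__ == "__main__":
    print(demo(reset_on_success=False))
    print(demo(reset_on_success=True))
```

Running demo(False) shows the trap: after the administrative unlock and one successful login, a single mistyped password locks the account again because the three earlier failures were never cleared. With demo(True) the same typo only yields a retry. The model also reproduces the three "Could not ..." errors from the table above when the shared state lacks a username or realm or names an identity the store cannot find.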

Copyright © 2010-2024 ForgeRock, all rights reserved.