--- title: Account Lockout node description: The Account Lockout node locks or unlocks the authenticating user's account profile. component: auth-node-ref version: latest page_id: auth-node-ref::account-lockout canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/account-lockout.html keywords: ["Nodes & Trees", "Journeys", "Accounts", "User Profiles", "Authentication"] page_aliases: ["auth-node-account-lockout.adoc"] superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/account-lockout.html section_ids: example: Example availability: Availability inputs: Inputs dependencies: Dependencies configuration: Configuration outputs: Outputs outcomes: Outcomes errors: Errors --- # Account Lockout node The Account Lockout node locks or unlocks the authenticating user's account profile. The node also determines whether the account has been locked through both persistent (physical) lockout and duration lockout. Find more information in [Account lockout](https://docs.pingidentity.com/pingoneaic/am-authentication/auth-nodes-and-journeys.html#account-lockout-trees). | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can also use the [Account Active Decision node](account-active-decision.html) to check whether the account is locked at any point in the journey. | ## Example The following simple example uses this node with the [Retry Limit Decision node](retry-limit-decision.html) to lock an account after the set number of invalid attempts: ![Lock an account after too many authentication failures](_images/retry-limit-decision-journey.png) The [Retry Limit Decision node](retry-limit-decision.html) Retry limit (default: 3) defines the number of failed attempts before lockout. Before using a journey like this in deployment, adapt it to reset the retry count on successful authentication. ## Availability | Product | Available? | | ------------------------------------- | ---------- | | PingOne Advanced Identity Cloud | Yes | | PingAM (self-managed) | Yes | | Ping Identity Platform (self-managed) | Yes | ## Inputs This node requires the `username` property in the incoming node state. It uses this information to access the account status in the user profile. It also requires the `realm` property, which the product using this node sets by default. ## Dependencies This node depends on the underlying identity service that stores the user profile. ## Configuration | Property | Usage | | ----------- | ------------------------------------------------------------------------------- | | Lock Action | Choose whether to `LOCK` or `UNLOCK` the authenticating user's account profile. | ## Outputs This node doesn't change the shared state. ## Outcomes Single outcome path; the node updates the account status according to the configured Lock Action: * `LOCK` The account is inactive and the user cannot authenticate. * `UNLOCK` The account is active and the user can authenticate. ## Errors If this node fails to set the account status, it logs a `failed to set the user status inactive` warning. This node can also throw exceptions with the following messages: | Message | Notes | | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | | `Could not get a valid username from the context` | Failed to read the `username` from the shared node state | | `Could not get a valid realm from the context` | Failed to read the `realm` from the shared node state | | `Could not find the identity based on the information available on context` | Failed to find the account profile with this `username` in this `realm` | | `An error occurred when trying to lock out the user account` | Failed to update the account status; applies when locking and unlocking the account |