Limit date and time for login

This document describes how to limit the date and time allowed for login.

The reader of this document should have some basic knowledge about PhenixID Server.

We will make changes to phenix-store.json, so make sure to have a recent copy/backup of this file.

System requirements

PhenixID Server installed.

Overview

The example configuration in this document shows how PhenixID Server can deny login based on date and time.
This type of configuration can be used when a login should only be allowed until a specific date and time.

PhenixID Server is not able to end a session that has already been created during a successful login, since by then the communication has passed from PhenixID Server to the application secured with 2FA.

Instead, we can read the current date/time in the flow and compare it with the value of an attribute on the account logging in, to decide whether the account should be allowed.

Example below is made against Microsoft Active Directory.
The attribute used in this example is 'msTSExpireDate'.

When the configuration is done, make sure to test the login thoroughly, making sure that only allowed accounts can login.

Configuration example

Three valves need to be added to the flow:
ItemCreateValve
PropertyAddDateTimeValve
ItemRemoveValve

Login to the configuration portal and locate the scenario that you want to modify.
Now go to "Execution Flow" and add them accordingly:

To set the parameter 'tz' on 'PropertyAddDateTimeValve', after the changes have been made in the flow (and saved), click the tab 'Advanced', then click the pencil next to 'Pipe valves'. Add the desired value, as in this example:

{
    "id": "8fe3529d-91f5-4576-89e7-10c94e1c60c2",
    "name": "PropertyAddDateTimeValve",
    "enabled": "true",
    "config": {
        "proceed_on_error": "false",
        "name": "date",
        "format": "yyyyMMddHHmmss",
        "tz": "CET"
    }
}

More information about 'PropertyAddDateTimeValve':

PropertyAddDateTimeValve

After the valves have been added, press 'Save'.

The flow should now look similar to this:

Example, LDAPSearchValve

{
    "name": "LDAPSearchValve",
    "enabled": "true",
    "config": {
        "connection_ref": "fe37eb47-8738-4bff-ae9f-f9066a0a431f",
        "base_dn": "DC=company,DC=local",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "(&(samAccountName={{request.User-Name}})(msTSExpireDate>={{item.date}}.000Z))",
        "attributes": "mobile"
    }
}

So in this example, the value of msTSExpireDate must be equal to or higher than the current time, which is picked up in the flow from 'item.date'. An account where the attribute is not set will not match the filter at all, and is therefore denied.
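To see what the two valves above produce and how the filter decides, here is an added Python example (not part of the PhenixID configuration or product code) that mimics the item.date rendering of PropertyAddDateTimeValve and evaluates the LDAPSearchValve filter against a constructed set of accounts. The accounts, login time and mobile numbers are made up, and 'tz': 'CET' is modelled as a fixed UTC+1 offset.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample directory (not from the original page): sAMAccountName -> attributes.
ACCOUNTS = {
    "alice": {"msTSExpireDate": "20991231235959.0Z", "mobile": "+46700000001"},
    "bob":   {"msTSExpireDate": "20200101000000.0Z", "mobile": "+46700000002"},
    "carol": {"mobile": "+46700000003"},  # attribute not set: the filter cannot match
    "dave":  {"msTSExpireDate": "20240315100000.0Z", "mobile": "+46700000004"},
}

FILTER_TEMPLATE = "(&(samAccountName={{request.User-Name}})(msTSExpireDate>={{item.date}}.000Z))"

# 'tz': 'CET' modelled as a fixed UTC+1 offset (standard time only; the server also applies DST).
CET_STANDARD = timezone(timedelta(hours=1))


def render_item_date(now: datetime, tz=CET_STANDARD, fmt: str = "%Y%m%d%H%M%S") -> str:
    """What PropertyAddDateTimeValve stores in item.date: 'now' rendered in tz as yyyyMMddHHmmss."""
    return now.astimezone(tz).strftime(fmt)


def render_filter(user_name: str, item_date: str) -> str:
    """Substitute the two template variables the way the filter_template of LDAPSearchValve does."""
    return FILTER_TEMPLATE.replace("{{request.User-Name}}", user_name).replace("{{item.date}}", item_date)


def parse_generalized_time(value: str) -> datetime:
    """AD GeneralizedTime is YYYYMMDDHHMMSS[.fraction]Z, always UTC; the fraction is ignored here."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def login_allowed(user_name: str, item_date: str, accounts=ACCOUNTS) -> bool:
    """Evaluate (&(samAccountName=...)(msTSExpireDate>=...)) for one account.
    An account without msTSExpireDate never satisfies the >= assertion, so it is denied."""
    attrs = accounts.get(user_name)  # sAMAccountName is case-insensitive in AD; kept exact here
    if attrs is None or "msTSExpireDate" not in attrs:
        return False
    assertion = parse_generalized_time(item_date + ".000Z")
    return parse_generalized_time(attrs["msTSExpireDate"]) >= assertion


if __name__ == "__main__":
    now = datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc)  # constructed login time
    item_date = render_item_date(now)                          # "20240315103000" in CET
    print(render_filter("alice", item_date))
    for user in ACCOUNTS:
        print(user, "allowed" if login_allowed(user, item_date) else "denied")
    # dave's expiry (10:00 UTC) is still 30 minutes away, yet he is denied: item.date was rendered
    # in CET and then compared as if it were UTC, so the window shifts by the zone offset.
```

Because AD stores msTSExpireDate as GeneralizedTime in UTC (the trailing Z), the 'tz' chosen for PropertyAddDateTimeValve shifts the effective cut-off by that zone's offset, as the 'dave' account illustrates; check this against your own requirements when testing the login.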