Restricting Login by Date and Time
Overview
PhenixID Server can restrict when a user is allowed to log in. By validating each login attempt against the current date and time, using an attribute stored on the account, you can limit access to a defined time window or grant temporary, conditional access to specific accounts.
This approach is suitable when:
- Access should only be possible until a given date and time.
- Temporary or conditional access is required for specific accounts.
The restriction is enforced at the login stage only: PhenixID Server cannot terminate a session once it has been established, so a session or token issued before the expiry time remains valid until it expires on its own. The example below shows how to configure this using Microsoft Active Directory and the msTSExpireDate attribute.
The msTSExpireDate attribute in Active Directory defines the date and time at which a user's access expires. It was originally introduced for Terminal Services / Remote Desktop Services (RDS), but it is part of the default schema, so no schema extension is needed. The value is an LDAP Generalized-Time string in UTC, yyyyMMddHHmmss.0Z, for example 20241115235959.0Z for November 15, 2024 at 23:59:59 UTC.
Because the directory compares Generalized-Time values as points in time rather than as plain strings, an LDAP filter can use >= against the attribute. That is what makes it suitable for temporary access and login restrictions enforced by PhenixID Server at authentication time.
Configuration Steps
To implement this functionality, add three valves to your flow and give the LDAPSearchValve the filter shown in Step 3:
- ItemCreateValve
- PropertyAddDateTimeValve
- ItemRemoveValve
Step 1: Modify the Execution Flow
- Log in to the PhenixID configuration portal.
- Locate the scenario you want to modify.
- Navigate to the "Execution Flow" section and add the valves listed above.
Step 2: Configure the PropertyAddDateTimeValve
Add a PropertyAddDateTimeValve and configure it with the following settings. The valve writes the current time to the property date on the item created by the ItemCreateValve. The time zone must be UTC: msTSExpireDate is stored in UTC and the filter in Step 3 appends a Z suffix to the generated value, so a local zone such as CET would shift the cutoff by the zone offset (one or two hours) and deny or allow logins at the wrong time.
```json
{
"name": "PropertyAddDateTimeValve",
"enabled": "true",
"config": {
"proceed_on_error": "false",
"name": "date",
"format": "yyyyMMddHHmmss",
"tz": "UTC"
}
}
```
Step 3: Configure the LDAPSearchValve
Configure the LDAPSearchValve (add one if the flow does not already have it) to enforce the restriction by including the date comparison in the search filter:
```json
{
"name": "LDAPSearchValve",
"enabled": "true",
"config": {
"connection_ref": "fe37eb47-8738-4bff-ae9f-f9066a0a431f",
"base_dn": "DC=company,DC=local",
"scope": "SUB",
"size_limit": "0",
"filter_template": "(&(samAccountName={{request.User-Name}})(msTSExpireDate>={{item.date}}.000Z))",
"attributes": "mobile"
}
}
```
A user whose msTSExpireDate is unset or in the past does not match the filter, so no account is returned and the login fails. If accounts without the attribute should still be able to log in, replace the second clause with (|(!(msTSExpireDate=*))(msTSExpireDate>={{item.date}}.000Z)). The username is taken directly from the request, so verify that your scenario escapes it according to RFC 4515 before it is substituted into filter_template; otherwise a crafted username can change the meaning of the filter.
Step 4: Save the Configuration
After making the changes, click "Save." The flow should now include the configured valves in sequence.
Step 5: Finalize with an Example Pipe Configuration
Here is an example of a complete pipe configuration for a username/password scenario, with the LDAPBindValve performing the password validation. Note that the LDAPSearchValve reads the username from request.User-Name while the LDAPBindValve reads it from the username parameter; both must refer to the parameter your scenario actually delivers.
```json
{
"id": "example-pipe-id",
"name": "RestrictLoginByDateTime",
"description": "Restricts login based on date and time",
"valves": [
{
"name": "ItemCreateValve",
"enabled": "true",
"config": {
"dest_id": "placeholder"
}
},
{
"name": "PropertyAddDateTimeValve",
"enabled": "true",
"config": {
"proceed_on_error": "false",
"name": "date",
"format": "yyyyMMddHHmmss",
"tz": "UTC"
}
},
{
"name": "LDAPSearchValve",
"enabled": "true",
"config": {
"connection_ref": "<change_to_your_connection_ref>",
"base_dn": "DC=company,DC=local",
"scope": "SUB",
"size_limit": "0",
"filter_template": "(&(samAccountName={{request.User-Name}})(msTSExpireDate>={{item.date}}.000Z))",
"attributes": "mobile"
}
},
{
"name": "LDAPBindValve",
"enabled": "true",
"config": {
"connection_ref": "<change_to_your_connection_ref>",
"password_param_name": "password",
"userid_param_name": "username"
}
},
{
"name": "ItemRemoveValve",
"enabled": "true",
"config": {
"item_include_expr": "item.id === ('placeholder')"
}
}
]
}
```
The ItemRemoveValve at the end removes the placeholder item again, so that only the account item returned by the LDAPSearchValve remains in the flow.
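To check the filter semantics offline before touching a directory, the following Python script (an added example, not PhenixID code) models the rendered filter_template against a small constructed in-memory directory. It shows why the PropertyAddDateTimeValve must run in UTC, that an unset msTSExpireDate never matches, and what RFC 4515 escaping of the username looks like. The names build_filter, evaluate_filter, item_date, SAMPLE_USERS, NOW_EXAMPLE and CET_WINTER are this example's own assumptions; CET_WINTER is a fixed +01:00 offset standing in for "tz": "CET" in November, and the accounts are constructed test data.

```python
"""Added example, not PhenixID code: models the filter this page builds,
(&(sAMAccountName=...)(msTSExpireDate>={{item.date}}.000Z)), against a
constructed in-memory directory so its behaviour can be checked offline.
All names here are the example's own assumptions."""
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%S"  # yyyyMMddHHmmss, the PropertyAddDateTimeValve format
# Fixed +01:00 offset standing in for "tz": "CET" during November (no DST).
CET_WINTER = timezone(timedelta(hours=1), "CET")
# Constructed point in time: 30 minutes before alice's expiry below.
NOW_EXAMPLE = datetime(2024, 11, 15, 23, 30, tzinfo=timezone.utc)

# Constructed test accounts; msTSExpireDate uses AD Generalized-Time (UTC).
SAMPLE_USERS = {
    "alice": {"msTSExpireDate": "20241115235959.0Z"},  # valid until 15 Nov 2024 23:59:59Z
    "bob": {"msTSExpireDate": "20240101000000.0Z"},    # already expired
    "carol": {},                                       # attribute never set
}


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a request value placed inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def item_date(now: datetime, tz=timezone.utc) -> str:
    """What PropertyAddDateTimeValve writes to item.date for format yyyyMMddHHmmss in zone tz."""
    return now.astimezone(tz).strftime(GT_FMT)


def build_filter(username: str, now: datetime, tz=timezone.utc) -> str:
    """Render the page's filter_template with the username escaped."""
    return "(&(sAMAccountName=%s)(msTSExpireDate>=%s.000Z))" % (
        escape_ldap_value(username),
        item_date(now, tz),
    )


def parse_generalized_time(value: str) -> datetime:
    """Parse yyyyMMddHHmmss[.fff]Z into an aware UTC datetime; the directory
    compares Generalized-Time values as instants, not as strings."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC Generalized-Time value: %r" % value)
    return datetime.strptime(value[:14], GT_FMT).replace(tzinfo=timezone.utc)


def evaluate_filter(username: str, now: datetime, tz=timezone.utc, users=SAMPLE_USERS) -> bool:
    """Emulate the directory evaluating the filter for one account: the entry must
    exist, msTSExpireDate must be present, and expiry >= the generated cutoff."""
    entry = users.get(username)
    if entry is None or "msTSExpireDate" not in entry:
        return False  # an absent attribute never satisfies >=, so the login is denied
    expires = parse_generalized_time(entry["msTSExpireDate"])
    cutoff = parse_generalized_time(item_date(now, tz) + ".000Z")
    return expires >= cutoff


if __name__ == "__main__":
    print(build_filter("ali(ce)*", NOW_EXAMPLE))
    for name in SAMPLE_USERS:
        print(name, "UTC:", evaluate_filter(name, NOW_EXAMPLE),
              "CET:", evaluate_filter(name, NOW_EXAMPLE, CET_WINTER))
```

Compare the two columns for alice: with the valve in UTC the cutoff is 20241115233000 and she is allowed; with the CET-labelled value the cutoff becomes 20241116003000, half an hour after her expiry, so she is denied while still inside her allowed window. bob (expired) and carol (attribute unset) are denied in both cases.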
Verification Steps
Once the configuration is complete, test it as follows:
Test login during the allowed time
- Set the msTSExpireDate attribute of a test user to a future date and time (in UTC).
- Attempt to log in as the test user.
- Confirm that the login succeeds.
Test login outside the allowed time
- Set the msTSExpireDate attribute of the test user to a past date and time (in UTC).
- Attempt to log in as the test user.
- Confirm that the login is denied.
Also test an account with no msTSExpireDate value to confirm that the filter behaves as you intend for users without an expiry.
By completing these steps, you can ensure your configuration is working as intended and is ready for deployment.