Augment XMLAccessControl for time based access control.
Basics
Technical
Logistics
Basics
Technical
Logistics
Description
Two pieces 1. Augment XMLAccessControl to allow for time of day access control. This would allow for access control based upon the time of day, local to the server, eg 06:00-20:00 hours. 2. Augment XMLAccessControl to allow for comparison against logon time of user on IdP. This may need more investigation of how to expose from IdP. This would allow for a hard timeout of 8 hours after logon from IdP.
The first is more concrete and more of a priority. Looking for possible suggestions on the second as it is a desired setting from a security department.
<AccessControlProvider type="Time" operator="AND|OR"> <TimeSinceAuthn>PT1H</TimeSinceAuthn> <Time> LT|LE|EQ|GE|GT ISO </Time> <Year> LT|LE|EQ|GE|GT nn </Year> <Month> LT|LE|EQ|GE|GT nn </Month> <Day> LT|LE|EQ|GE|GT nn </Day> <Hour> LT|LE|EQ|GE|GT nn </Hour> <Minute> LT|LE|EQ|GE|GT nn </Minute> <Second> LT|LE|EQ|GE|GT nn </Second> <DayOfWeek> LT|LE|EQ|GE|GT 0-6 </DayOfWeek> </AccessControlProvider>
Scott Cantor November 16, 2010 at 5:07 PM
The second overlaps to some degree with SSPCPP-120, but it's a bit more tractable to do something that doesn't try to initiate a new session. I think maxTimeSinceAuthn meets the main security requirement in any case, but in all cases, you're at the mercy of what the IdP tells you the time of authentication is.
As I said on the call, it isn't practical to augment the XML plugin. I reserved no rule names other than what I did originally, so I can't use anything for this purpose. It would have to be done as a new plugin or plugins for a future release, or nothing is stopping anybody from doing an extension now.
Two pieces
1. Augment XMLAccessControl to allow for time of day access control. This would allow for access control based upon the time of day, local to the server, eg 06:00-20:00 hours.
2. Augment XMLAccessControl to allow for comparison against logon time of user on IdP. This may need more investigation of how to expose from IdP. This would allow for a hard timeout of 8 hours after logon from IdP.
The first is more concrete and more of a priority. Looking for possible suggestions on the second as it is a desired setting from a security department.