Augment XMLAccessControl for time based access control.

Description

Two pieces
1. Augment XMLAccessControl to allow for time-of-day access control. This would allow for access control based upon the time of day, local to the server, e.g. 06:00-20:00 hours.
2. Augment XMLAccessControl to allow for comparison against the logon time of the user on the IdP. This may need more investigation of how to expose it from the IdP. This would allow for a hard timeout of 8 hours after logon at the IdP.

The first is more concrete and more of a priority. Looking for possible suggestions on the second as it is a desired setting from a security department.

Environment

None

Activity

Scott Cantor May 24, 2012 at 11:34 PM

Closing with documentation added.

Scott Cantor May 24, 2012 at 4:09 PM

Scott Cantor May 24, 2012 at 3:41 AM

Playing with this syntax:

<AccessControlProvider type="Time" operator="AND|OR">
<TimeSinceAuthn>PT1H</TimeSinceAuthn>
<Time> LT|LE|EQ|GE|GT ISO </Time>
<Year> LT|LE|EQ|GE|GT nn </Year>
<Month> LT|LE|EQ|GE|GT nn </Month>
<Day> LT|LE|EQ|GE|GT nn </Day>
<Hour> LT|LE|EQ|GE|GT nn </Hour>
<Minute> LT|LE|EQ|GE|GT nn </Minute>
<Second> LT|LE|EQ|GE|GT nn </Second>
<DayOfWeek> LT|LE|EQ|GE|GT 0-6 </DayOfWeek>
</AccessControlProvider>
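
An added example, not Shibboleth SP code and not part of this issue: a small Python evaluator for the rule syntax sketched above, so the semantics can be exercised against sample times. It assumes the ISO duration is in the PTnHnMnS form, that DayOfWeek uses 0 = Sunday, and that an empty rule denies; the constructed rule combines the two requirements from the description (06:00-20:00 local time and a hard 8-hour limit since IdP logon).

```python
# Evaluator for the proposed <AccessControlProvider type="Time"> syntax.
# Added example, not Shibboleth SP code; PTnHnMnS-only durations and
# DayOfWeek 0 = Sunday are assumptions, not something the issue specifies.
import re
import operator
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

OPS = {"LT": operator.lt, "LE": operator.le, "EQ": operator.eq,
       "GE": operator.ge, "GT": operator.gt}

def parse_duration(text):
    """Parse PT#H#M#S (the form used in the comment, e.g. PT1H) to a timedelta."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m:
        raise ValueError("unsupported duration: " + text)
    h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)

def evaluate(xml_text, now, authn_time):
    """True if the rule grants access at 'now' (server-local) for a session whose
    IdP-asserted authentication instant is 'authn_time' (datetimes or ISO strings)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    authn_time = datetime.fromisoformat(authn_time) if isinstance(authn_time, str) else authn_time
    root = ET.fromstring(xml_text)
    fields = {"Year": now.year, "Month": now.month, "Day": now.day,
              "Hour": now.hour, "Minute": now.minute, "Second": now.second,
              "DayOfWeek": (now.weekday() + 1) % 7}  # 0 = Sunday ... 6 = Saturday
    results = []
    for child in root:
        if child.tag == "TimeSinceAuthn":
            # Hard timeout measured from whatever authn instant the IdP reported.
            results.append(now - authn_time <= parse_duration(child.text))
            continue
        op, value = child.text.split()
        if child.tag == "Time":
            results.append(OPS[op](now, datetime.fromisoformat(value)))
        else:
            results.append(OPS[op](fields[child.tag], int(value)))
    if not results:
        return False  # deny by default: an empty rule must not grant access
    return all(results) if root.get("operator", "AND") == "AND" else any(results)

# Constructed rule: 06:00-20:00 local time AND at most 8 hours since IdP logon,
# the two requirements from the issue description.
BUSINESS_HOURS_RULE = """<AccessControlProvider type="Time" operator="AND">
  <TimeSinceAuthn>PT8H</TimeSinceAuthn>
  <Hour>GE 6</Hour>
  <Hour>LT 20</Hour>
</AccessControlProvider>"""
```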

Scott Cantor November 16, 2010 at 5:07 PM

The second overlaps to some degree with SSPCPP-120, but it's a bit more tractable to do something that doesn't try to initiate a new session. I think maxTimeSinceAuthn meets the main security requirement in any case, but in all cases, you're at the mercy of what the IdP tells you the time of authentication is.

As I said on the call, it isn't practical to augment the XML plugin. I reserved no rule names other than what I did originally, so I can't use anything for this purpose. It would have to be done as a new plugin or plugins for a future release, or nothing is stopping anybody from doing an extension now.

Fixed

Created November 16, 2010 at 4:10 PM
Updated June 24, 2021 at 3:41 PM
Resolved May 24, 2012 at 4:09 PM