Okta Identity Engine | Workflows | Answered | 2025-01-27T22:44:56.000Z | 2025-01-23T14:43:11.000Z | 2025-01-27T22:44:56.000Z

JoshuaS.52230 (Customer) asked a question.

Help understanding time cutoff in the default inactivity workflow

In the default Inactive user workflow there is a Continue If statement that allows the flow to continue if the Last Login is less than the inactivity cut-off date. What I can't wrap my head around is why that is less than rather than greater than and the fact that the last login is in date format and the cutoff is just a number value. How is it comparing the number to the date? If the last login is less than the cutoff date wouldn't that mean the user has logged in since the cutoff date and would thus be considered active? I mean the whole thing works but it's hurting my brain.

 

  • MatthewH.10249 (State of Iowa)

    As the "Note" card proceeding the "Branching - Continue If" mentions, if the "Last Login" value is older than the "inactivityCutoffDate" then proceed meaning that the account is inactive since they have not logged in for some larger than expected time.

     

    If you press the "run this card" play button found in the bottom left of the "Branching - Continue If" card and put in the following values it might help you understand what it is doing.

     

    This represents an active user:

    value a = 2025-01-23T19:26:59.425Z

    >

    value b = 2024-12-23T19:26:59.425Z

    otherwise message = Active

    <<<<RESULT message = Active>>>>

     

    This represents an inactive user:

    value a = 2025-01-23T19:26:59.425Z

    >

    value b = 2024-12-23T19:26:59.425Z

    otherwise message = Active

    <<<<RESULT message = **blank**>>>>

     

    Don't forget what year you are dealing with as this can add some confusion if you are testing crossing the end of a year.

    • JoshuaS.52230 (Customer)

      Part of the logic is that it is < not > in the template as shown above. What you represented is > and what I would assume would make more sense, but that doesn't appear to work. After doing some more testing I believe I have the answer. The less than < works because if the last login is a greater number in the past it is considered "less than" the cutoff value. So it's like a timeline or number line where the dates in the past, the farther away they are, the greater in value but the "less" they are in value relative to the cutoff number. So -14 is less than -9, for example, so if someone logged in -14 days ago that is less than -9 days ago. Took me a while to grok this but hope it makes sense. I liked your logic but in this case you have to use less than.

  • JoshuaS.52230 (Customer)

    After doing some more testing I believe I have the answer. The less than < works because if the last login is a greater number in the past it is considered "less than" the cutoff value. So it's like a timeline or number line where the dates in the past, the farther away they are, the greater in value but the "less" they are in value relative to the cutoff number. So -14 is less than -9, for example, so if someone logged in -14 days ago that is less than -9 days ago.

  • TimL.58332 (Workflows)

    @JoshuaS.52230 (Customer) -- I am not very familiar with the template you are reviewing. However, depending on your environment's configuration you also have to consider that the top-level attribute lastLogin is only updated on user.session.start being successful. And this only occurs when a user logs in directly through Okta.

     

    Take a look at the following:

     

    https://support.okta.com/help/s/article/Howto-Properly-Identify-Inactive-Users-Using-Okta-Workflows-For-IdP-or-SP-Initiated-Login?language=en_US

     

    If you have a mix of IdP/SP-initiated logins you essentially need to create your own custom attribute & populate it to have an accurate understanding of activity.

This question is closed.
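
The comparison discussed in this thread, as an added Python example that is not part of any post and is not the Okta template's own logic: timestamps become positions on a number line, so "last login < cutoff" means "older than the cutoff". It assumes the cutoff is held as Unix epoch seconds, a 30-day window, and a hypothetical custom attribute (`last_activity`) for activity that does not update `lastLogin`; all sample values are constructed.

```python
from datetime import datetime, timedelta

def parse_iso(ts):
    """Parse an ISO 8601 UTC timestamp (e.g. 2025-01-23T19:26:59.425Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def cutoff_epoch(now_iso, inactivity_days):
    """Cutoff as a plain number: epoch seconds of (now - N days)."""
    return (parse_iso(now_iso) - timedelta(days=inactivity_days)).timestamp()

def classify(last_login, cutoff, last_activity=None):
    """Continue-If style check on the most recent known activity.

    last_login    -- value of the lastLogin attribute, or None
    last_activity -- hypothetical custom attribute (assumption), or None
    """
    stamps = [parse_iso(t).timestamp() for t in (last_login, last_activity) if t]
    if not stamps:
        # No recorded login at all: report separately so new accounts
        # are reviewed rather than silently treated as inactive.
        return "never_logged_in"
    # Older dates are smaller numbers, so "<" selects stale accounts.
    return "inactive" if max(stamps) < cutoff else "active"

# Constructed sample data (not from the thread's tenant).
NOW = "2025-01-23T19:26:59.425Z"
CUTOFF = cutoff_epoch(NOW, 30)  # corresponds to 2024-12-24T19:26:59.425Z
USERS = [
    {"login": "alice", "lastLogin": "2025-01-20T08:00:00.000Z"},
    {"login": "bob", "lastLogin": "2024-12-09T08:00:00.000Z"},
    {"login": "carol", "lastLogin": "2024-12-09T08:00:00.000Z",
     "last_activity": "2025-01-15T08:00:00.000Z"},
    {"login": "dave", "lastLogin": None},
]

def report(users, cutoff):
    """Map each login name to its classification."""
    return {u["login"]: classify(u["lastLogin"], cutoff, u.get("last_activity"))
            for u in users}

if __name__ == "__main__":
    for name, state in report(USERS, CUTOFF).items():
        print(f"{name}: {state}")
```
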