config/install/role_expire.config.yml

 role_expire_default_roles: '{"administrator":"0","uw_role_site_owner":"0","uw_role_site_manager":"0","uw_role_content_author":"0","uw_role_content_editor":"0","uw_role_form_editor":"0","uw_role_form_results_access":"0","uw_role_private_content_viewer":"0"}'
 role_expire_disabled_roles: '{"administrator":0,"uw_role_site_owner":0,"uw_role_site_manager":0,"uw_role_content_author":0,"uw_role_content_editor":0,"uw_role_form_editor":0,"uw_role_form_results_access":0,"uw_role_private_content_viewer":0}'
-role_expire_default_duration_roles: {  }
+role_expire_default_duration_roles:
+  administrator: '1 day'

uw_sites_all.install

@@ -99,6 +99,21 @@ function uw_sites_all_install() {
   \Drupal::database()->update('users_field_data')
     ->fields(['preferred_admin_langcode' => 'en'])
     ->execute();
+
+  // Get the config factory.
+  $config_factory = \Drupal::service('config.factory');
+
+  // Load the role_expire settings.
+  $config = $config_factory->getEditable('role_expire.config');
+
+  // Get role_expire_default_duration_roles.
+  $data = $config->get('role_expire_default_duration_roles');
+
+  // Set role_expire_default_duration_roles administrator to 1 day.
+  $data['administrator'] = '1 day';
+
+  // Save the change.
+  $config->set('role_expire_default_duration_roles', $data)->save();
 }
 
 /**
@@ -2039,3 +2054,50 @@ function uw_sites_all_update_9166(&$sandbox) {
 function uw_sites_all_update_9167(&$sandbox) {
   \Drupal::service('module_installer')->install(['pantheon_advanced_page_cache']);
 }
+
+/**
+ * Set 1 day expire for the existing Administrator users.
+ */
+function uw_sites_all_update_9168(&$sandbox) {
+
+  // Get the config factory.
+  $config_factory = \Drupal::service('config.factory');
+
+  // Load the role_expire settings.
+  $config = $config_factory->getEditable('role_expire.config');
+
+  // Get role_expire_default_duration_roles.
+  $data = $config->get('role_expire_default_duration_roles');
+
+  // Set role_expire_default_duration_roles administrator to 1 day.
+  $data['administrator'] = '1 day';
+
+  // Save the change.
+  $config->set('role_expire_default_duration_roles', $data)->save();
+  // Load all users with the administrator role.
+  $user_storage = \Drupal::entityTypeManager()->getStorage('user');
+  $query = $user_storage->getQuery()
+    ->condition('roles', 'administrator')
+    ->condition('mail', 'wcmsadmin@uwaterloo.ca', '<>');
+
+  $uids = $query->execute();
+  $users = $user_storage->loadMultiple($uids);
+
+  // Get the role expire API.
+  $role_expire = \Drupal::service('role_expire.api');
+
+  // Add the expiry to each account.
+  foreach ($users as $account) {
+    $role_expire->writeRecord(
+      $account->id(),
+      'administrator',
+      strtotime('+1 day')
+    );
+  }
+
+/**
+ * Installing views_tree module.
+ */
+function uw_sites_all_update_9169(&$sandbox) {
+  \Drupal::service('module_installer')->install(['views_tree']);
+}

uw_sites_all.module

@@ -7,6 +7,7 @@
 
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\menu_link_content\Entity\MenuLinkContent;
+use Drupal\user\Entity\User;
 use Drupal\webform\WebformInterface;
 
 /**
@@ -159,3 +160,36 @@ function uw_sites_all_preprocess_input(&$variables) {
     $variables['attributes']['alt'] = t('Add');
   }
 }
+
+/**
+ * Implements hook_user_login().
+ */
+function uw_sites_all_user_login(User $account) {
+
+  // Get the SimpleSAMLphp attributes.
+  $auth_manager = \Drupal::service('simplesamlphp_auth.manager');
+  $saml_attributes = $auth_manager->getAttributes();
+
+  // Check if the group does not have the administrator role.
+  if (isset($saml_attributes['http://schemas.xmlsoap.org/claims/Group']) &&
+    in_array('ist-WCMS Admins', $saml_attributes['http://schemas.xmlsoap.org/claims/Group']) &&
+    !$account->hasRole('administrator')) {
+
+    // Add the administrator role to the user.
+    $account->addRole('administrator');
+    $account->save();
+  }
+
+  // Check if the user has the administrator role.
+  if ($account->hasRole('administrator') && $account->getEmail() !== 'wcmsadmin@uwaterloo.ca') {
+    // Get the role expire API.
+    $role_expire = \Drupal::service('role_expire.api');
+
+    // Add the expiry to the account.
+    $role_expire->writeRecord(
+      $account->id(),
+      'administrator',
+      strtotime('+1 day')
+    );
+  }
+}