[eduVPN-deploy] Longer credential validity for a certain profile
François Kooman
fkooman at deic.dk
Wed Aug 10 08:47:46 CEST 2022
Hello Muhammad,
Unfortunately that is not currently possible. The reason for this is
that the "sessionExpiry" configuration option is used for a number of
things:
- How long a configuration downloaded through the portal is valid;
- How long the OAuth session (between app and server) is valid;
- And thus how long the VPN can be used through the app without
re-authorizing.
The OAuth session MUST be valid just as long, and as that is independent
of the profile the user may or may not use, it can't know before what
the expiry should be.
It is not exactly clear (to me) how to change the current architecture
to make this possible in a coherent way that is not a quick hack that
doesn't actually work if you think more about it.
However, what *would* be possible to implement, and is already done for
_authorizations_, i.e. which *user* has access to which profile(s), is
to dynamically set the "sessionExpiry" based on some user attribute and
thus set it per user. The default could be 90 days, but users with SAML
or LDAP attribute X set to value Y would get a different "sessionExpiry".
Regards,
François
On 10.08.22 01:39, Muhammad Farhan SJAUGI via eduVPN-deploy wrote:
> Hi,
>
> I am wondering whether it is possible to have a profile with longer
> credential validity compared with the others? For example:
>
> - Profile A has default credential validity of 90 days
> - Profile B has default credential validity of 180 days
>
> Regards
>
> --
> *Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.*
> *VP (Engineering and Services)*
> SIFULAN Malaysian Access Federation
> Email: farhan at sifulan.my | Website: https://www.sifulan.my
> PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C
> MBOT: GT20040131 | ORCID: https://orcid.org/0000-0001-8497-1768
>
>
> _______________________________________________
> eduVPN-deploy mailing list
> eduVPN-deploy at list.surfnet.nl
> https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
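
A sketch of the per-user approach described in the reply, as an added example that is not part of the original e-mail and is not eduVPN code: the expiry is resolved from user attributes when the OAuth session is created, and every profile's configuration inherits it. The function names, the rule table, the entitlement value and the shortest-match-wins tie-break are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_EXPIRY = "P90D"  # the default named in the thread
# Hypothetical rule table: (attribute name, required value, sessionExpiry).
# The entitlement value is constructed for this example.
EXPIRY_RULES = [("eduPersonEntitlement", "urn:example:vpn:long-session", "P180D")]

def parse_duration(value):
    """Parse the day/hour subset of ISO 8601 durations, e.g. P90D or PT12H."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(\d+)H)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(days=int(m.group(1) or 0), hours=int(m.group(2) or 0))

def session_expiry_for(attributes, rules=EXPIRY_RULES, default=DEFAULT_EXPIRY):
    """Pick the expiry from user attributes only; no profile is known yet.

    attributes maps an attribute name to a list of values (SAML/LDAP style).
    """
    matched = [parse_duration(exp) for name, want, exp in rules
               if want in attributes.get(name, [])]
    # Assumption: when several rules match, the shortest lifetime wins.
    return min(matched) if matched else parse_duration(default)

def authorize(user_id, attributes, now):
    """Create the OAuth session; its expiry is fixed here, at authorization."""
    return {"user_id": user_id, "expires_at": now + session_expiry_for(attributes)}

def issue_config(session, profile_id, now):
    """Any profile's VPN configuration expires together with the session."""
    if now >= session["expires_at"]:
        raise PermissionError("session expired, re-authorization required")
    return {"profile_id": profile_id, "expires_at": session["expires_at"]}

if __name__ == "__main__":
    now = datetime(2022, 8, 10, tzinfo=timezone.utc)
    attrs = {"eduPersonEntitlement": ["urn:example:vpn:long-session"]}
    session = authorize("alice", attrs, now)
    for profile in ("profile-a", "profile-b"):
        print(profile, issue_config(session, profile, now)["expires_at"].isoformat())
```

Because `issue_config` takes its expiry from the session, both profiles end on the same date for a given user, which is the constraint the reply describes.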