[eduVPN-deploy] Longer credential validity for a certain profile

François Kooman fkooman at deic.dk
Wed Aug 10 08:47:46 CEST 2022


Hello Muhammad,

Unfortunately that is not currently possible. The reason for this is 
that the "sessionExpiry" configuration option is used for a number of 
things:

- How long a configuration downloaded through the portal is valid;
- How long the OAuth session (between app and server) is valid;
   - And thus how long the VPN can be used through the app without 
re-authorizing

The OAuth session MUST be valid just as long, and as that is independent 
of the profile the user may or may not use, it can't know beforehand what 
the expiry should be.

It is not exactly clear (to me) how to change the current architecture 
to make this possible in a coherent way that is not a quick hack that 
doesn't actually work if you think more about it.

However, what *would* be possible to implement, and is already done for 
_authorizations_, i.e. which *user* has access to which profile(s), is 
to dynamically set the "sessionExpiry" based on some user attribute and 
thus set it per user. The default could be 90 days, but users with SAML 
or LDAP attribute X set to value Y would get a different "sessionExpiry".

Regards,
François

On 10.08.22 01:39, Muhammad Farhan SJAUGI via eduVPN-deploy wrote:
> Hi,
> 
> I am wondering whether it is possible to have a profile with longer 
> credential validity compared with the others? For example:
> 
> - Profile A has default credential validity of 90 days
> - Profile B has default credential validity of 180 days
> 
> Regards
> 
> --
> *Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.*
> *VP (Engineering and Services)*
> SIFULAN Malaysian Access Federation
> Email: farhan at sifulan.my | Website: https://www.sifulan.my
> PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C
> MBOT: GT20040131 | ORCID: https://orcid.org/0000-0001-8497-1768
> 
> 


