[eduVPN-deploy] Longer credential validity for a certain profile

Muhammad Farhan SJAUGI farhan at sifulan.my
Thu Aug 11 09:27:39 CEST 2022


Hi François,

Thank you for the explanation. How can we set the sessionExpiry based on
some user attribute?

Actually, I would like to use a WireGuard credential generated by the
eduVPN portal for a mobile access point which will connect to a RADIUS
server internally.

I have tested this and it works well. However, the default sessionExpiry
that I set for my eduVPN setup is only for 90 days. It means I need to
re-generate the credential and reinstall it at the mobile access point.
So, if I could have a longer credential just for this mobile access point
use then that would be great. I could create a service account, and only
that service account can have access to a profile with a longer
sessionExpiry. Is this possible?

Regards

--
*Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.*

*VP (Engineering and Services)*
SIFULAN Malaysian Access Federation
Email: farhan at sifulan.my | Website: https://www.sifulan.my
PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C
MBOT: GT20040131 |  ORCID: https://orcid.org/0000-0001-8497-1768



On Wed, Aug 10, 2022 at 2:47 PM François Kooman <fkooman at deic.dk> wrote:

> Hello Muhammad,
>
> Unfortunately that is not currently possible. The reason for this is
> that the "sessionExpiry" configuration option is used for a number of
> things:
>
> - How long a configuration downloaded through the portal is valid;
> - How long the OAuth session (between app and server) is valid;
>    - And thus how long the VPN can be used through the app without
> re-authorizing
>
> The OAuth session MUST be valid just as long, and as that is independent
> of the profile the user may or may not use, it can't know before what
> the expiry should be.
>
> It is not exactly clear (to me) how to change the current architecture
> to make this possible in a coherent way that is not a quick hack that
> doesn't actually work if you think more about it.
>
> However, what *would* be possible to implement, and is already done for
> _authorizations_, i.e. which *user* has access to which profile(s), is
> to dynamically set the "sessionExpiry" based on some user attribute and
> thus set it per user. The default could be 90 days, but users with SAML
> or LDAP attribute X set to value Y would get a different "sessionExpiry".
>
> Regards,
> François
>
> On 10.08.22 01:39, Muhammad Farhan SJAUGI via eduVPN-deploy wrote:
> > Hi,
> >
> > I am wondering whether it is possible to have a profile with longer
> > credential validity compared with the others? For example:
> >
> > - Profile A has default credential validity of 90 days
> > - Profile B has default credential validity of 180 days
> >
> > Regards
> >
> > --
> > *Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.*
> > *VP (Engineering and Services)*
> > SIFULAN Malaysian Access Federation
> > Email: farhan at sifulan.my | Website: https://www.sifulan.my
> > PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C
> > MBOT: GT20040131 | ORCID: https://orcid.org/0000-0001-8497-1768
> >
> >
> > _______________________________________________
> > eduVPN-deploy mailing list
> > eduVPN-deploy at list.surfnet.nl
> > https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
>