<div dir="ltr">Hi François,<div><br></div><div>Thank you for the explanation. How can we set the sessionExpiry based on some user attribute?</div><div><br></div><div>Actually, I would like to use a wireguard credential generated by the eduVPN portal for a mobile access point which will connect to a RADIUS server internally.</div><div><br></div><div>I have tested this and it works well. However, the default sessionExpiry that I set for my eduVPN setup is only for 90 days. It means I need to re-generate the credential</div><div><br></div><div>and reinstall it at the mobile access point. So, if I could have a longer credential just for this mobile access point use then that would be great. I could create a service account</div><div><br></div><div>and only that service account can have access to a profile with a longer sessionExpiry. Is this possible?</div><div><br></div><div>Regards</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<div dir="ltr" style="color:rgb(80,0,80)"><font face="verdana, sans-serif" style="font-size:12.8px"><font color="#000000"><b>Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.</b></font></font></div><div dir="ltr"><font face="verdana, sans-serif" style="color:rgb(80,0,80);font-size:12.8px"><font color="#666666"><b>VP (Engineering and Services)<br></b></font></font><div style="font-size:12.8px"><font color="#666666" face="verdana, sans-serif">SIFULAN Malaysian Access Federation</font></div><div style="color:rgb(80,0,80);font-size:12.8px"><font color="#666666"><font face="verdana, sans-serif">Email: <a href="mailto:farhan@sifulan.my" target="_blank">farhan@sifulan.my</a> | </font></font><span style="color:rgb(102,102,102);font-family:verdana,sans-serif">Website: <a href="https://www.sifulan.my" target="_blank">https://www.sifulan.my</a></span></div><div style="color:rgb(80,0,80);font-size:12.8px"><font color="#666666"><font face="verdana, sans-serif">PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C</font></font></div><div style="color:rgb(80,0,80);font-size:12.8px"><font color="#666666"><font face="verdana, sans-serif">MBOT: GT20040131 | </font></font><font color="#666666"><font face="verdana, sans-serif">ORCID: </font></font><a href="https://orcid.org/0000-0001-8497-1768" target="_blank">https://orcid.org/0000-0001-8497-1768</a></div><div style="color:rgb(80,0,80);font-size:12.8px"><font color="#999999" style="font-size:small"><br></font></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 10, 2022 at 2:47 PM François Kooman <<a href="mailto:fkooman@deic.dk">fkooman@deic.dk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Muhammad,<br>
<br>
Unfortunately that is not currently possible. The reason for this is <br>
that the "sessionExpiry" configuration option is used for a number of <br>
things:<br>
<br>
- How long a configuration downloaded through the portal is valid;<br>
- How long the OAuth session (between app and server) is valid;<br>
- And thus how long the VPN can be used through the app without <br>
re-authorizing<br>
<br>
The OAuth session MUST be valid just as long, and as that is independent <br>
of the profile the user may or may not use, it can't know before what <br>
the expiry should be.<br>
<br>
It is not exactly clear (to me) how to change the current architecture <br>
to make this possible in a coherent way that is not a quick hack that <br>
doesn't actually work if you think more about it.<br>
<br>
However, what *would* be possible to implement, and is already done for <br>
_authorizations_, i.e. which *user* has access to which profile(s), is <br>
to dynamically set the "sessionExpiry" based on some user attribute and <br>
thus set it per user. The default could be 90 days, but users with SAML <br>
or LDAP attribute X set to value Y would get a different "sessionExpiry".<br>
<br>
Regards,<br>
François<br>
<br>
On 10.08.22 01:39, Muhammad Farhan SJAUGI via eduVPN-deploy wrote:<br>
> Hi,<br>
> <br>
> I am wondering whether is it possible to have a profile with longer <br>
> credential validity compared with the others? for example:<br>
> <br>
> - Profile A has default credential validity of 90 days<br>
> - Profile B has default credential validity of 180 days<br>
> <br>
> Regards<br>
> <br>
> --<br>
> *Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.*<br>
> *VP (Engineering and Services)<br>
> *<br>
> SIFULAN Malaysian Access Federation<br>
> Email: <a href="mailto:farhan@sifulan.my" target="_blank">farhan@sifulan.my</a> <mailto:<a href="mailto:farhan@sifulan.my" target="_blank">farhan@sifulan.my</a>> | Website: <br>
> <a href="https://www.sifulan.my" rel="noreferrer" target="_blank">https://www.sifulan.my</a> <<a href="https://www.sifulan.my" rel="noreferrer" target="_blank">https://www.sifulan.my</a>><br>
> PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C<br>
> MBOT: GT20040131 | ORCID: <a href="https://orcid.org/0000-0001-8497-1768" rel="noreferrer" target="_blank">https://orcid.org/0000-0001-8497-1768</a> <br>
> <<a href="https://orcid.org/0000-0001-8497-1768" rel="noreferrer" target="_blank">https://orcid.org/0000-0001-8497-1768</a>><br>
> <br>
> <br>
> _______________________________________________<br>
> eduVPN-deploy mailing list<br>
> <a href="mailto:eduVPN-deploy@list.surfnet.nl" target="_blank">eduVPN-deploy@list.surfnet.nl</a><br>
> <a href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy" rel="noreferrer" target="_blank">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a><br>
</blockquote></div>