Berlin
Comment by ~fkooman on ~eduvpn/server
Perhaps we can even use something like this: https://chartscss.org/
They do not (yet) support pie charts, but there are bar and line charts!
Ticket created by ~fkooman on ~eduvpn/server
- Make sure the account is still there;
- Make sure the permissions are still up-to-date for VPN profile usage.
It should be easy to implement for LDAP, possible for OIDC and hard for SAML.
Comment by ~fkooman on ~eduvpn/server
An advantage of standardizing this is that there is no need to configure much in the portal. One would only have to indicate a "permissionAttribute", e.g. eduPersonEntitlement and the rest would be automatic.

One issue we saw already: in NL their SAML proxy can't handle URLs for filtering, only urn:X strings. They use the filtering to not send all permissions to all services, only a subset of them.

https://wiki.surfnet.nl/display/surfconextdev/Standardized+values+for+eduPersonEntitlement
Ticket created by ~fkooman on ~eduvpn/server
Various aspects of the server could be a candidate for different configuration based on the user. For now, the only thing that is "externally" configurable, i.e. through the IdM, is access to particular profiles and to the admin interface.
In #88 we also ran into allowing the (VPN) session expiry to be based on such an external attribute.
Here we'll contemplate a mechanism by which to (uniformly) allow for configuration of various aspects on a particular user (permission). The following aspects seem candidates for such a treatment:
- Profile access (ACL);
- (Web) interface admin access;
- (VPN) Session expiry;
- Whether (and how many!) VPN profile configuration downloads are allowed;
- Whether (and how many!) active API VPN clients should be allowed;
In #88 we define attribute values for expiry, in PORTAL_ADMIN.md we define one for access to the admin interface.
| Purpose | (Example) Value(s) |
|---|---|
| Admin Access | http://eduvpn.org/role/admin |
| Session Expiry | http://eduvpn.org/expiry#P1Y |
| Profile Access | http://eduvpn.org/profile#employees |
| Portal Config Download | http://eduvpn.org/download#5 |
| API Client | http://eduvpn.org/api#1 |
Comment by ~fkooman on ~eduvpn/server
Notes: currently if 0 (or more than 1) permissions match the http://eduvpn.org/expiry# prefix, the default is used.
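
The value scheme from the ticket and the single-match rule from the note above, written out as an added example (not eduVPN's own code). All function and class names, the default values and the value grammars are assumptions, as are applying the same single-match rule to the download and API counts and treating a malformed value like a missing one.

```python
import re
from dataclasses import dataclass, field

BASE = "http://eduvpn.org/"
# Constructed defaults: the page does not state the server's real ones.
DEFAULTS = {"expiry": "P90D", "download": 0, "api": 1}

# Assumed value grammars, kept strict so that IdP-supplied strings cannot
# smuggle in anything unexpected. Durations are date-only ISO 8601 (P1Y, P90D).
DURATION = re.compile(r"P(?=\d)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?")
COUNT = re.compile(r"\d{1,3}")
PROFILE_ID = re.compile(r"[a-z0-9][a-z0-9-]*")


@dataclass
class UserSettings:
    is_admin: bool = False
    profiles: set = field(default_factory=set)
    expiry: str = DEFAULTS["expiry"]
    max_downloads: int = DEFAULTS["download"]
    max_api_clients: int = DEFAULTS["api"]


def values_for(permissions, name):
    """Fragments of all permissions that start with http://eduvpn.org/<name>#."""
    prefix = f"{BASE}{name}#"
    return [p[len(prefix):] for p in permissions if p.startswith(prefix)]


def single_value(permissions, name, grammar, convert=str):
    """Exactly one well-formed match wins; 0, >1 or malformed gives the default."""
    found = values_for(permissions, name)
    if len(found) == 1 and grammar.fullmatch(found[0]):
        return convert(found[0])
    return DEFAULTS[name]


def settings_from_permissions(permissions):
    """Map the values of the configured permissionAttribute to settings."""
    return UserSettings(
        is_admin=f"{BASE}role/admin" in permissions,
        profiles={v for v in values_for(permissions, "profile")
                  if PROFILE_ID.fullmatch(v)},
        expiry=single_value(permissions, "expiry", DURATION),
        max_downloads=single_value(permissions, "download", COUNT, int),
        max_api_clients=single_value(permissions, "api", COUNT, int),
    )
```

Falling back to the default on an ambiguous or malformed value means a misconfigured IdP can never grant a longer expiry or a higher limit than the server's own setting.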