From fb83a8ba09fdc3a87a7e69155cce94ca7c2bcb5d Mon Sep 17 00:00:00 2001
From: stianst
Date: Thu, 18 Sep 2025 12:02:53 +0200
Subject: [PATCH] Documentation for federated client authentication

Closes #42721

Signed-off-by: stianst
---
 .../images/client-federated-jwt.png | Bin 0 -> 23487 bytes
 .../images/spiffe-add-identity-provider.png | Bin 0 -> 25602 bytes
 docs/documentation/server_admin/topics.adoc | 1 +
 .../con-confidential-client-credentials.adoc | 30 ++++++++++++++--
 .../topics/identity-broker/oidc.adoc | 6 ++++
 .../topics/identity-broker/spiffe.adoc | 32 ++++++++++++++++++
 .../admin/messages/messages_en.properties | 2 +-
 .../broker/spiffe/SpiffeIdentityProvider.java | 1 -
 8 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 docs/documentation/server_admin/images/client-federated-jwt.png
 create mode 100644 docs/documentation/server_admin/images/spiffe-add-identity-provider.png
 create mode 100644 docs/documentation/server_admin/topics/identity-broker/spiffe.adoc
diff --git a/docs/documentation/server_admin/images/client-federated-jwt.png b/docs/documentation/server_admin/images/client-federated-jwt.png new file mode 100644 index 0000000000000000000000000000000000000000..7b408f4401b4aa81f900d78a2fb2fe4664bd7551 GIT binary patch literal 23487 zcmeFZbySsaw>G*IBn&`NDd|v20SRePP^3gbkw!%6?iQp=KuPJ8M!Ka1q`SMj8_sEX>q&pXfQX>ZXdy-=wV?Af)*?&_^0Rc&vq)m$zW z=(niIu5}!05)dGA7jMM3q?D@aJZ^8()Wzpu^~S1?!7R_ z%J$pYG0!&`e%+~Y?`zw9lQ+&MVxhAje{Y;P*(sxw-Gc?GYu+|rB@vs_!o-wu~GLJSQ<^w^=F1KWdinKhh=9kvTg#mZY)_*68hU5+ ziUY&37uKp{3o2 z=D9@%IW{j>4aZA-@UPzuwB^5cc*(7!r^oqIrGTwkG)kIDYJRnN9WHw!}^kniwS)y&vW}W+oW*_IcMr=4{QWz;u|KuJ)>C}+Q!_v za`{256L~%xTV3mlQn4w=rIduWsjgXu1M8)mP1~h!VmPVXKXCRpGYoTW@hGv&IHV4 z=_v2=a=!0^PGqi_xDDkt+Yhw7cQj=>{mBLWnUo5D)83GjlF~3T!sX!LaBJ8rPfh=! zu|^Q%lqssP0O2XL~c`QB$yYe@;v;;<4 zk;HlUQ&4X5(fK-L51BLVD#ltcP^UiB>xhE>zusBz#;>ro zj)mZRCSBqlR&1RyoO4N2%+I;k?98Bit-rsk>m`j!<;A;=%-nX&Vy0A|qO*0*H(lf6 zKE>Bg9Dea6b_*2490) zdCSDJ0oEr`{2sV;GB<-6vr9D_{WThVi4OLLjV70u8MxYphe;B|{9N4K-D{@w?m?tI z-CrBMMcQyBAui6pvchg+ZM2Nr;^>cFTyF?W6bS5;AfoD5hpjr|-PW#nO}6w{y1bPvq0-@fG<*4|E3l|e%>D&(W19$4mcv9TLXWozC=p@fI6E_~zaGP1F$ zIS=Jn7;C+Sqq1Vmy2vIXf~z4^CGf1=`1+$qB@Z|Ze2U8XI?E5w4N=b}B(5LL%O)l! z#wX^ZNAX&?1a(c**Q{5v-wYu8M#(*cdYPs2R9xr&j?z+f!_ei?(b2lJI=}i#G)$Ap z8d`hqS%-zw>A5X^^Q%)g+NS4P_49SL(0P^gin$-5P>zb54EhFRLNTiRbz4bENeVls z0fbx)n5#pD20g>-y=n4<{I=!=G$OYc7#KFs1MWO>VW~Q~ArZn@9YiY;o0$0d%NM+_ zU%yWDt2xzA)_Md+NBbL&mTGLxG%XAjq;qFdU>(ecs^vJHJHiwE8XP1dBO~h#Dbj4j zSs5)O*xcOA$;+!9HmdTIO%U^%#>BbfX*FhpiH(i@ySZ7!#^%w<$;rg*>?M@;Xemc? 
zb2AEsfe|oXn3$46&Bu4=3ITInQ}EpjsKCI$fuCAe+M;+pPEPE(A3f68TN%tLEX*?D z%}}i%w%c0~e*XM2kNE-$7Z+DDMu2o^Xz1LurHYW4n7G(%->LO!R!Y+J`m4ZVM}AUW z-ByhceK-}i#cz14_!e~<1yOedO>X3FdKH_^<0$59f5KTEj#G_j%-IE_X(jLGHU=#ev~L3if5X%al0}OXYq1HV&64Y|ed& zIBv|pn|kp=0qfeeYu0dR-rJlqV;*uqHq-+vPC<07jl$rDF^6@Z8+Y9HsU#bNQoKLHBETVrOB@Du>16^JhF zn%_Cu#v&82#=^CF!_E6>VrKDP$rF*C67GeirC)Fbi1MGEhOSQo$SA3(E|yuY2JuOm zn6Tc!$IsR2rdxO;aPLnvKZ&TQs6xK>^`Qbi59+7>>LbM_10`lD164Is^**_J{mdu( zRp+APl@2De&A06LN3Be^$8t3>`?6GgO3dbK00BO>N7vW5U6EB*W(-~6Hl4xZG#a}q zFE39+L!-XX5r=j4>SqrR%%4Ah<^W3Q5B|Iq7Z+EM^)&B8D#F@(n?Zts!)7S5^IXTM^y>2>cu zlg>@A&tLU^KuDyqdc9DyFz}%dWmc>IoSP7vk>N`c{#Jn`hloBwUVSW%|F**^ZJSsl z#g?Rbrc^IIJ$;T{J2~M&^4*N_9NpF3C{mV6t9p0kA?{8H*K5PP2CJ=51qbRp8kc>6U@X<1oKUGX(@3-dI7->=_7HIWfeP|`RV zkbUv;Wli{knF4+ec8uiiKy->9lG z+ngtUe6PNuZ4~>{QuJ4{(4Vk9av&%iN6QTKXWFv!11(2P_>23(7D zQ8ygB5Ij!qF_)HB{KXvGrpO5GTWcYYQrNVq0^eiRt7kbGJq$8=eeASJ^xonn#U?w{OL zy;PsxxNng7W(Nr*oRmMo8MO8ED47MW!!t~F2M9Pn*NU%c?z-4?zkg$6@^S3X7!3Sr z&UeEv^cW;q@ka@dWXUm3wpOQXjcDa2nJEv;#) zCi4hzr{1-VIN-d$CHZh@S!ZWvK8pv_X-w9*P1!r09e&JEEO;&{ zu(LW$02wii+k}cvDuQP01eb(UQaL0ulgS;I+<#(Xf>@8cr=hy~0uIi(o!QoIzglfq z*NsqSm9*Cklq@W`A3l6AHaAB{nXeAXXBCQSzOX;9JP=EH9!w{tZlHx7U>KmuZ#iXD zuF*@hjze-0)u9*XgRMDU+g_C+rfh%ldyI9kTvFEb`B()N0!jIq*r?cwx4ijWdVB`4 z>!DwT9w)4|aU`YcDanz>>=pJ+kvyN~%+$~`a69~6x6{bR9ypYY6!o1R~^s!vKons$SMqUPLA z0G;yWNELQ%16W8dHMlFRbyRzSs979 zxA)}K43-542P~lK-gAdk*P~f$Bp%avM1+;S1Kjfa$WmzrixmHT#}5@I^nr6kKm+w9;>p-09v}ce%#k+wWq{4xwKy zbQn*Z-cs)uxmGZZIm~bFeQkPgyzoxy`p#!@BV4GByyz^%$d`fZ2;^uf2u1B+vf#w)SX=&+; zH*cOwOXDyy>Sjl6(O6hmloXXgE)s?JfbA+}>dWVOvVUy*H8!RyN!2q0tLK@tw0la* zN55$^Gc!FYYeEtdYF1X+mnZVfDy5$x{g8n#q1~N)jgOxnaui^Ii>?+wA0Hkb9*Tv9 zB`hrL*U%6#SORoB7E5y3S^_fXEBdTE?bN^jlw+@7KQD``hz`MFX?Ha3zR$oV`q4+a z*pfd}kxICE(`YOgOXHOYzNvhr+WGO zbF$_Aq-Bv16}?npXX$ayqSx_K1{W~%!Fq>kIdh`2gqx!TKdaYf0G8v>Z?v(} zkLeF;W!08Ai!Mb@q9KlL5(DL6w_jIzifOWCesgD6DL(24w*FX-2(0%di)g2i(}eT{ z*Qu#vA?m8a*q>hGZa$%3zF1$VI=@cEwf1L_kTvj2Nc5)*GBn1z@5XZZ<>chPfD3Y` 
zbYQZkUgE{;*J5|K{e`q@HYVbzpOxC*dj6cv`~f?@W@@Y8x=zrmEYNG)it9RwC$|$b zBs4eMhF#+lGHK5;lW3jJmcS74oK2AhI%>eg^h8Xw7M?jZElps5TSHT@&}*T0yP4)j zG>DSVg$8~a`Xj{Km1nm>s@3~s?|W+GpH5@Oz3zpK=0K>kCAM1YIh}KkBp4q-MMp;%}WKV3)D)3n$xMg9+5EKQih`H?jF_s z``EU&w!8ju0%UyFC?g{yMui;I+1Xh~SC@#g@*Ph7)WhUwFz>^K2DP&-q1W;8U4!q+ zOnHzy{%Y_e=`1puF4tKZYrQspJ`n%}Wh>@EW@B=Y?a8t99iNpIrDs)vUO;HL3vKzw zwjBvVqHe`#v+8~HExl=QfoW_GC0G3sFKngJwB-1-JEt8;1sUif!)@5Frl`Z+&;NOQF>lZ08h*m+@Ls7SUyO9h!&2vo%uLPEk{ z&CQpEg@t#OT_gBcivoj!T#onGHGwvFblIMWHH?i_wq?IkP*70sNtH#CKj>#;_%DXn zt_@%hPIHY|5>%Dh6k@ z^-FN1M@A$^Rj-~=AC7n^vyarDG@9tDd#`7+rR-~LU=@0|;wP%=>H5fbA|Thg5>eG0 zXmwn8Krx*A*iO0F8XGPV%_As(>z0C?<0thYr;{%x)cBV!xe4*NZMXk)I{U$@rUV4L zrf(>1$QX<=!Xh2&*ZW)sdM;rD2R!rhQ!Abj@xOt}f7R>n-1SPP{h_l6QRbetHtiv) zLK%mIrGv^ppAm7XK5AB#BNTl4~jL7{zY_+D$YF5#&bxADdU z98v-LHW?*}EA*`qlVTrk121{;a;u8o5##6x$pdnQnP*%ptNO8VS^mya!ifC_zG>av z=*D`9(0Vox9P;|J4#9eo%#7w}yWxm@o96GgQq*Fik(dTxxyhpN7^A{#W7=uDo!Tib zHWqJx?Un{meC5g@My||sA9fs4?8nD@t96k?<>du z;0r}X@2_8Pt_c5f@~U(9;>V`ZxMg;=ul z@1{2=CLh25I9}7xsuXC!PGVWu2Tp!N@~_om@Mw9h*58evxfTa~zt~<`F&kp>aE1Hw zmGwzSaqKgJTV7z=t9J;=Y-Z}J^hcDwlh5DrB{|UAwLQsQM`bBX*^Hb&(Ya409ob`)N|0|Ac}n@4Fx1a}q~$q=6e?YmrgMiA1kE8Z0r*r3_kGUb5vsaz7_3nUQC zVi)ArIuo7-t(7HawY1cv6fZD9_vtP}<%M9!%nVm)Z=aqLl62>Sy?}?DlIK-xuE02!nFa{Ymr6q-vTL> zzmsb84vLg_np&CF1B=N8+YK%(B=HI#>{aw5CMC|_oOWa*qopDxIUoL_k{7(TFJ<^J1YYFT`abVzXbfNOo= z0=Rd0Irp((p&*p4eQm8*fHL*jhgC@+NO!5B1Of9(ZGA2bxc{qIO7AN1!u=921(jhD zdJx3cwQ1}j%xV`>y7O8 zg`vzuHmcm&{2LE^%jt##b)yZ(jB5i|Q5{BuH-LZrrhRlF)<8*9f3OgL5PVW_XR6UK ze~tBt-BJ6OI|7fE$ddw;mD+z%I$_3`L*456J<7Wp8T>jV(=oxg|>UlIc2#mAhv0T28lQ z-xdZJr0+aF=61NGdu~F-=F^P}`jT{2ZEWpZL?fyn1@h zzSo2trra-VGI%U=YZp`VdfOI3nhk^n7*N@AG@*;{p2WmN@aWi)8Vr`AVH`2V=p7I2 z?CcQp?!QW8hm>YrcmL1#v(76z)Zx+5I3y$_*t9=#pG!*Wn>U(hb`m;GX9xYuNQT1# z4|?4jJ|C-@6t9x7tVMq84-*`eeB!;`)&IU;1#LaV&+(dPnF4UySz$tED8e1)8D_o_p6>W#joGL@uYSsi8rvld^-o*kbv%sj2BdH*~#I zPl68XB0ly%kMM*BJCgH1Rj1zCQpWmsF97mj|C2@Se~Rt@|0Vw4$3beD{!3Wc!8{sdr=i>yV)TN+|uGaV*mML7|%gb+4PG|LWa9 
z2`MQlby9kUJ)^MoZrIVJMMfvS|COd)Qxo)b{PUtA`d^FWzx~(jxZdo&f=&B$Ysa5%0CWzW%|32i8l1dV0$rRja;y`I5p+O+z!I z)_y#$U*^QX$aodxpxzgoZ{NOg43vAqYhkx<;Rbe@)w+985tm|t?j<`rJNvDsyPiHi zXsEBDp$RHwmI|fj_fZqSKA~y%rrmOJbtTb1gx52$G4qtIt+}Ck7{O)a4{n4lOA1gA zkO-o(vVq(yp=yqwfSixyxWDc;tvXs_2n!FV_k0=)sYhM%8Kvj&*&wS;8D8)L-Z%(r|05> z78HMf|9`AG|AY1HsU&g_$;N~*@M2%ztH0l~p`78GKlAe9 z($a?1O$G)ACVW^bQ}afEo zoYG-U5&`t=ou+1e)g|FyagRMVCOycfHYRILwKO#~q0uAT`JNXtm8o$Y5l?F7W1Re< zrjAt3itP{CPEJpA4M%zE>gv?z{)8`#RoE5iz-cjs@gAuEawZ_w6BfPzwQkq@uabZL z`Ezx-Kies;#Yh{RB#yPQ3LkhndY-SL&*eqZ!SC;F_>r3WYhXa(WVpK9 zn~6AJxdJQnn&maCVqT)E;)#;=&+H@Uu!3wjlz=H1RhCoG^}@uEI;Hfsa9Xk%kz z3!pvAD=PFPKY)pbhrBV6OO0`r&>4!Cd>)z40B&|{kLDtcmh^uf&zugYC(F{@0JzHe z&`P|sGKddsJBTDDGt;l$hv4z!#|cB`P%pU)YX;{IH%hMZx=MvD$I;Fr8Z|XFFzwe_ zOBOK#4ii&TE-{Wr*sDVYk0Ut^>Z0r>eqDedgkmWg3_G+uxn^e@`E3FO;X{CJY;IOV zX$GlWE-Yx9oETM|VgUck$$0>QnycBFCeMHpDl#0Mn4iZ)Ep#Pafy-y9RWXP7d3riS zaG6_JOioX`LJXUX6zKIMhvDPn1EL{bpb&IXycmpDqzl#n$-U5>f(xGeN|`GC!Eci(cI z7e3tbr@+ALwtFksPEO~#CfSMwm!+kpVf0hC!*s3=$zPkQ`4GErJ^r^ffrCn)FP&Qa_<~Hp-V^Rl1RfN;G#Fvbha4Q6(0nuv>r05gP(|f9wi&z$ zR;M%j_a8opKqC+gooi?)f#uqW*JBTyIQjI~h@g7=mMB>&(*67QI{=LuV2}K6YP!yA zJ@T)DH!R8ti0Cjjt;Pz%F60HpUn-y^Aq-W@7}5YE<|#mEh#uM z)nHciZ6+rthw<5LUGZCVyRigm;KiH3kI;!kiNd?htbEX83KMe!g%#tl7fylY0{$N5 z1!tti2Kojxnu2IAq9(zexeetAbhwbPnwr}0wzk{o!g#j(YfRcYI@oIVn{FG8D(v=eLyB?(%aM56*vt(7&!0c=;m=_8TyWlKx*Ov;y}vR@ zjlx3^90%m9uR8cgSS}P#o<6+-=y4N;b>YGV5o_yWs4r9fi4jyoQTP(Eiw#uR6>YTf zu4AD-Lrp{s4_z2+AAfaSUHXBcq01zk`goNmTN1)jQc_`pPL;@m?JUS%aGror1!z`L z$ot?2RblF#_3`r`Em4pNP(sC4>(OxF#Of;3J#fn_D=TYYzTGMvjxX1G;1a-HL%MU5 z5jcE;Tpa2$6bp-sy^qdQQ|}4CefyRW?j0O>Mg(kKV9X!b?dg{k!vejZp;RQzZM`v3 z#qCY3>gZURXbM4wCvdbtT|GLg0?kMT0Kce7=z6+UltO_ea(;H|25aUDG|@sXzOAgR z{5d|Js^kzF|77?IeZ0NV9UL4e!Bouhjf{-U`Pfbdb45u_{n&cikLxpt+Y&ax)1BZ4 zI$bnPEkU}_KH-v?nK|;{&6_ur+}sKfp_~h9gMU7NU`k3-X1ceNLU>l9Q1Iv z*VR3NnXXc_Z~y!0%1XxqCl6fm+n<|P*$hXDb-ND_4zM6X@mqQdRuflT(;RHhP7YHV zl;z}Tpi+h9<>fW?fPjF2b&lT9&`?BQKVu~4_wQ%b04k}esdz2=13AK3k}wpp+1V_x 
zC-lPWtZMyOZ$OwNl0(?R4$&0_|r~x1xS)-*cf*U+hW>d#H26 z5lYRdUtcI6t7~g}0%cH#)P+I;k~6B76Qa}&4gI5dt)@mw%oYao?%M7yxqWDj5SEd_ zt+3rqGkFAEVcZT!4=aI*poGBEoLpP;hyGQ~!Jk^-JY=!=-A(_@%grsP$6NWX{_?`Y zg8D#?#)F3sZ?*t>Q86)H)6vn<9xh~hF}OGigpKuM+Z~gmaQ2Vyz#vCCPd5hm7`ZPi z8ulKo0xSbCB3&vMP(a{r9~&Yh!~H4|Rfr&%l!b<)P&e>aoUa166Fd@4KqYA1sfGvp z5)t98)e_RQ`xF`(eONUcdP+`-BM}giG6FgXYuTBU*HV3BqMF-$0S_4FO!L#HPiq0i zmX?-wRYPDJ6sRXx2J;Xk32?g$QOdvl^GqBMJ@?VmTX1MyeSP)V7#R@}(Z-6A7JIn8J5BG^eG%C0WWl} zGq|foF4x)9^Y!=`9HoP^<8`1`pEwPMegQv#P5@}yPPMRs%p+oI$_9X{cSo&vQxAR@ z^CgsBwntdY!XObLAwn*#motmLgoI$AU^LNS*{MY+_MN{@ct!(##g73ff%cvDkAGyj zcTdRBkon@pi^y{1$|_WCPv;@XXrI5$WiW&;=eQV4AO1pXeXQc0%;~i_AT8RR@ot1_ zz144D-HLE3T+Qk#w=v_h-Fddf_UhHE3n&DwJopbO?%cfjSt^oq5`qUjV=)a4O2lcG zmAycl6rt3dn3M#grfMhvUAPF4C@_(6@M%~0MsONj#>B)N7#yq~7$AgpL}L?^Kn7|o zk<8&VW*LFsE$`VBl$3nb1X7!--oAze=XbYqWkr8sdAa49nX$2uw)VZf_3;2`w@!GQ z_W^|h769j>1fp(YVnQfjZ(Z>&wFyXK8flBnGKCxr!`j*!hktO>dj#KK4QGlETE5&9 zmim7v@D03}-$GIRQwQV-DX~}vuNBdo@lNYa??t+krE;Cl&lK0YRcZa=1JI#Y2=Vj* z&XJj%ZMb#wCbGaREOCIpTmy*uwo_p_5vFxbPY@mkR+@AFKl-MM(Qa zG_+669^xodgFzCJ-pDRsly8(8(@ff%fnKJblxuy1f>T0bBD$NK8zHYHV@5{C7pOw{ zk#NOB7q3NIH(2|iAlxXhrg9P!X&xGlDQ7*d36)Y+B@1CuQ=Jaw?CS28RaI5hG)-J$ zpm}-p$~po%Mxhhsis`8t-||mbD;`-YWmABy-$>v%f56q+-d=e_Yk8)xfa-7TB-R!e zy~dr+Nt>FQdV}ttyJuw?7U1aXF7b+b!>K4~XwZSG7lZ`=^4Q;gcph``>+_wP zKkG^@Z_lhZ{Q8A@{rWZ5<;!UnW6)>}yf8s|J{pmqJ139_DF8U2Lq1#d#sxpxKokn; zd7Y?s-K-~2iv@5%Ow+lxs4K7}8I=mJ!n%=(QU#6$pbDsiMkf>P3!yo6yk6CKa=5*` zD>l~Fh65JC!E$z0+OA`j)w=3Psl^riyV6gxRV(V8fcG@!Xw>2n6MI9m4g?V-C?W)e zfMDdjZ@O^@Ds_gcoSd8}XXMd6a7aZoG&G`erNSOun46p1*xGWbsuG0RLn<`=%aqAk zv(V&P1C7)^1T5|`G30>En0k78l5jlurqHvhJ(PbRs36j^3y1VQIzKSO`Ww zGl~iBY^oMlu#Rio-u2Rz+Z2G?&|y^b_5Q0D3JRW}I~20YzkRy}U}_ACNZ0GLhUDVQ&6Shihj@hkG0ym#BMvb8QPErUiR}t~y+1oWF!qlrT)-^P|YyNs4s_OOUr{m|suU_Hn z^<`AUT8vFk_o0;ti3NPMXdADuzXb9D$vF1*_Bnt_(3T*y;yS4{3!3j$iga~jBPM`- z{qI0(jgKEa5UT~!9TcOr{JJ>|hHifP^a)DQbr9?iOlO`UF#@Z6*IxrP1ETFdv`70% zNAYNYs9G4WstSueod1adec>SELEa_w*#L={S12+hMM~tr^y1-Kz|=16t&J*WHo5-% 
z$@cyG_ldPNRi?MFGYAcYkU6lAvE|)z(5;jd6sVAp5JX-4X>GkuNazVP-=`Hb(Xgx( zV7RBZ7kSTSd#<{p0}ok}u!cM0MX!{Y%5xN4y?QmrZr>2)3>6euXt}`RfVsZwh!uXo z${Kh~F9s|S#Av`bhBq}ZNLOw%{(^@jwr042SW3&!>3TN5MummltJI>ijk#gHL_Zt~8pXzwE+Y?M(d{htN}QDahr1^0%Cv983pN#4c5cvEsn~LrjE@i!s6(7d z;6q4DIk~yA=7j&;FNf|!FLY5L3_q2-P~WgYOk6>oo;G zvhzVVj6?4>vc&<}t+0?2QDx?9BSe5Bb)e($NJtn$7Y;!!BYi3Sc6;iO@`|Bz z2fQXae?jXF3gC~QA#;J%h4c5O@4!kB0-p+Oid;y0u*D$`7(y7A5t(A4{-H<__TQ1L z7$P?CLsXMJq}ZIC9OsgfN1TQu3YmWZ8{J@;*20nm4E>tkd_I1DMgU0+a!XE8kw;b* zGawPtjR2npmj(UOC8Qe_4v6BhxQGJOKpQQ!Ktq`?_g#aLK{-SFo)BH|Bw#1fy$62n z?7Q5&JlB$v5@iG6uV9gY!Q>6<9YH+kXsv_RcG=gjF;K|X^(#6GNt58x04Omq&o_T#fSMxGcX4*IEdzIWhuavcIan88 zXDMUDjuhxKN47srZKW%hSt7Rxc=9Pdox$;75)(XJv~L9u;atfwG5#Kiibl_Tmk}cVT!N>1qB&ZN^gQOmNIex86XZ=DdL2~GKfn_@jzGsa23;8%he$_ zaCnJh?6Fq!2=)YHMrJ zKsdRAI)~5HZ^CjA1#b_Jh{y}DJrKF+1T(3Nq_NAnw6I&5tgMJ7g zrOzZJ9z#rDK*69YRN6lRV(1Fvi9#VB0(3N$N84@hQUy14lv?PO5R(HkWGWWafOqhz zxehk?oOyz#Llz;Nqkt|B%C%ts`(CFOJ4v@LFE2-Cd>=?RQJ?qU+_m6DtmOxtdJkiN z>Qr|(D_7bRNku$FOkKc+&FMzy%6qx|5cGU++Ri!2?c2AFEiCGxUDzLH9-5`lK*VJ4 z;hpC%g7Fa;8hRH8(M;!6x~D42%5@qI4GqvT`50_5l=@N+81|_`5S=0-BE}FG#P~!Y zZGN}3r1#yN7ME{f=isYO!o?-vYL9WVx*}?7Ff(}PJ z)i6*<(GkG<{D)Q*^zum_o$sv)R?d~4Pakam`FdT`?1P`y*Q?hXo~$x-y$sEGdEdSF z-D0TPw+Hqtw6jmk3bSUO_I)Fl8fQ#QS8j;^!cs~X92Xv<=jgjP>V6VYQRSrkz2zr) zjE)(O-H1`qDEIvKS$X^N_FS=zVEg>3Kw#hz>=f?-EE&}2Y>nnW4zf&tll}VT%OEKD z#KGJ$z=8#5aj8FBjaC&Kz7N4Ut$}v^*_TAbo(&KRY(Rm>CM8(8(A@34D)c&$!S;nb95bJ)8 zgl7oa4xa)qPlHV6Rn#ES1&-QIpOTRd$cUrvn6t!$rvYg|)%>U7R{LNd+%00_G?*TG zDk>4X{k6<5S`_zG3v_#X5}x7~7!3DafBkI+RHQsus%J<2RrKKJLW6u40H?ip8BmdX zj~=~+GK4KiHhBewRDh%6-~EyoVT68>Yq4wnDF>gc<@-opOWBdU;yB1 zJdP*Duz$|Jez}%B7_dY}rv3TiFku2P(tA8Sr2{Ww%K-=zp+a#w%i{Fo%MqLwRqWsV zJyQ8abV-#2vw^V%6!jEKOp_o#WC6bjC8R>tKeAj2o0^`sINj}sSyXLf#za2X>_#!k z1{-P>$(>GeRqZ!LVKnOpXD8^vi6SX58drrGVKRxiiX3Y!&uD;pZcJ-Pjy#F;&*Gsj zjL=d2>&X95#bhq%e}7RY5=Q=wLgn~UT=@Hog4mb8KT(X-&;I!(F?aK8mAIn)vlNY`h#pO ztFRP$VXuzCSb0g0C6oYO0k6Cy2dz;kWnN{vXWCH0*XLBq6@;QIy_FM)Bi*hR+EJ*EJdl9!-$>dwXK`j8G@-fsz 
z^dTq^gW*DXsQ)qKk6SGF=>Y8t89qKbN&~*43pC%Y4+&hkOAwP2?|@a=PP!2=+f>4S zcIh7}jF4kqLfhp{5|Z>#RokY)S!G0Af-}XkY3)bMVGfeMH&r%4M76!Q5v`5j#*KI= z{(lUmEE~;&W{HoX$hnojDbqg#{@n+ZJxWFFTW5ux6_Mt5l?HjE&8d3DQu7~(P#ASQ zUbS6_^VpdQmT4wT0B5ARzyA%`&|QaGXfRAm9dWKpeVOU7VO}EWXn&nWoS0KT3`p@C z-Krq-sXA=PNKar8z`cqFI+g@;<8ZuM3H2LmvYU?2mti;MT8)N}!| z$U#C$J(rPrlm0q$XC<#a4d5b_9|Np(#oTvp;7ue)8kUM9_^xU_d1+9;kZKhv;8bij zkPPK$JPx0>sz$@*i+xIF^8^|y`hmED)_ep-@gE?lgJ?infQ|iZzV?~;5qy!r^J~Ai zwzhgQ-m=4_NP$ucN(3HOUstDH>wax(XQu~WhOhc31`Jv(A#+}S93zClQg=!KKzuAF znYB<$C<}|JJyaKLmwu$oEH9@+p3rFtVG{Kx(S+~DV6<2tQvv8FexU9Qlw^$?>cLi* zFfsMu`wZa0qNk>&^1=0~*r>Up+nwwO%mJ`}N#O&l?T&VVcBcrB;9=gN{?S500F5|Q zXrM+ER8>{ARy>W<8pc|iD>m{xlVG^mBmuZYCUkKyJa_;V3R(YMX#OdB1EWi7U}+JB4U3i`LG^-~ zw>UZ2eAzgySZKZZt`$1?AG=@e1d71{Y6SU{+kX?9=1F6ft5=t@d>&sVxeenvCttrI5^nc*2cWA!U>nRUCC{f%ljZj z3t#pFd-0;9qoHwuVO|?%93}63zZTR`i|$KG$jTqV#*kgfg(@Q<7^2^o2OiZoM*uZ9wo{j+jqSf;{^&jXQGKA&)ktW<^x&iL- zZH28xNrN^>*kq7F$sn{pjFsEWfm!j;VyTCfgv*f8gfHs@xE@-Ciz6j@Km+b?jlj%E z!rV)0Xv9sMfZ}Kc^Fm5U$oUW&zP$5sad0?cq0_&q0tn**b_RMT;aMbj;^E+8QMGGn zX%Ur;sxHMmRZs|nAogc%;67^m^M`T!2$x(y9~?9(Fqymz$gC$WAk*Q?ItTgVp-QQF zu6KX${((N*9wOX~cm7 zdwY3x0;INN?CyiQoSB`a1$pe|?jB+n48GIQB8Z?s8vcU`*P&cZ4}hG9CR24(s~NtX zP*4Efs;dK|VJ9^(Ox1uIa)L!cO{1-XszT`g3gU|_1n!8Pk~ zzJT^ntNG@rX$zB6@i?4CJV+OO%nwljqG_))BamhexQ*Glxg~HRy1-$xlFwFE0Y~HK zpnh|EJIme))Pw+aGk=@O@b7+w%0dzp{nEh0DP1ibZqArC&DySc={By{lN$K))hmfr zK~B!s2qD~3h7j}_CD8z!^>_M9B)_&LxqJo()8Sy!!@m)>G0;=USS#Oddw1O0($Wof6jT!VKt^Q$&h@cs$p&s7s0mrV3&{E|2#++V6#I(<#C?2T z?*8YG)g+5grcVEDla*;!B^vy9z6&76@^prK#b+n2+(nv5ig&?ShGK7dx{!^GWpFwhXxKZjQlLRtWT zO4W#V@#4(tYUa$$dk4@wL(nY*VS@0C-Ic*tU=AqesDDBfPh*KzuWhc2%SGgUDBkvf zTuX&NRjfuW{D+5JU0m`VjxB+{=s+V@{a$cTP&}Zq4wUL5*tEQFGbtuQD5n7)iw?ad zN`T!_NHZM*8qgLN3&qf;@o_aUO_%|hEsV-H-4Tp}p%M43A;B0@3j?RL7Gdn*YdOUm^Y{x8E?YajW zlS6qQ1Aqf306hiPlC6A-Op|=I{B;`e-F3kIgmEPnurEgBJd&{Pei<7Z17GeXBoWBI z95!3;;R!OIkt4nw(owZKUZn;udOuhnEL>bgFRRXsfn@^Z0LX^ICjf>js2TxQ;()p` z0DFdRtr#{oHn}oOgG`mO*U+LI@yIM0<|`jadt+iNkSw|M*HVCzuS`vU*3{HI1P{yt 
zmJNKRSP+d=G~Zi5HSd6cexMzsYLwQwkgAseM{FS?zlDXRf(!gtJNGl_`9c%j4g^U$ z46^NNL4Q6p{8a38Nx-tCN2Um7Jro?^Sg4Ms!XZ#m2nEx-7g|(cB}pQp2-NqC!crIb zVSsJVk!MZ_fc7)w#$i4A%hXFO?*~Ak=@l$B*sOaKq8~XKWYo~naqyE6PQCQ)jjAjR zADQEUhQ-Q&EL2dnqLpO(2SEx!8^)qP@7fFKS-!K*l}^l|``1u8KbaTog@#)G-JVyv zP+9$9rTcfDzO{bk3=a7k5s?Pgm0F3naXnbeV$cNA0Z#DE+qdUdOqHdf84###lnTP5 zo$1$}|B-5D->;%ydnQyr3@bz6>_Ai8G~?S}D34`C$Cj6ql=Ow%*bD9tFt+N!S>#%% ztQ+tzSVMX5eLJCo5~Xq(d3SJ7)ovGMOJe@%pEL8?TL{`@0= zX+Z$fBbO__9KwnGM4|qdeej<+`G3ZR_&@11BT*`-i8P$qsNQt1^RBe0LmvB#U!Yb^ zuIZLBit#&`FjP8w6!9j+SK==#lt9sq}O8->m`TPpo_qmPSi%bXOccS<|etl5< zBd-O~trJuVL#VG4>Ezo{DlQW0caTpigU@qMc&y2+jk%ik!QYcH|2K^_5)aOL;gM3r zeWT#KrKjNd=`GEKi~L`cJz>3i$=sh+pI0~k`g+7NeL85kfZ-`H6^1NQ4K!b!c=y$; z9giB!-div1W88Y>vzfo^z0mmY+tw^Ln_OnK+XbXrL%fM)!K5vFHnz#-g@>O#{{F(e zH_4A$?mj7Qie|9>v)Q+WH9-2eHnt}a{0#kI8MtfkbA zpZ1PU?Z-^7?s4Qj`}0|cN@hwwo766iV9w~Gk{=O`Lff9aSbFrg>8pEeMVm#Vr9d8y z5&P!Bpmj4{bLTG|)$mCnhwm<%khb;fm$~7@5$)`~D6eeJ_RkMAYkyxZw7q}UJ$d>+@BVG;mmg1iKUF36M$^KN zGeZ7Oa!vr5y`X607RD7Sy+Esb+@(+MolzdCy2)IS*X_OT-7?jcC-<9da%VpJ?Q6L4{MVunYUl2&UAj|_ zdsX?-b>ct^9j+d@#I|74np-p1iwT!&yxRX}*ZQf;-CBR0I;-~g^Yr^$a-!GWi=X~B zL)tEX{=amO;JG#H_wqfPd-b{f6RUTAJ065I1|E7QV_O_vd)99M$w#c-+n=ubzo)jV z@=m;d>Gz9`cQ!|De?DW|+y8I7V)cO*Hmo|B)}#3>`rUtJQ`1o3)PUYv&H~>}uC?#q z2*tF`lzs9BJT@G%=+l|Mk-+H@5WqKrOk&yX_26Y7aIAR;%P~;FcHk(7P=nB&`>Xmk zdlzu_fLibk-8-#!GaLv#YV&UWtE)LtTaDw}`$a8w&(U7zm|NZoEKF9`N?Gm}0l7=B z1y}|)u1_yLTfeJw^J$O}!}LR!K(#Fc1DPY@B>D$z6_$Z@DjD-GOls+}Wnp!yV0#Wc sz1d@U?4~Q2)3BP^TN=VjrOdW}@(BT}OjkB<2e&{yUHx3vIVCg!0P$oYDF6Tf literal 0 HcmV?d00001 
diff --git a/docs/documentation/server_admin/images/spiffe-add-identity-provider.png b/docs/documentation/server_admin/images/spiffe-add-identity-provider.png new file mode 100644 index 0000000000000000000000000000000000000000..7baaff0c962bc63aaea5041fe455b131570d8e2d GIT binary patch literal 25602 zcmeFZXINEP+a`!*sa3`*%ZLIhpprzgB0)ve1Cn!Ak*uKPjFu&eBH#f;GLkcrM6!{L zWRR?qa|X$CFMPkR=b8@FU-w+yKYILA6z6cx-YY!Moz`}fmA zEOgEF^h_-b%`C^(7mDCbY~)R1=6csGjm%6BDH`3dGAkb>UrL)<61`3`aM z3G(s@p5#9yCa$2!Y37+uLvx6Ra^ak!ZP0MLjjiX79E$fp+_snL*yIgB`dsG{w)f8$a5RyGUe!DVMRJ22= z{5eNm@EMzxOp)c3Gd80^fB*e=h?M~Od!armonh=svzdC@*u|hGKZZAP;)O*{!g12t zZjWkKcC6YoES(WLBBApB2#3j-k(yoq^T#fZOrM7g&NK3w_k426lu31a^r(8S(@!!I{C_aGgeQih=% zpHc0FKmjxUDR){v3I4#!rBi}}WyQtCC#uH3eP}3jahV!BHYGZ5)SMQ@WHi-Vd8gN3 z$S#d3&UtwuRlCZUP31`F_d1@NUrt($wD5f%N>EO!t&NggZ4e;?_G4^bhCTR{9rJms zqTpAOLrSe`4NvsBS4S7R7}Txb=DaPco0K@WDSya!QO$<&oY=$d4PW2gZ-|j$5EmC$ zlkf8sU5Pbq&oSz)@PA&v*KeY$nC;|AS%v5;H4O*+EN{xg-(ceV zC$8j&uC5}Vj!{o_baWUu#5bgmlBvDB`i8eEXMO3+#h!yzIa^ApoEqvg$;-no`O=Rb zK77bzR7zz|YrZ)-H>VP>Sn4U+Ug)B;WeEhKhjVaW}dpP35#h(n$H0gMzyWhWmKY;&MypGGV(o|oSN|c0eh(u?Ifl`99Q==AH z9^=2fx_R-#g6=irQv*KS`T06CMWOZCCbN=s&O4rZbxx<7+mGEfc3cVEGrH_B`_90G zGof|ZVo+o;DBgJ?@UfHQh4LM3K1}mwo8=ab3@m4)BaNN!oF9n^_GRLGVJjgy+g_c& zNiKf=)9<&IMqU?f(3Y#@ls-PL`eO4Ap+vq*rp+@iKYA4oImt(7%?%}l{lOPxDZ%V| zuqKdawfa-wj>@5@M?-6yG|o3H}GmWcd#sgT*?@aic%H)!)pyz78#jkO)1f@_?&YX~MgUHf<@~ zUzDZg^(~VVTB>=rsU7x1NxLd}c4nki<^INP^2-Y|R-AN-*C|K=0CY2&U~R8Idj9pI!y!Zwy)T! 
z=)5jT(b@RM*uMDv;K}90_oKq{p@N?STB9BXaYxlO?vOAx-McsUHBYo;R1$-aqHt4% zeWA1It>v)DLBF!_&ke!D{7P+hM>XddE)Hb+rGK*DvA-^=HmBf|m947LX#?qqi{3KL z+p71D=D$p7*;5~%^<-d0Of0iN=x~$Je#`5TxxLmL;Ytt9jJ{O4j3iY@=%0{sxW4*m zivWYM&h0nqDkY{(`qLIH!JHA&p4Ls_^x{^7Wlp(5bOu36B_o%U##GL)(|TgKIA+89 z-A(x5i8jZuN0-IUjrqzZY;JBic1V@cNxQb=ooP!;VPx5EOWDC2&gELU)(vm(t&b|^ zIdIW^-?O~OOqBtAk|Qmdi$fuT*7a0o$%=Jjs2>es=hkOuXAk_C=n6PvlkB{@Y?C{Q z-#1})Gwf%KM>_H~{CNx-XNFSE0#0B5_?uR?x%m84p9+dT-;I(#IMmWE%#F4`$?`lV z9aKF%P}lJKR_l$0UVGS8!%)4K^hB@tbud3fWDP+Nl2O>OHmDm{4c=r?h-N$7JYp1$WR3#VRMM z$D!^Bx~$~6ZaWZ-0@IL3zZ~q#p`pBK2YvnBb?bR8`(f1rqt6uw;Cu^OO% z(rHo2D(;zN+|AU!IlF^*FNYRIS2<0wNfy;xr|-U;K?T-!3t9OfwaMx$LdMh(zM+Mrfwp_l`vZ|$294{^5-BK{I!C}?@#QFn0 za-Xjlbq5@~Z{K9ipR!6%`|_>swS@w)!@ecK+C7^E4KEhI4>-8%NY})$Tbo*Kd|-^X zTJJkXv3E@jB_~%lhwyUlb-2o$8lrjP+694t3oc6&54RsY6{e!&q(t>$Q#pa%UUzW( zgm#{4l%${X>dLY&= zO=gFi7kd13y1Tj}Vq=eEvrAhI)~B`#nb$^AdiCA+^XS(vjuoafryC?(|Md7yhh(y5 zb_Mr_&AT4m5w`zO-Y@fTJKgneqnhvsS|NZHMa>~ko;)e@VPT}0o153Zf3St`Rts-? z{-VvH6tm6(3BMD;Oh%L4rL-rn-lgR;X1a9gl2VGc)?de@>#@F=DOx#}HE6Yl&x3^> zUSp~4jL>p%aoKk8l&n+$uUzyMf5mKbJv6h5yaKdP-xFHuW`)bI&3nq2IXOAE?dQI* zva+I2kDq-xbwoZp5QH>-J?)04E9nKV<=Y&N1{KcBW{ru~diA)h?qr~!xP1CxmuUx= z6RUXi)!s$P=Gu7mnk%U3IqFI!FE==(3}rnVbvvQ+ktKh{_WJy#mScbaYLFr<>+i>1 zWLR}ri}gW=n_@?zQNtJEgx=wtXc4O*J}jwQ13KIn5A-DqSC`N86kYbT{?;p|SNcLd zLRl+Kl2fPp+_kyY&DSI6FLmE=&N>qC>f2)x4F?L4RYOWh`o+Q(`S7ttis;h#{UZ1M zjFicl8NQg_V-1*&T|0MP-|iam;K749i@whbQ&pms?<{ZregD2v+6~I-Q>U2X+Rs1O z+`LTf$TU&Gm{HIbp40EB#)f|pDJUi;*3;d+t8WG)X4F~WG|`x9J8>Ob?r2=Q;r8v@ z%K`;bu#93c)f8%Nw3LbVYL};IeYp6RTy8Xj1_qaML*{#~f1j=$_&V=k z+#SN#ICSE49ZR4X?bFFp191zt#<&1){bh40{y@bhz9-nSZEuTDMvC=~#XB85Af3~F zCFa5Eshp|zl@D_k4@qQmFV9?dXs~X~-Lk4U;JCl%yN~t*^XMmXGB1M$hG*j+B?ag1 z2ek(a8?srlxW$HCL#z`p)Q*fR3p-n-=g z#UCh@Z$DFuLhO6mLf>kvLyKRd!boJpmOb?^#U3gaIxnlXvM9!SrRkMN9~N^}wKl^j z(r9me&K}&~=c}Qsti$a`yM%IbD`thhIy3o&Sd7@{&=AMV$BxrY(~CWuOb6|ML|kYX 
z3p)MuJ;Q}hfucIEEd?EB?r8;#u{CEddft|5*%z*z`CWA2T1|?8<*_3YJC1D2&+39TEQLQ@t^7)yt~c}`EgD-=jz_hJkV@F|Vgwy5$iKe;`mFlPCkjc!ua$w-^t)i`gJ zl>oPAEKbJlPJb{zw4|&CL^O2?m~{w=ACpeh%2ifNyOFwu`!Y2mB0@dOG)XO8KTiC~ z9zn++uZ~`M5r&G@{^pJtkUsa+o)em?=v&H7$y&SV>61%JF5}%t8-;1NeyHB7j) zGQj_mnuy~M*>mU4ZQi<75pVRiVyKb;xB&;+wR?AzNmKH`Q-KayywcO(zt3bv#A%_w zPDZo=OM#hE>_Ml18JQl<9Sg7%v>J?juw}3DyT3OKwq;u+&g9KBYS8lNyYt^_VG{26 zaR=}2wbIei2^MiuC;RvaBO^0~P?Dzys#gC5v8161IU)JWwv=6#)xZ#Z)|GmC_6~*i z6{lm)pRNmRs*6cAs#|2v?DM>xKV5UUXSLt!7te>x3n~jYx5v#StC;TI@2ILIy3Eli z)Gib}?Gj_gW>uw=IXJEpBX#4li9-2gv(;1wV}mE7;U64jCl#+%aP=&XhncoJMDmU8 z^0W|rxYg)ZOIu;&?50j%i`Dy+0k`F!wx=6kP*~i5pdAn&+ob0}vB>Wp0}4ixtJH;= zHZ8reES=2aVA&#v9-W21I$#ohhX`ETyi?R~#PbSdnY4Vz4Y6_&)3uVEEa)5y z;~#eL8GJryk^L@xx=NTfTr{;bRJ0JY>m%yo+>oT9g3iG!v))Z=pf)P=_P6s-8AP=~ z!fHu}ODSAYN9*I7>IN9z&8p~?kYM62btuBl*4FUb`v(i(pK$sJJ6O*Q)D@e`JjRwa z0X|y*ck226JsdR3xU1-?M6lqf&0m<>x2qcipS97gtS|~zEr>B&7*t>CNZk=T{lm6A zJ=8}ox#D>u(>nH4n=x%{df|7%3}iigwYy&G?%LN7+QeWue=l%QopH2sk-R{2*Gl_K z=y>P$-x}*VUM{4GJNHyfzwbD@_F9$iUgv>d*M9slmsc%$Z0*Olg-`x7d0_u9+kU>r zO%xUUyQ}v zfNHlBS$0$Uc$?H-PVM@lrw9J3VA!)KnrvLmmf)T5|CqMDd3i+qaY=i-mbSLG@t0RG zAsHB`90dX$Y0dIX|D0h|7k|NRXS{sWW3uOWGE02X>U?$WzMYIoW1`&rWY1qpW;d-z zTA26l-TU<5X?frew-YL_uAUod&sCvPH5)4{r8HjOq{xe|nxGxd%(j{hpCydTWKteI`i%pia(QviuTnof zet&uJsXOQC&REw2>G|-PC}$egU8JX{H@CE`$G)_j?w3o_DbzlE_%Q8h^GNH_wz$(4 zy&q%y08&(-Zj97|Ax29l+tb&#*F<=9 zbTnS}<$3pM5S6mJI)x;SEM;5UHwBBMXPhQWkGYNNXwDpEQi@lM*Uq=6mPcg_KRJqJ zAZXrQ@>8jySu#+4ZFwE_f*OfdKTs*qsrZ~-Ez*TO#+IJ2GwO7UNlNpE{UP0hgM^D8 zKXmBqHd@}x<_A!FmpdF?dcjRTGMqV}DoDHrA z1o%l~<)hnQgLN^UtSZUuSb%o+_JbdGh$AWIqDikgy=qU}7dm;L5V zNo%VHk-I=Qb$v8auRjP14(=HqPOPq$l?oPA0%5I_3YaEViLPowpzwHRGye6RxwW-2GzTEz@M|Aj{j27R8CE4e%f%q>$PaIq6rz65nbM85Qvqd zlx5m(*x^iXepLuv7w;1YfCOI$fW<^h1xBN&1U7}V)#>8$dpj6bGaTkj3EV?j;w2~<+R14S zjn`KQ8uU6W=5thvRw-8Y9M&V&)+1<+fAuZy%NG#uDf8{=?TrRd`DCYqp~98#)BU{? 
zgPw_AQt8igNp$5$gpiQXbs=vcAOQP8tdLX@&b8grD1XrK(c{P5ewXrQTTIHl4&P^r z!zyJ3oCSe^N))cT$=dsb&@u+{S@{y1H3(Pu2$Q$OyI#saqQ0x@I{9l@-hM85X(ju<{^3nbSj*`6c^o17j*L4-$fpDY{J`18se2CF}1kc zTwZ_*tpZ0ils#pLaOS-gMsruf=bjisiWU+U_B|}NaW{uLZ)qpdD`OH^)#fe>ko z0)6LsuFY5o_O)*QY|SNx0jzZy<>o&bFUG2*X#YODNFf)8zBCe|b?=uA-90@~q{g9} z5jNjj8Mrs%CKe5*;z*Rl%p7Yd;Q7p8gCypKsQlzwAv(Tj%C#Cg3Q|u>3@EG;R!Psu zND{`$5EqwY(dW@y70SR^{fAS)Wl*O2Ji95|F_!GHuh85p4}AbUYlxOQFcpxMm9@0A z)QvxdUTp%&0eYyR`|HKok%V{mHx;*vuB~}x`MgVF(>GoJ-mrzJ-quYaOG-aNFP(>) zso{F#<7OM3*S3`6{uDSY0 z9o`_<=aSSjsq}?eG8V<)=^L!Va@O z^r798GH9-iml&LO8FZ5I_^KvZ-@#Xmq7GfpGP^9}I2C1jraND?p{^rJA z;W2jwOxsR%oNE^)^?3(_2!#6|KO!R+t;09D%52~M0rm9Shm9PXZ)ES?yC;YiwQ>8w zeT;@X{Rm*XQA)*N#|y$-NyqA-nQTV0saa^w1sKB@k6r{`6&CrL6HTdJg z=cc_PF^dED`08ht|%4IBnjr3p4W&-$xm5XOZhY98sW zEX_Z5clV(mYb>-Js690WCLoS`>6O3Re@<(fcKYMv69(zc*O!@FB|JPlCMPDId3t&h z^Te!R{^C$m3K3luV`UHL<|U}4C_}GgAG@EM>yS1m<;&_DuaXjy$gd#JABWN(gDo;t z=F9eb2=`77L7nqs($kZkuU?(BcsmLdfEQ5DwTODU-|*4)M8za^C3KpJ#z3mg$();n zp5DLzm#=7)!$0KW-xjinOCAf42{_h>(W_kbSczJIWJ`%>%n7=-FXv9zMQT~}NAE(- zP%K{^lR5FZukY4t<=ZPg)}1|n6ID9$Lf)C0`wJERJgt?R4N*;)j9OpcB8||I)Pj0oqY1fL-@*L7KLa+qoq!ELY}Nx^)QLJz|@YK13t(&FcBT- zHh~@^>FFo?aqqMmkj1pET9r3mkH(sm^fchE2o== zllU$Y^W|S0$PcTr$lT`*@69jOOHqZu*{Ppzj?c|CVNXXEA3H0=g6-QozyK@mq(KYz z#ZkG%2iU07Q&ZlR`UlGy3r{O-A~%xwJW-eyXrNNZ9HrV+fJ2xcpkE0K z)e5&k_L^D#%yUgGEdrdM(w$KTfNB7sg9FJ4>97C$rzZq16fDoSstz6Cy8aJ%Nfe4> z0{Ve{U$Bj0oILY`hY#7%RnQ%H1lpg-WEwX>YT8tZYRIOXSdF!aGRM)7tfj#$;Zu!m zXF2?Zi$g1?KB%TT%dB&+Gfx4k`mN3a;dhQkwUKT!A0N21$kOoBQe?Shflh~qi zD5V(dzxWcE)Z-Q7rh$Y@ii6swK}Z9s1xw#uSKHu3Ptq;|`D77Oq_kG(m)L=G19@7y%qb>RoO0vG-*3X zkxiJ`qot`y$c{zhy_lGo$Gcdl{j&;_+pPgGA*I#(={Uy`$N~MGYZ5YwI4GF!{rh6! 
zi)*q$)%_bB!K$b}O#Wwn9J@HJXeFG=5?QHVM^rPwVnx(BD9G9e_>3b{3Kk?#`UINZ zuX>}UD<`VHY|?RQzrv;v?QTCi9JjhyxLRkDlK;Gak=XRuTk#-<@prn4She%saO+pZ z0@TNWJoTnD0Zd6-2LI4N@gbrOSQQ1P{}r>gH>uA#bwc{{_pg+emrD}Lh6x&}4Gs?G zgQexPx;%HMKy;y)>p8lvr1>IXFa$O+@_TbDD_?qs2kOb1r-2&Jty{MaE$#PnYw?Ix z3jc?b?gs6@=e+>ONnpI>5ew7=qS~E4x}EI4uR31gT^wt?izej4e?4Wfpa1?(x#jt_ zi~r9A#{X_*qc*(IFC`Au7c`l_$4$soDIp_P=@iR0V&I*MBRO@;`e8 z{~mAoU-Chbc8zp2iRK_12JOVNps{^<1KhS0QrXuB)F79&slWSzx~O~NUsBuuw<;Qo zCBiFK1GVDJlFxk#3k&^C_qks5ILKmSV*`>n??3w|xu_KmqY&%$He(%17cTshW>B?~ z5%^0;4%C*C&Q6^J0;WDFHB3gsUs7{Ohr8K)WYeZiJY(>YGaTp5D+2`xDs*Rp^0 zV>@){?Wj5$;rsXRD+(DI8F%mA?OS`a%gUtnDBaXV?S09;yM(TXeV!hhQf&ROx<^Jv z#tFz6Sr`2lEKA>`QWd4=?nIGY`1VPK{yx`dZSO(f<V8%Y78dhJ=Nnu!JqW{S~>wzS$DnvN^OlqOP+&Ufn?c97VaS65rEl2vS6V5lJUO zXcmKunw+LzNopEuh(=k6aIW*hz%gia@o2TQ+&3NpUolZ23Dxx1L}WTGT7%@&n#ydX z;O&9NP02~<2dz=4oNULBUxpK3hw7OG;zn9Bnu-Fx9R_Dl%=iT|%ZKK7@)SLmdVKLK zN%Npy)`R$14S$h)xPze)oWH9=2UQ;pTgqOj_1ecre?peZ;Wqf32#Re4qN(2jtuEH6 zE*e%W70esN?Rbc5$!|7kB43`(`*nrfEyrw z#*rgOEQcC7cx1qP+uGVPfG?9Yv*pnfl(9#kVdU?dA(|Vw?&SD*HTe2&=rUZoMX`uw z0X)i8g$P4ji-8%oVZ#Or6*M6hZPN&{9wDH4d3oJhW1arr< zhAHK^o&!GoHrl%n3Q34B$3%7SnfL|bS-d71W`Uy}KvOK7P}(!riJSMZ8}=fnknHH> zglGc)?&Gp&Nw5XDO_zO(ga_f602?G@1<}`+$3U8hpGe|(aPh2N_euga|L#)tOEF@n z^E&>xO_6_gL|if7-U_O0e>rENB0j2%1E}1Xw5r}t04!M$``2cj$sndIKt^TH7$3qL zkJz}4_RFn;y=M8%D}wFeKQioG+ON89EzK9tyGqhSm{2&b8emXfSV?fvi7Ne3<1>DT zK;M;#KYgK`$X&ktNb4%2I)JOZ;?H;=CsjD&8nh&8Bp^n)etIcP6tLyZ+qN~J&HG%P zFZbh2!1$3?O*9!9k@*YMU4Q<0m;#ENHriR30&HJaT1vrPH$qyVwrZUP7i$7R=QXNj zB9a*J2^E`+-?Z&VN`_f_bNA?IvX__FzEIShRW>KGsPD#bsNHkL3Wl6%7q6Bc4ae+; zb7P853RoDk@%%?X@XQ;fJ4uzon7B=tOknU5fpOWGm@ZiKR@8vhC1Qaw#pK=%MoEjm z)%u!D3m`wVo|aQnBDUja*;JAhAsNfJnF8TLn69y%<07r21!gMY3Hj$l5@}U0F__`A}NENiye@Gojj#}<3?m&em);iKb^3>;~C4{R4Am0N2LP#Cwt0SlGi+;kWHnVc`FbGA~MjEJsj6H!99Wr|3{Ir9qMmN z2_;Jc7&;zW3{l(cIB*##HNg;xh~T@OPB0d^9eb=fa-sH+Ll75iNYj%%edbI8R{!Me ztTLqD3L#Q}koPI`<4hsYQcg}TK)@`7TQ#HU5~R$ATpKfz!yvpMcdQ@*ob%XF$v!fr 
zw)D+gKb#D)I!43BH0R!A2y9i4qDEv7$u;AjW>vhDPB*IGR+7A(=I*gS|1H*fZQxh! zeJol(VZ@IE|K?utT>5X|um2t!i!zmXhDNm~*N7+7YA^ZDuMZ~QIXHQ17NJW_DBAx7 zZYzDSEPq0o|3aGfe+k_959NFRyRPV8caHXis3^Jf@$;qN(o{r=-)><(z4{yZ9Ss-r zT(RbJ>9wC}{$nZQ|Cg(f?}u1SGOrTP*;yd-@wA`ZN~At$*>K9Ict#knlY0I9gw{f0 zF4>ZKx8XukP7(?LF9=jkzvWA+uGQk~Eo8#Pot>Ta7yfU+1xcZd$Yp5TM4rVS;Hr}j z6-ff~9fHvEJmZ<7-wCZ+(e5JOgdk$c%F0?s6^Z(Y(%19t+e^3@qC?5# z_Mcz24m%8~AH`h(pGkrkQ!1?hDIY4P%Ggp$^wa$rfS&kF+f+qYm(u+WAm{;rs24it zGsWo?I$P_7EIF>s_qlzZs(Kx|bnw*ex1-u{jB-y+wcO;-pDbf5b-FS^G*{_h!6+2y zkM_&3@wh^C&|Y}4MT8xHjK@v0q|)*lhGFPL>qLaMKuw||*?aKd!HSHoV$TG-sopa0 zW1eX@O0WBk4h+QM23w+HK7y_@Q($H3x4Yw2@=TlNOJTkz6WDfe%xAo}B{j z!VlzhuqlO;g3DG350#R?0%KO#e!3blam>k|1_gLw2wzJ;Etx!>qqTI(r8OSbzj`Gtfj>r2<~8`h1s=aYI*(gC2sZsqLDxf)Ah{wtZC?U<&H_ z+n?^-RXWD~z;?Qqxj`^Z{hYgswgHOJ^>#uT;=#ZSPyXZTN{blOMF<4jz!veD`>F2G zVBi$(gQdgAwBKcA-XLh?*io6Aw~iIT9@s`Hav00^>rSK0V9;o(?l2UK?S*-H>%DHE z?R+@l1f=51^r5_bC~j_|up2V@@4fR2Ln%*DulECn^W*LewjSWGU>5+p?aH6);JNse zRxb|==OQG_r#2mS#lLOa##f%Ao!^2mWq?1?NUcNBIrf8!dp^^KvHJn643=5Zn>$_Z zP@iZazFovda0g}#nCZ-SXo}U$PD9Uh-{;hsZr~{g>_gtK-vTxL>F3}xfi42Z^(8;B zWZaQ?*$2m*j{u+H&ce=95OHfD5k4P6f=1M!+~zbgFa;djjlL3DJ<;JhfkkA z{kCPxlQ}!wqd-x9N3KnkDt3t+R3}|<0y3yi(cSjpk4X-LG~ryqi=Onirbk)@-i;Z4 z|LDfmf`EwSFP%ShAd=_@iRniUBWv^#Okd?>9R{TWRVi&P?(@(=vfcFPe%v~0H{c#5fBKn!6S?8w^K+A zT*HzhjdJs@<6&SI0g?wW1NyyBv|aCXm;6boh0v;$Ykf8!!_v2Nllbtwt3h6U|-*lz{_;79Mj#E2jka zgRkI@nHS~Uj=(O0ZiDGnB6T$pm-zH6_K9D((2s7SAM*C?S%i;C@%jM}aNG z!Amc}$NkH(CyE+`X?Qi_)>ak4XH@WQN`SsyPSGR@f>o~s>w~28aH;#bZ+OvjrjSrs zv#CU31Og=F4o;jnK|0D*PU0A!MIPcRFj@;Mi(|Wy z)CDb00LF8(cO?rk{dwY9F%+@2^u`M=F>nuW1Z)WoMPd;_%QGEm(Ds_3Q4{03dv@NR zbf%*+A&GMx4xI1u_MXs`MI}&7ROKS}FcjTJ!1wO{{#c^rkz@zG%)?GtrtZvi6PP;> zCja&I0v)zuosLsaiN7{BmV&;gfI?r3YBgLo@+DOas^bIFu5iZ*D2rHReyCYd7<|$_ zs3g@JEb5{yA|kT+x8Gz_uYV#O4@2~^IR;`t>4y(uNP%afyOH0&diCl;XI-83%%Bnp z3*cab`R&`XD9L=*!>YU4RjVsNi?v8B9GjI@Hta5GX;?7o+?mTu^HVJd<18&NE1{(I zKr_V>kpn5MtYbyNh#;|Nn3k{D92TY#cgvuFO`fcS)ffrV5)UoX+K$*u_%sPBIis_6 
zKR0pjBzy-`Tt-RICE}82MdhZ}Op};TPxcO>QPp;x8$}gh-~VNHwEYZ4(sSn&9diT1 z4vJ9{yQP9o$zflT6fKr{EOGtq&=sQqSBSz6LLmp^ltd56(uGQ%n!p)XB_POQFB*uV zL6{6~M=Z$6+S;1G^B!20A$Ckln%)x>yrAJef>)L_z%zx=n8DN(8JO9zPEHCEa+w9ID-P+JZabNG{qaW_QdS@z>Z!9InwnHd zmV4S()B^(X0QM-?#`jechyw5;LT=~akZ|_iFXlEjq$DbaUvRT6$L~yFv9gGSn?q$l zk#V!C)QmR)E!E z1v#H-0~4_DU4z5oXBxmn6;K|0m~iqe4##syYykh@elSvy8-Bp2TeNlUycQ}0B&SM& zVsp|@QxS*8@W@aQC~uL^Hii1ts3uP}si^ zdho8W$-g83%kLk5$7IUDB5MK+;l)LQvya7P{geSrPefc!1U@5Y)rhL-{~EcB0frcv zk4>iMjnKwxf#G|Gh7wTqU&LfxmIuB-h)W}PiKV%__N4o%6z0A&lhf1gGyZ~tf&nAU zN5B5rY9ZnNPskW{Z-&*7veR6<4ao}u*Tj&pbS+W!Vf8i|9%g61LJE!uY=S8lXN4#U zW*eKieRjZ>FA{bCNPt&^LK1Ua#=KQJvHx8oisbi-uC6Xd2!*&Z2?$+vt!9N}QIN9T zJOaT+0-!n{>J^E{1g_5_Nsc*(sa`1{t`kKxT&YE#3@MOs4RHbk>&G2l3<)nY=T=pD z6U_n+xpC|3q{-gO1Sly*ryn_uf4!%itZDRl;j&x5(`gi!z(_TE;`yM9j(DU530lRs z5B$Xfio*7EKhH&Y8$^Dv`~H}I$CrprBX`_5ZO0?o)zbRWd#sIs=^s7gd^y%1Is%$s z+^mlVpMikSzH+$`QmLH4SV&xUM4vBFGn@OJlflk39Qq*|4ho$gy{OEN9XmE`+7uJ3 zjZyq+=L=^N3F}yNuvpuP@AhN)b3{re$J7{{rk}N^dR1YgH}OJ@*cbZIH0OmE+Br${ zfPmG5&XI9LOspZ#84@0e)M8!cprM|A!ie2f+cnTf%|Jd2?lb@A<*np!i(JG-BLp!p z<%+;Ximz{~S$rJ>zCd|4>MnVP#!`)vIbC$X?6|?_ph4h-v{4T9QD~pO2PQBhHhQ5p5@eZ&mWVwms? 
z4%Jt0+t^cqe0y6Kfz}4vZ94hp-oHUg1{gPn7@jl3$a$i{$`hZeEyfVQ&c}0C+qazvC)$#JB`xZHWnRdOu@VdzNX>I5twLwvcPr3P zWX@O*%OZ7dIoVAShOUKaw@!Bo;58yEwj9b4k@^r3Ah`r6P5t+Gh+Ljde3Xo+T5(4!&>#bBZ6$!A>l5G(KG!_S_!~%e8kIhfE1`lzxap#eqA`6$103*p9 zJ{%{QVtU{+*qW6hA0wS~Z~dl0&@6A{r?eeL_y{n!Um9|Tzzu7i*x%>_ml114vB@60Y*T2|)C zGeqq`q%48lAvqNzW9B9agMy?8XGYsKaJ}*<5;LFAjJ?VlKqL8hE3`@yNFlr=q}Cizh|jqGGFA?kfNO>XumB0LIn6d3JZ~h5(bqzjY~92@-NAKt z_n{=Q2;cFEqYoAN(`hMMX|y9h0b6Z|927*Jnj?XTYj0PhSIx#gcg4rgu6h>kxWE3l z*h8OLShxRk`dMsT(=KuE+5<*WQPFWtWe1(3<6ic732^+C>%_G?d;6c^yVh7{R;XS6dg#%S+s-bULMj*jyv_D^N?+Hzu609+`LhNL4>v73HL3@Ot+PG*z}1xy zug2w_R4O$C62yn5IaEAV$j|cF4Ctx4{aWc^E5Tvhnuka%8rZ7bkD zm4EwJ4*uGIM~}ZuA>w zS+h0`-_a6wP{#))%uesc4-_*En*J0h4?3f%D)`!~1RJe`K8g)7bo<{8vBMg?@T=?3(s{cPCVmsJF#`@P=Ku zbLUPC_7HNkiT(YC%*T%HwW5#_mt{W%WggLHXdxM(Hd~gjC6``LRo$Ah{rE5X>1qUd zXxn~!5Po9KpnjZ*2vB)bQ)OSTwEN`?2f~0^7t-UOUn#$>I!sw2(lG~EXVn5e^aE`}i?M5=2GT@MepXhptJ;JM3wu|6-@Ex0* z#4MH-`jc0P=6hF{6HT-U-XVJcw(l*xN4% zC!Wmu@5Er_W=A z+|lEh^P9F|6o})6Tju~X7>ap@nDwh!BgF5o9QB?lM-)>=c*X}KXfQ$^4#A2TY4iWC9_)v zP8VSZI7!>yVvRTykeIZm@azi&u*SX+7#wDs##V7|U|?XOwR0u<&6`upT@0($V6D68 z=#q%f2eap~n;WFMC?*P&dcvKUC`2kDAs~8TdqZ#)V63@YRa^kgngVnn(=4)~2dbP% z6KtE!Lwd{$4Yjtej^uvYQ(zzZ@+i_-QW)^PlTH244 zT4H`G)06ml}LOWMg)#KsxjqD)X9 zfGq>5aU2|qIjj5i-E)8cIP4MPhT_o%wW2E%J0SW>Q4z)D)4Orwa`QP~CIWD9yhv72 z(T9mB7-iZ8Ux$X+FtJV(pY{gejDZKvEnq*BoYmXZM&Fs+B$p-`HDq&3~^+8W`BSMq&(hrT-IxeA%0IN87 zLc;UpFg7Un3=YNh4prI0$t9AY^WumAVGw|`5*D>ErBMu13VWo5u$ z!NeRNN_>V?=<&mc&%wS}7*4OMPdAVOP}3w4KB5da!_BVB#I2LqBeW=~f!nYec-2P^#U_b^$>W8@qRMI9QahgBDMXw7XLw;%zrGHppyZvPD3;_W7d_|Rs13+l6HhrLT9vG0hIg#(A)z`u_d9B6713S;@IaY9x#&F*JtLrrT8zt^;KpD0#+6E9#sl zve3`ygjk~dZ08eV&vNEZQ;A=U95HydOloTC+DVFd#4gAgCJ({7+FG)7zzQl_W)Z&~ zKnb@Wi1IU^e(K>tvcs8pG>D$Qemr7Cg15ikg(F79P5DQp@qruoIi1X%K9Rn7cx zci)QSXadv-n?w~V1dwQ8a3h!}L~X>VC*pRsjf{-4JH|kJGz>%ucfoxi;F)tPH_faO zSUd%++z{Fv$;ptpLrLqHsG5TyPIiyTkFV>AuTIoV+>joBVAQZnE3`@yttLl4FhoSD 
z2Dq*VNl5HEh_wnutp?vmoMv2Z`RC6kiWiSk0C#aB;q1M^jyHEALL5d`kmC!mtxGr+f^d#JvJ1PAYDL}dXn27uk%b%CgAa!?W`vUsgx&a}Mj>dTGpRRIQQNTJc=-T+gWqHOARg64C0A#NO zDj%`*7(IoKP>5uSQWS&d6vcx}ll&0EA4>4EICKiy1f>aw`s0s75Z)-%r%#{4c#S|i zHwi_5r#o$a0WY)4wnK1HhPz}@;ZFLu#N+dv?jA@LLj}r2R%sbd8`0;G6AH&27$S2; zh@?+`O>5uW zzf!WM8d4m!xXmf8zgGHsmuX0R16j5M_S+#iFdse2dh{r^79V*F$*_@ns*RJW5Q_i= zY+AcG_B=T+CPvPYYP4eM$6(90--)O`VDP1_?fHurv5;Tmu}#Uzv(KTTDd;_T%#S7l zRz4U)q*baNPH;`L}M^XbP2?q-M z92=aLgR*E3V2+Nnj2drxjU*iL4ycidiR?ts!lNZp;m{?TbdZFLuH9XDCh8f6hcz@> zg^CNDKX6i{rKKMXT1;h|wXIvVHf@V|3Gb*y*)^7y4++UjN@^T56qg2+uPf7 zD!yNAGGO@U;X~4^YDmKmU0njeo_>bD0kQlTFeA~<-f^3i7Cw!jC@jRpMTxd#9c^M2VH@;++N+}ok%pX7BT*?p$QlCHvO4S~ z(X2UdJ7GN#E2SF=2h;@(zt`ParWk{;NVaj; zhEk-W{u_a;7+(t~kc98Aiye`AB1#b!77>MTNStH`G2XJ!6mOWBr4X;Pb9E()ScuTH z`f}+}H0S5%ji4crdY)r7WImkZ!UIeI6%dcP5hn_la*B4+4v`;c$yrI%?9EHghg|Tu zf>;zL|4Mx@ISqrOA~6Vb zRS+SckdS2T={U@;{Hy|pw#%{=(V(drF00O{b)R!ab+YUhKDHCkfe+?|V{@>aZd5Ua z37T2^!UB0-0_jO}Cr`eIGCqxMOime)Q{o^~TR`Bv>db56!_A z%Zbb@4q}jlT7#X1g&=bnMukl{fXakfP`GDIPI{3xj%8=`_U<}zJ0Z&u^sR`eLNp)jV(gD22Mz=} zI>mduH$rzNSywc}(x#@SoThvE`S~;6x6$dvFJ02`v_o=$*r&qi%H+WlU^Lg9rcM4O zg5q1^P|W}ho@3u7Da^qM$OP{FR9r0Cd>|S&mS}NWU|^`owO>*Au~y;`6EViAh0JB? 
z8CHjR888GCu9t+LsHv%emsU-@smQHCEyY0^MI;mJbv=cn@7|>$k;CGx&+_-VhQq_dq^YA_3}*L*@Ff1+B`4M1 z=!*Y-jXy9ca2_vp_*q0pN0))Cz*Ei=Y4~dTv8X5>wqZ+_S*Vq|3sN>Bt4kK75^Pjl z65aDe9EL49Cp0}*xGLOP3=vuU_uqft&~j)urupo|9VfLJ>=(d#`LA7D_#)Q5%}>Qc zG=_8;ed#uWk&;J(xrX$?^(4MIK~1I`MgH)(b#kYqR$&(F*1tFU90w%zW2%IS&c($gu0@z7&8`Fgl0z&%U>gXaD{<6z4sI6VHF$cAV>qm<#*hnvfQDA=R-l{B7~S zr3m-+-oq0V7#LDAGI)h2OBltq$YV@#9bxCI48atjAJlOaB4eQ%%Y{}&>hjmGU*A9X zEk~k~P)VYbcNPbowzvqoRBp5SpGk##($v>J@v%T|?&&XhY6XP!i^;QugIB(CO;cqD z$wAsctY87CDFGhJ=Iz@XacI&%Mc1QnJmcU20i^|h1;Li2d?Aqq#UAyHyz;WOBOJ$_ zM_CPTqah%tai^heJq(_Z4kVi#?6;>V1zLS9OiEs&Pq?UKdUQ?sp%Ka$ZPxcf!{PS7 zf!VYRckR4f)IGig6 zsSlFbi{OwqI%`{ddjp6d(A2wy79`R2xcz;oRP*8hQsx1RC{!RiqUwGHt+z@X)-sM~?^slY3Z}wd!6V2>KApr0V5Rs31+i1?zdhKy z3y%VU%R$NsEcSAa;x91TiID;@JA_yh1f+C8^+OaghM;l8Um(^10KOt@Vz^40UjxX2 zF8F+q2tGj0;BawS6-uePVGwhXjlaz4?H{Lkr>S$jX5C*Z`c8Ck{hYd#Ty?=aP-%bx zhN{S+L(I4N^zU1@)%fwLZmSS*=h(IM5J~r9N0F1eBvb=0mYk``5hBk( zAWkfa2O(_Skv7`eKpYE{777(rmBfO(hn!w<=$zZ$!&dUnB!H>ZvY2u00+0J+Da3;9 zc=T)s6RS#hK>#XhSZ_CI(Q_skAkk<09J`-gLLmqz(GcvIiHQm0X70X_-@s?!?wS-7 z<)$88`>@+K_^{(hZWM^l6sn<^F_8x;u~qK_VdW02Y<&9?@g_)5r8Rw67jP-GUk?6^ z$k8@Ex3>q+z$JVc6MPh#wpl$2;LllBjH5h@o2XZcARBdU+y*p_dI z+JLnT)R#gmUYmXVAp{M`XU%WlJW4iX|?_~2%Myy>u%|6$EMX3M(A24$N zM-M_#a_klwck>QMDP5J|#zx)JoZBoBvE|tYtY@0zp7^EfZ)}v^y>~JE#M-G@^OI`q zdnD!duG{zR(}qH}>n_*j{O)w-eN{N8vo%?vUXQH9v)hTUmO5Z)F6Vb!NBCwF@eRXl z4;h|yyCz+Z?l_w8aKxT0#9cf7eUbi;{&4pm|MrxarWIwDDiMW{xad#ojXSdfyjlec zqhp)vb;Y#^!jL`EyxVHs+xy0!yaer&#W&3S;8h-S=IuJ6 znr6MCb((^T*kwl&8 zZ;e~TwT|Ee?k@hbf7@G*twuT&4Nqp1$s8WRh2$)Z{J{Gt_wW-#_c8_^siiy!tsmCr z<1I@u_h{NEa(J7m3Pn1qloum-_u+u+yaA9}maE6QbXuCO+fr(&dUjI(}__VV)cqJA5N%heLzn!v$&c<9ZPz#ol_{ls)B61z`^T z_bdBm(#$?-9{yk@W$csb9BR)enf^MYsW+lj(DA5LgXZwe_43E|V*|!HD~)`i)>k;^ zbBtF*{j3DJwDzm*c{(63Ud7KAs@wLJ?v8qa=($ZYTFOs1N7WZ*CLFa)VD+X*NLJOl zSN3I&%2HSIUL?=0LEaA5qY)`SU%OTJ$D6JOI9cGjo9 zOg|{;>+a4uVIG~vF0ZtA(UD=Q$a}PLY_%gX&-n+V($IEhquaTwBM&C1X5zl7tN+*D zi?Gj+;;Xv1e9@urYA4oD+mZrfdgkR%b^Td8r(No=kDCTu)fOLgSSxjn;^DKv2n#&))Msk# 
zV~2IuU+td0?LSU`a{}UJE_U_r6wA^%C9#^K3XJlk${+5JE zCGC1g=dJDi;&Qi$>;CKo=i<(lzp+n0&YEjGZH<2W)nK30{>)Yq=d0e<`_P2c} zUJEW-_GYQ>@q5)K_2Qty=|F&L@;|eL33Y2@zdrT%+;3>3omW@&Ee_*bs~peoZaHn!#T9<< zRz)tHvi1L={Qp5QpG{aRp)>2&n_*icpQA%QJR1DT5naMAmgpSmLFl7yM9&oUN!cR;OCZx zQJbDG3R(}GftYDh%KI-A=)2%h@#?+6#9aFSNx1H>^YLCgXDyZgzei{O%j2bLFK^ja zf|3!#AAWE3hMeYk1(%m8r!7stSGD)>CV9QAs`IZteJ{E;E%{{Cv&#{>bw{1=_hzs7 ze`MK%;r9$); zKbK!0@hE*d$S?d%laD58K3sj`;|2rXzZ+M0?|82>f2#(h|EJJC>FY)EoUG?SFThKrDiR2jb%uf(qDaj%HFl0%H=h< zMtMGOC9v?L|-q(*3W8pT$y9DPOp%g>MOJ@(Cq QV;;zIPgg&ebxsLQ0DV0yr2qf` literal 0 HcmV?d00001 diff --git a/docs/documentation/server_admin/topics.adoc b/docs/documentation/server_admin/topics.adoc index 2cbd1ccc961..ae774bae247 100644 --- a/docs/documentation/server_admin/topics.adoc +++ b/docs/documentation/server_admin/topics.adoc @@ -47,6 +47,7 @@ include::topics/identity-broker/social/twitter.adoc[] include::topics/identity-broker/oidc.adoc[] include::topics/identity-broker/oauth2.adoc[] include::topics/identity-broker/saml.adoc[] +include::topics/identity-broker/spiffe.adoc[] include::topics/identity-broker/suggested.adoc[] include::topics/identity-broker/mappers.adoc[] include::topics/identity-broker/session-data.adoc[] diff --git a/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc b/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc index 251a4b18e00..35a67278388 100644 --- a/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc +++ b/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc 
@@ -14,10 +14,10 @@ The *Client Authenticator* drop-down list specifies the type of credential to us This choice is the default setting. The secret is automatically generated. Click *Regenerate* to recreate the secret if necessary. -.Signed JWT +*Signed JWT issued by the client* image:images/client-credentials-jwt.png[Signed JWT] -*Signed JWT* is "Signed JSON Web Token". +*Signed JWT* allows a client to authenticate with self-signed client assertions. This enables the client to authenticate without a shared secret. In this authenticator you can enforce the *Signature algorithm* used by the client (any algorithm is valid by default) and the *Max expiration* allowed for the JWT token (tokens received after this period will not be accepted because they are too old, note that tokens should be issued right before the authentication, 60 seconds by default). 
@@ -59,6 +59,32 @@ https://myhost.com/myapp/k_jwks See link:{developerguide_link}[{developerguide_name}] for more details. +*Signed JWT issued by an Identity Provider* + +:tech_feature_name: Signed JWT issued by an Identity Provider +:tech_feature_id: client-auth-federated +include::../../../topics/templates/techpreview.adoc[] + +*Signed JWT* allows a client to authenticate with client assertions issued by an identity provider. Example use-cases +include: + +* Client assertion issued by an OpenID Connect provider +* SPIFFE JWT SVIDs +* Kubernetes service accounts + +Before using this authentication mechanism, an identity provider capable of verifying client assertions should be configured. + +The identity providers which support client assertions are: + +* <<_identity_broker_oidc,OpenID Connect>> (support for client assertions must be enabled) +* <<_identity_broker_spiffe,SPIFFE>> + +image:images/client-federated-jwt.png[] + +* Identity provider - the alias of the identity provider to use +* Federated subject - the external client id for the client (value of the `sub` claim of the client assertion) + + *Signed JWT with Client Secret* If you select this option, you can use a JWT signed by client secret instead of the private key. diff --git a/docs/documentation/server_admin/topics/identity-broker/oidc.adoc b/docs/documentation/server_admin/topics/identity-broker/oidc.adoc index 06894528a1c..95d7c7f8c5f 100644 --- a/docs/documentation/server_admin/topics/identity-broker/oidc.adoc +++ b/docs/documentation/server_admin/topics/identity-broker/oidc.adoc 
@@ -85,6 +85,12 @@ If the user is unauthenticated in the IDP, the client still receives a `login_re | Define the query parameters to be forwarded to an external AS from the initial authorization request sent to the authorization endpoint. Multiple parameters can be entered, separated by comma (,). The parameters available to forward are any non OpenID Connect/OAuth standard parameter or standard parameters that are available as a client note from the authentication session. +|Supports client assertions +|This setting enables support for using client assertions issued by the provider to authenticate clients. Validate Signatures must be enabled as well. + +|Allows client assertions to be re-used +|By default, a client assertion can not be used multiple times. If the client is not able to retrieve a new client assertion for each request this option can be enabled to allow re-use of the same client assertion. + |=== You can import all this configuration data by providing a URL or file that points to OpenID Provider Metadata. If you connect to a {project_name} external IDP, you can import the IDP settings from `{kc_realms_path}/{realm-name}/.well-known/openid-configuration`. This link is a JSON document describing metadata about the IDP. diff --git a/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc b/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc new file mode 100644 index 00000000000..f8f34a7ed41 --- /dev/null +++ b/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc 
@@ -0,0 +1,32 @@
+
+[[_identity_broker_spiffe]]
+=== SPIFFE identity providers
+
+:tech_feature_name: SPIFFE
+:tech_feature_id: spiffe
+include::../../topics/templates/techpreview.adoc[]
+
+A SPIFFE identity provider supports authenticating clients with SPIFFE JWT SVIDs.
+
+.Procedure
+. Click *Identity Providers* in the menu.
+. From the `Add provider` list, select `SPIFFE`.
++
+.Add SPIFFE provider
+image:images/spiffe-add-identity-provider.png[Add SPIFFE Provider]
++
+. Enter your initial configuration options.
++
+.SPIFFE settings
+|===
+|Configuration|Description
+
+|Alias
+|The alias for the identity provider is used to link a client to the provider
+
+|SPIFFE Trust Domain
+|The SPIFFE Trust domain (for example `spiffe://my-trust-domain`)
+
+|SPIFFE Bundle Endpoint
+|`https` URL for the SPIFFE Bundle Endpoint where the SPIFFE servers public keys are exposed
+|===
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
index 8ca92bce3d1..aacd84c2ca2 100644
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -936,7 +936,7 @@ custom=Custom Attribute...
 keyTab=Key tab
 addSamlProvider=Add SAML provider
 addSpiffeProvider=Add SPIFFE provider
-spiffeTrustDomain=SPIFFE Trust Domain name
+spiffeTrustDomain=SPIFFE Trust Domain
 spiffeBundleEndpoint=SPIFFE Bundle Endpoint
 permission=Permission
 saveEventListeners=Save Event Listeners
diff --git a/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java b/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java
index 165255a52e8..c695223a968 100644
--- a/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java
@@ -26,7 +26,6 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.sessions.AuthenticationSessionModel;
 
-import java.net.URI;
 import java.nio.charset.StandardCharsets;
 
 /**