20 lines
990 B
YAML
20 lines
990 B
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1809116 <https://bugs.launchpad.net/keystone/+bug/1809116>`_]
|
|
It is now possible to have group memberships carried over through mapping
|
|
persist for a limited time after a user authenticates using federation.
|
|
The "time to live" of these memberships is specified via the configuration
|
|
option `[federation] default_authorization_ttl` or for each identity
|
|
provider by setting `authorization_ttl` on the identity provider. Every
|
|
time a user authenticates carrying over that membership, it will be
|
|
renewed.
|
|
security:
|
|
- |
|
|
If expiring user group memberships are enabled via the `[federation]
|
|
default_authorization_ttl` configuration option, or on an idp by idp
|
|
basis by setting `authorization_ttl`, there will be a lag between when
|
|
a user is removed from a group in an identity provider, and when that
|
|
will be reflected in keystone. That amount of time will be equal to
|
|
the last time the user logged in + idp ttl.
|