keystone/releasenotes/notes/bug-1809116-b65502f3b606b06...

20 lines
990 B
YAML

---
features:
- |
[`bug 1809116 <https://bugs.launchpad.net/keystone/+bug/1809116>`_]
It is now possible to have group memberships carried over through mapping
persist for a limited time after a user authenticates using federation.
The "time to live" of these memberships is specified via the configuration
option `[federation] default_authorization_ttl` or for each identity
provider by setting `authorization_ttl` on the identity provider. Every
time a user authenticates carrying over that membership, it will be
renewed.
security:
- |
If expiring user group memberships are enabled via the `[federation]
default_authorization_ttl` configuration option, or on an idp by idp
basis by setting `authorization_ttl`, there will be a lag between when
a user is removed from a group in an identity provider, and when that
will be reflected in keystone. That amount of time will be equal to
the last time the user logged in + idp ttl.