From 5456f0ddb44f8b737c5655237958ae8ff4f05366 Mon Sep 17 00:00:00 2001
From: Russ Cam
Date: Tue, 12 Feb 2019 15:46:59 +1000
Subject: [PATCH] Remove adding role claim to SAML attributes (#260)

This commit removes the details for setting up a role attribute. This step is no longer required as a change to Azure now 1. sends through the populated user.assignedroles against the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim 2. disallows a user from configuring an attribute with a known claim type offered by the Federation Metadata.

Closes #259

(cherry picked from commit efba4c42873ac2927e2dadee214370c696917e32)
---
 docs/azure-arm-template.asciidoc | 22 ++++++----------------
 docs/images/saml_token_add_attribute.png | Bin 15009 -> 0 bytes
 2 files changed, 6 insertions(+), 16 deletions(-)
 delete mode 100644 docs/images/saml_token_add_attribute.png

diff --git a/docs/azure-arm-template.asciidoc b/docs/azure-arm-template.asciidoc
index b4c3c85a..ab39d6b6 100644
--- a/docs/azure-arm-template.asciidoc
+++ b/docs/azure-arm-template.asciidoc
@@ -1135,19 +1135,8 @@ upon successful authentication
 
 image:images/saml_token_attributes.png[]
 
-Add the `role` attribute to the User attributes using the Add Attribute section
-
-image:images/saml_token_add_attribute.png[]
-
-with the following details
-
-[horizontal]
-Name:: `role`
-Mapping:: `user.assignedroles`
-Namespace:: `http://schemas.microsoft.com/ws/2008/06/identity/claims`
-
-Now, the role(s) assigned to a user within the Enterprise application will be
-sent in the SAML token, in the SAML `role` claim.
+You can add here any additional attributes that you wish to be included as
+claims in the SAML token returned after successful authentication.
 
 [[application-manifest]]
 ===== Application manifest
@@ -1221,10 +1210,11 @@ Elasticsearch, for example, the `superuser` role, etc. Each role needs a unique
 After adding the necessary roles, save the manifest.
 
 [[assign-users-to-enterprise-application]]
-===== Assign users to Enterprise application
+===== Assign users and groups to Enterprise application
 
-Now that the Enterprise application roles are configured, users within AAD can be granted
-access to the Enterprise application and be assigned one of the application roles
+Now that the Enterprise application roles are configured, users and groups within
+AAD can be granted access to the Enterprise application and be assigned one of
+the application roles
 
 image:images/add_user_to_role.png[]
 
diff --git a/docs/images/saml_token_add_attribute.png b/docs/images/saml_token_add_attribute.png deleted file mode 100644 index 4523c2a20149810bb458e58c53333b60fff56d84..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15009 zcmb_@by$>L_wFbviV6~fN-3x`h=2$Ps0<-0-6`GOZGnV1i6Lxaqj}cjIRC5T#b;J|oBL(N^r4hG>@vV+&69}j+T~|72wU zBjYtCinuYMlb6Ifw$28`m9JqvSbNnUi2Wc!R^8~R&XR*qR}{TNXk&v8R_u4a|D>U$ zYAiZK$L+FkeQU!KwR1{ZvXzd`X5)7b@A}^1r7`RXLisAUIBz?=-obyR`9h<0JBa80 z%F__HlncxAOG9H>)#vOmn`Z;CPNK_!H9@9USf~6ewNar}+K<+`mhVXf=j^}<73pW$ zT<5k7$F#laLKxZD*f=>m?8CFOv6NQjH%R<;Na4`a)7!VWdGB7h+rR{KZf>rLiHUCR zP9QI4Wpi_hxA7J0J!3+0QzzqZ$;n3t>+Npa%Y}~DAF>Pmpl^6zw$t-ch@NWXfjGW+ zoa%8xQP%Kc2zTs2pR-}yK-5x5Wm0_Qq}lO+Rk&Afd9lG6=ddCk4b)Cg*z3${rGu8Hghy(7olEHIDuOq!Uq?qr-mI=;}t zl4Nsh>%nYduV6*(|CZ#Us&8`rJkJ0GV^%88)M42 zU*_yeM|`e9&{ap>KhgR^l&BMX)tKl)nZ1SHPuSUq%OJ&a(Gf=1+@8xPO7Q({2<_6zvE{wmJ1{XVz4I@S4ggXs#+JzDX2+ z?msVpT|FB>Dt%zf-N}FZ;sxMDx+b9{vv@vN%HUULh(E;D%?XiVeA+A!TK#ZT*l3mJY zUv~4St6rw3`xMk`E{pR9LsBk2@31<9otrGRPrG?0p#nSVm z?EA|XuEpr?&15q#cTNS#HDvBdEumXn<^(M}7zbZzED0{pRZFkd5D6c2Neg?weR~QY zKR?u9ZL;Y+IqRjfr%Vgg5<7D0FwPT!)zuGUr22mSlF`;4b)tt{J9q9JauSQx*4Cya zCl^EBxN&2qJudFP4PBJ;#%#ySmoI5OcV77>KaaYnSAT(y-(kMHEk;0fMn*^H2JtNh zhB!gDto6vRnd>BJKTsfBJF^{ z^=<4xbG>LQTda8u9~`G$rl@jtg1pNb-scp^j9Bj_kzGmH^w>yuGL2OES({n+*)piT zhd0!M*STXa^5^qFqb--Wb^Gm}>$X~ZwG_RpUT5dkuSE;uam-{wuuU5N`BbXHVKucP zF~1^_%jr=bt2h~%to9lY@knps=ITZM>hw^z32WgCDl4wf_sdQZo?a;4J{#b)`lS~0aq*5E2ezce#cY=$6}1*x z5m08bpGf1cE3Ec<+UQiPOR+7sK}_I2q=T8~q4$2_h_fLrF7$08P81V(iO>t;rEhr- zI~!^nul44BnwhoiU32=T9b_2`@R=^Kr%ZQ^nrg%;wsy19H<4l=S^=!0LM!tk;1y#7X?bo4^_{QaMrUDjP@wfz4WE^$h zbya0RgYm@TR(HY zBci>X@ZrOy-V^KH^3op1huhxX-VoEo#KcH4N=g|+8iS_w|gVp1s$6;=t?sy znuI(CqdYBGI68~DhfAHidpJVbu=jNCK25M%7>p6bV;iKtxSf?Q(o*WUGo!Y?z=6C; zaMp=fn5xJfUp+5r-ss4Gn24Uvw9;M9DSs=g$gGsF5@saBtf7au`!IfvsA7eIuJfKk zkmvoPviym?cEN*tB&XlnnG=MnV+wvnN?nah`MrCnJSAl#k#s)B#ZQJedRrfu6*np zA&iX}Lu&C>RGVjewKu 
z<|~SaF((Uja>zd1f#D35<>sLd2_0-Ih!;z#8!IWpoIWp?ndB$C9<-J>cwp77CNwlS z&X(P=45ipbyDB>67Zpdpq2(hUDRt(C_|Z@@vY!K{>LSI&#B6Lh>rp}R(lTDJuZZoNCr9@ zU2+J`xb{XdLR)a<>gHNd{;zX)_4368elER+yxB=n{uOfr&(a0Ja`^T$;CI|^1KTpn zzYgASC2J3?un5c<>SP(Z4LQ+o+nz4nIkjJ3>1esG+uI_6EEFB;zmsmYXm(&3kI8AJ z=XOcQPMl}iK8Wf_G8;S^vu;uip3nxI#FRQKK#(8GTs@VT!zY$9mgQNr+R(vKYsk+wHz)PviNe(7V9T5+R9U2cQs+Z-ztqPF>mCda$4%p*-{D*bfCNH7(O3=O6N_E;!5h{CJvGAZW#`Rb#^3_67;E!n<6I1 zE?(8|j_J~HX~uL6&@axZQv~NRnK!uUZKZeHJH78OE6Jx}3eItURrWccO96-=P%pc! z3yVwCeG}*Ab3MjO#8JE@Ma#M=({V!5g$`52g}kWGZsxsby)FY`lKs^!RH;xxJuc1U z;w9O%FTeAIXkXF8@G!t!sjd&}@>X!9VWzc_bE1EMmWK((;PP_cGV~(ll3Or3^4gA3 z@?0e)DuU(L09Q^~zDTx-?dmzltqZ!On`{>;ijszVG4^CZa{{()D7L3+W^Drk!3kcK z_HO1?*kspkXT#AZqC`nd+}+u%Y?voP_T_|^*19v^%2&Fv0&TNoIa31;bOdLOVqPb! zv?)M!m0!@M^coOeNgwHcD3zO?oh`$75PZB7T=3_pI@-*ZOH)YiA@KeQ*+EA@NJviL zjqL93uI2Yc(uGu2c~u1tD;DO-FkT=eyq(bWi6NLqu(Z59+P8oDwshX!tOhk_7c0F3!RCc?kRsa_VPZP9L1r;IEQ6Yd|LAX->lTnrBhTiqaZ<#FF!}~U4c4h-uE2Z$3-p<}IC~vpScL^=W>$&#J>9s$vwH-+< zW%fqe9X!wByq#ET*oFQANUO2us@V8Da8X%k0r3Lwcp^^g2f<}4z^eV7pP*)dfQ=jG zGAks~y0E?v(W|%dnBF=$BV-$JLMutb;k5FeX(`3qSSBFw&FXRv?Qq6kk8wblo3J5ge&PGbDJ=E2Uwh_bq%x6v{dbl< zOh_fsTIv&7T-1;bYPdjA^!4c3^c}I{Jes>4IcU3OaPNZ$uSJ9L=<_IpH;*#1zGUj| zec_w+sET0uaO}BQq9}f>G2I$;bGx21aCo-<^rm07dUn{=3ev#A87|X#OZ?E?u%G5B zd$V7Adc*o6+z)@9_i~-}7S1g-v{VYFy>1@f!So`HNLiU1E|`(!a=n9a(iDq+C}m@9 zogG^DV6BCt>fo+&Uxos+yqsKKUY?4kT~*+z)2G8CBHAN) zSU|-wFwFe)J`eQrg#$WS$Cx|P*Vh+#XN*)a(6Y$L$ll&wcqb!+wNNcnDcvs>g+isJ z`StKX0bU1T=M1&lPa;!kW^yv;M2VZuyQ&64!yhB1x=Rmz9s^CmmHlm9k;@*#4MMdl z9;vdM#YsaH;vDywEj_LetW^$?Ei0kjto$#d*2H&z%==h*5DjY=Kx#TzfcT_YIx`Q*AZYEP?_VXfv}d|i4hTVD!6#EkHxUWjrK{q_3NX*H2BWG259jYEL6V6 zi~YGs1;rk_=ZuI8ELs?$gNP*yH8atZ2DUPN$KKf$EnpOZgq!^6wWhZvm7FFNV+ zUwwE*%q3WZU70zIz&oM%^xFEmyuAFoyEhjsDd0P;Ex%o)-QC@vJZYjm-VuLl7_2!6bb@tnnzq|S4sx9{J--#BG^v;ilMlsT=teH7Xmd&8z)w9(u4 zh0Exk73QFh!f;3LlYrB*My_sMMKK=H$6HUsfnn(_^k$xX^-@^#`X%#`QiuBYSD%J| z9w&N)hj_`HK~ByuG}>Zoae#b;oVaPqHb%;6Z^I<9ya5Wq#`*dm@!3_P z$D4iHw0yRc7!g}r+iRS76wB_Ol$*7P>gYH 
zDJ4FMc#z7vAC@7*sG+F|@`%H=e}_9rowy!Moq3Qt}<&BM?N%m3t4CHIc~Lo^<7afB<@W`Z(v` zejs(4nMiPDfbGP1I|k9$*qPIBB?(V-hGvC-4l|Muxq7c6VT#>PfhiZnhxegHCom|iS2 zJiNEBFIzSLHXq;a+Ej~t^0P18CY@m{%CTNYyTil7^YimCwETK%YHB-MTfkKiaiwKt z!PElbAtAEb+5p;ea&mX?-t`X%82D(5a$g!O1g0vNW{)X%Ir-{3BO@adQ`)z0`U80e zkK?W3(|kiT$=OpeF)>DM(M_$b<@R$QU5Ere2O#O@^p?l`-L635>NkDNR4 zxkyMz2tyWjS-bfW@*^Pcg_pF7NgsA?v6P{juYY$SfTMDD26yx|OdFyjdoUO+6_wNu zNVpQfN*Y#G+1-xAJ7 zp8!z$lb#vgTHFqJS10C=;r#^D>Rs(GiL5FuWQs@}o+ z`TNr)063D!s;Uma;-pB$G^0Isry|;81R}!1>a=KtJ>C1VG~rmB0%R;yTf(Px|Jq^f zJKLG`bg0;>&$O_@;wdAUWKw5d-rb@DKT?L_k&&6!FI?3!G11Xb2=AHq|C-Qv^-xAj ztIbY=c07wf+^c=< z(hif~+|tq>%~zup3lo2^v${yQo|BVfGf{sCkbW@5!pv+rQd)OJd+nMUT;$`GWcV~K zEv?w1uD-ssq=fA9<=hBx*D74rZwsU6qaa=+lYUzTWhW+145RE0n3%)nx0Z$`8iHwG z?6<<@)YR3tv7_zJ)4qR)m@OT09Q#qdjPdvNWn{)3@Z?TK&3PQm$!!WkuEfX3XJut2 zB_$0b1q8}cVqL#yWISUe8ypzm;pX1B7XAh=0`Foisq};KnVIdml(@Cxsrh+R1=;SX zprD}A($ZH}%Rs;(EfU27O-)R$?x;ygNr7c?fcF^5AJf*;<1iLj{pOX|cJD%Vl@tIp;+)zc}#uH@%t=H~B%gJ+x)-1p{E?tXdi%P$}R!2>zBlioixw9XO{7(0KP zjKHnz#)IqEU;M81!v&b5<2_!^+qWTNd1Pf}@tWKq8R5V$&;t-5h))0hJxjX^)7v|} zxcJ~hAwNIARP_B^=hfe@tj^L%2x2NW=hL&Nr>E&QVIYi81MQvzCc%7)(Tg)k$8KzG z1qB8Qx~%ET%XcLP3pK~>gX3rGfQBr<-5Lr6tzJXWl8w5JjSWE3ty{Ma{6P6y8XI5P zkx`~Sb@I`R7uUU-H|DymMk^1YbQ^PDd-brIqr`JI{+(FhwH`fz%a<<;2?>d{lfNEs zU6eL8JX)waYS~z3b9_fphC1Z%+70-!1=Z-tPjoGo&u;oX8lnW$ zcMbSK*8-E%(_2PHVxoFFI>sj_xvRw`oE#mcV)(<{LWkGeg=uMNy~e6v0SZ8%D<~@q zA8vGEFc>7a#UQu$;~!Z5&V@~lVx>oq9%*Wh_+Mrz5l)PkVT3}mB7V*s4Vde>H^5e(+2M_JngT&uFu z(r(jD+zsrm&*a~#+FuqhGMWLBGLaOa1#xX^X?X_`wD z85sc{1-uBVxt?7!M3c{y*7 zI2D@@{2m*#-rrh+R)g2!W?%9-Iu*@P>17lyq82Sm@+>g2`wRh~*IK?PoFHzcVlR zoJ8P_Pc7AW4Pbf~)~TTzarVfb3|9UBip~5Vsm}km5AkcNymp38(b0W(6@2Y`aJ-&E z93+LbcMw%@O0gWSI(~trqf0QW3Rp5VTiq}AAWW<$>Bz>mRgMhLZg&(D(o`Z9Dy9e8 z>aUFwRoZNvyPhz=;kA^JO;WY3{L1SNagToGw`0YrPeo`Z#`nIa$I;)))&jPND8(h| zd{d8vzlLlo86APzMhTj-kFM13s@5qJ{IWs#6c|EmE~o%tMjhx_wjpw zX}Sc;GGQ~!vG?qkTZwTVZ+tD8gsV_SZ`6lb^o};!=uD56y(}jU%FwPltyY*D3E{L= zmV5KsR3)%A+1hw}+`*NpLRaNd1wFL_; 
z7anjRzX{5BuZ&s+Ux=MP?DZm*9r7k|*s}eBOmm)^L3Yco+Kp5(oWK3n_jpAZ`7NDa zd*7gt>rBt?alg}!88I8?zeVhTNzL}eYKxr}-}SQn z;A>foIpASylNx&Ds!tYH5L-Y%YDLn6oh28(v`K?ui0H0l(;_G%cQGov6gxHmhg21 zBHXaiEvtORXrUh0N_%0F`d3TM#wa>{p~ztZcS;Vo2!?AlN?3)L5cl$_h$a_2^b>UR z080kC{$IZI7dRB8r`prPePztkDJ5%n*P%BMN9?ORW%@3_W6^IZjGekw&mDMu z-3t`tO;5|qjFC>oR>d(TEp3%$LuD-_l(-2g5%6i)>UVJboZAsb9rSUTSZ)3`ooG~z zH?b!6J#vH_PEq+1U&V08D)1`hbGzPS%##_61#hI-0p^KOiHV76m@HQ% z`r}7B62I0fxLZTSCCx`h%u{*V&hE7xZRvWnOTX@2*o=*h1<>ZkI^r(wsuxl^9Wr9? zfZR?wdFcA;C{nXn-pMIA;BbQW*m*Ix;a3B0LPcumyu#B*g6`dS$UC;Op1+y5V3P|N zm8=zo}SM@~;0=Bl)Qci+?0Oz8p% z)*_DUm2dL~bn}d6LTN#1u#*w^%{GS6KaF75EVhh+YG_)Br|QuVMBUWXl<`|UvBUjn zcc!qgFg)-IZfqisKsTV`Do=YUpmco--<)`Pq>Qw(_&=VcgMA8^Jy*5AX9rl zdAueS^X5~$nUVQJx7zY33p70euZz9YfGY1j1mcc?cj+`(E(ZthbZc8%mL?_xB{uX? zm0ri5US3`(jW#V;i0%D-Ac&eta%?I&)o65J)ag6V?w>1bkoqNDk)ZQdBw{_ajUk-J zk@PU9DY2sN$6)*k#6zMBaczq2hap?X*$yI{in6jHA3nTTVnn!Zb{$hM&35xV>fM^m zTafz6Zd9B_>Sb5uY4ELZ;w0i_tZIH1sGu|?_U1}Mw3um~C2ROH$KUabR8Ubd&Jz2i z(P>vWH*I?H#g3hQ<bGbPyBp~X#$t==Hm zVY2sX=C8t0y&egHU#+B)|5q3?s*bzhLKLB-lWMkXZ_8s<2H`zzfy3xA8Yo)n{zS&3 zG4MJeNwA2R$bU;)BB@PDm36>sK- z0gxX6Gahb%ehXcx?UcWZ9-N67%a_nxZ?r7sPuQ1#SKm8Iv z_y!im?{tyLiD=4aK&CHV)x)2#g5V1z!U`;MB3z6C2 zz|N!P!}f*4^+>oDI0g3%TR-E9(k(&oDfsPYKPWH<`uWWjpRUlVvYV0GSjF8wLUqLj zeOPKe{u%=XviNS?_%V2+ z`tbRkIX=2h&EXL&5^99c@`G%?aiW45N|0)IS_e>js9N{hqjm$n*H7AW{q_b)M>2bq z&I3I?^CER25(*Cy%>%}Wmfd4zMl!Hez?%V#1vkgMcOc(Lky+8iB<*qhbvl4bFp~0( z+HDg>ZBgZ^sQ{&E3d~7zCfv8UxIW>isjb5|0&NLW?lxx&)jIY1ZA$%HS%set*lVZ&G{lRZlrt8CEvv11^9(8$J>96 z>W!36gZ%<729&zo2pCwq(EcKrVL-RIxVRvH2nYy#8{6B1pX&!)rl1fP7bgwTU~g}2 zefIqM=Gq$gJ36F(67e$6qVIFEu?1$fg|tkuC}-)bD=?DH&CMAY7?>;R>+8F^@)K7; z2a)wOr~kLg%F1E~)QU>m%@7G+Mwol>J`YxTlH^p?)FPol>&^D5X{U^+=IX+GNO|sYEo5 z*Stf0dj~$MLYe|td)siVt;wbLkluba#{YJHVZqOMsyR$dkR4}YgvP~5BO#zQem_P^ zCgp*n2S;vhM@vf!_s6SThR}F3A1>*z*CeMIQj(G)jQSiGhn=3T=lA!OV2>z6p`cv9 zq%G=LuDO#^RuZ+jcYW>zq6B*(V1_4Kt3r(~q*4E_<=2#igvYkx_Vxv`r8WA7hV`|z ztQsXUbRh}~3YTOZ9k=L%A3R2yM+Z2Z^;k#qf~m#FYblC6apDAjOpt--;a&f4`T1Q< 
zO>zy*`_m3Ey8BxojtUD3tnn-W8^Ha8 zV7@m(Uc6s%8m~rjD5MbWMqWs*YPR$ciU9is2Ti+2kA8ra6TzXKC6{(^c<8`Sz4|?v zK`Ocgtk6H~p(%Xa-|P9*%uGO?ZkS|PY%FGQP}0e#LV;QF@#Dv^3d$VOVPOtn<$JEJ zqIpLjY!BO+j{xvv5_kgjuP+$t>zANVHg2IIAss^+N-P!y`)>qt?rfBHr({qAWf-Q$ z?E{5{PH!)Fn~QO_b@m1wIAT%vEbf+efRTfs zk?<*>=`+H_TU8ZVGK!q@%7GzNpSkGphe*6Eyt3y;71c9s!P|6er2Hao&+ITgfM*p) z`cHS*X~Sy=mr!-1upD=!4bCpu#lJI^&hr(ur2?9?|+Y*fUXsp zwD>p0P-w_5_z!XeXlm7~_HQ(GACvzF(f?bDS|_B`FhpXbZ1j-*)-CTSI`RO(8E9Nz zEymrowKA(>Uq;`8pr9c1K};})aNmeC=+_QtXwnGNxGi%2RT=M$S0CjfHSH7?!&F#f zVTW6mW?6|JY+vQ$8|do#j8H>*~snkJo`# z0~(D+hJO4=a_Q1TBy^)N5c422OYPHS7`x}}LAN2vNJ+c8yEnk@CF!X2*e9gsuVt&r z6h%TK=jdSfT+y`Q%F>QYq_eYqm~K zRW=i6A_g}4^KKF1mh=KCMAhD0G1GB&c>hDFU(kdCIy2A$jZL3-@3Pg4vrwonUNy?J z8?J}2b1~3WS4H?2bQpfrqn-h>zJMkt+_A0)A98YPst0yDShc{jKgX*VMsR9$F@%B2;IhC|$qz0#k>5)Y>q4d3hUCuQLjvYl*%;@Fp| zp3-4lptkf-X*5?)+}3uj)M3Hbw})Q%XlKG45zr%qf98y7;h<5h%WY215JmpJ-d=JF ziuO2RujWvuV#^U-N?de0IY~dm9U!ENG}HrTlz<~X$oboP^G$`0?ck3KAOEnz-QNKm z{b+5l%Q>uQk6N~hP8@o|4D21Zn-x9#ONp%5%($SXtNxX`KL$^Hex#~;b-4+a;HBr) zJvUahzq|k{fSP)b?TCPBGj0GI_rMbm&e|5v^%BAzFHZ_CB_6g8u?tO|xW97?RO_=V z^(fO=X!HK9ed^-=`jux_)@V|awKMeFCRcIKp-P0z54xjd_yZi^Y} z=m?3ixRMeDv>9|ea2nRj>8Hua$Y9%-ZP|-+P^&N%ZpF`Tr)OtZrPsI>pK&?>qoCH0 zbbWnY@WBIeb`8c5iBL%(3@lT&E~ciY8X6jEYJ<>292p+I%f;nq3>@Y!pPj@^! 
zlr8FUyl+5&dX=Z37pJELa-;Jphs9vQ6S@!}6Rhe*t>pr3M%aEHC&i^nzGBwmb3iYn z_bapbxVi12le2hiiyCfeVG$M{Exj?2@rd@=q$@es+yrzw)K}y;rF1Bm#7+8n>oe^X za3>TLv_kGGw?9E;=H=xr3Ijl#wJ&XKY=o9Mm<}I5egsPwd?heRu6jeyrl7uFEL>xG zv}zO%TTP*04pSP^2^7t z41qGhh(g#}#gf4gfedV{EPw_6^hy57lXGVG?%vIVp48W`FDdbLqP_~?2_BpX4WSp$ zGboV_rs?B%UKxWtAJ7G>0M}@gAnhXe!;jS!?{#5cUGV4{u(& z)B(W^ZEA5O=l}~76CC#X=>xkX@P17>@u5lIoa{C$>mszSR73iwIg%+9m6j zjVneEA3lW6KaeRyLqqrr^czVxP+-#al%wLC4C6F93Ml055D6NW$q?v$(?mRxkVs8U z?S~>cH*Qd(Lr?A)9Jtah3Lcr7+O^}^tJGdlK+ApxumrH zX!=#ib?>X7E(TpRP3#@@ptNj}wHW046)Kho*{H%o9tMVYzCpCYQb>>E#c6VOM#lSI zN9E6Mx3sl+t~D`$jtLY~>~~rRhTsc(nWR78d6lj)9c*I_?cb1?81zNlj^kj60@&oi z90ss#2E_&_HxgQ$#WoXSy@qgiV6l35c$k^7n7!T9GKan-lWd-^B|K1CC)ktp7e{`UeSV=kFCJMD%QSq{XD+EAtLsdaR z_vom0yo|GpOIUb#UJVYXA|m?WZ)j*OhkJOFKIFQ_TI826Ut(jAQiKoZvIt@UZa^CB z0*>W{hQyrolpz0obCE{i(eZ}A4>6%;TOxm)N^k%3jhfrRTjcmH7SKLCW1-T`Lqxb> zI3{Vl>mdw-41Tb7mN@qn<xR{$5)hbEN8- zXGr)#=-@9b&}sD%k6b+f@)K7g%Z$=ko}2^-Gq^hdGHsw2wMOkJ(bLnTrKL4JVnDYy zcN~<(?67sATM)Il_o*dIpv)l#v*dZ$+~{Tn-ZHCBNgoe1g!9_Yct0j4A&~>1=-J*- z?}!c!Eimh2|ME;pO%3edeW~;P#bf0z>t|?iZ~{00>Hj$XQb1kuP{oj2*IrOQh{zi^ zUa{bPklDS7+zXwrl&T&pHucg*TJ7M2tT?a@6wVK~9=tZ-SmxtDlrIDGLnXrQ9i*wM;p4oc=9#e;& zD3@E)<@Vb*Z%$55>KhpWM&9%38R9YrxhK3kNt&i$s^%~h1-^8yN`_ooXIIyNZ&-&T zcI*BI^$cusYH4nU-8Kr$J!aVzTac^dWMq@m(|K%=K_Jxv1=+iX;+Jh2z%SUhs15B{ zWk~4klw;T7cUq2?N?~DQ8Yf6Cwi@*W6a-o4DVkqgT&%)sI5Z{s9i%0YqPVcILXZ6| zC{DTG(}3@iTR(pMlOfJsPD2A0w7au2&tu=wkr7(&?;kTWGVUDhV+V3?C4etkCMZxb zx17h)dUZ%7JzyEXh73YF;HU53=!I;wN z{=R=mCA5HWW3P)THFWsrhH#xM;pzX-!2ZYhR8fzle-pSg!WR%vM5T~fk6*n09}L5I A5&!@I