From ef3100964c4f12ed8f9d7df1c9cd10888e2217e9 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Wed, 3 Apr 2024 11:10:14 -0700 Subject: [PATCH 01/12] update jit callouts and add step --- content/faq/security/single-sign-on/idp-faqs.md | 6 ++++-- content/faq/security/single-sign-on/users-faqs.md | 6 +++++- content/security/for-admins/group-mapping.md | 7 +++++++ content/security/for-admins/scim.md | 7 ++++++- .../for-admins/single-sign-on/configure/configure-idp.md | 5 +++++ .../security/for-admins/single-sign-on/connect/_index.md | 5 +++++ layouts/shortcodes/admin-sso-connect.md | 3 ++- layouts/shortcodes/admin-sso-management.md | 5 +++++ 8 files changed, 39 insertions(+), 5 deletions(-) diff --git a/content/faq/security/single-sign-on/idp-faqs.md b/content/faq/security/single-sign-on/idp-faqs.md index b5c0089941e4..4d5cde0a049e 100644 --- a/content/faq/security/single-sign-on/idp-faqs.md +++ b/content/faq/security/single-sign-on/idp-faqs.md @@ -42,9 +42,11 @@ You can add a bot account to your IDP and create an access token for it to repla Yes, bot accounts need a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub. -### Does Docker plan to release SAML Just-In-Time (JIT) provisioning? +### Does SAML SSO use Just-in-Time provisioning? -The SSO implementation is already Just-In-Time. Administrators don't have to create user's accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub. +_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ + +The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. ### Will there be IdP-initiated logins? 
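Review bot: the italic lead-in added to idp-faqs.md ends with "This feature will be available for all users soon.", a dated promise that will go stale in a FAQ; drop that sentence and, for consistency with the rest of this patch, render the beta notice with the same `> **Beta feature**` / `{ .experimental }` callout the other files use instead of an italic paragraph.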
diff --git a/content/faq/security/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md index 8f350dada8ec..9535c7f5df21 100644 --- a/content/faq/security/single-sign-on/users-faqs.md +++ b/content/faq/security/single-sign-on/users-faqs.md @@ -57,7 +57,11 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Is Docker SSO fully synced with the IdP? -Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization. [SCIM](../../../security/for-admins/scim.md) is available to provide full synchronization with users and groups. +_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ + +Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](https://docs.docker.com/admin/organization/members/#remove-a-member-or-invitee) from the organization. + +[SCIM](https://docs.docker.com/security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM. Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process. diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index c70a1c81450a..f06de028b77e 100644 --- a/content/security/for-admins/group-mapping.md 
+++ b/content/security/for-admins/group-mapping.md @@ -37,6 +37,13 @@ After every successful SSO sign-in authentication, the JIT provisioner performs ![JIT provisioning](../images/group-mapping.png) +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +{ .experimental } + +If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also enabled SCIM. + ## Use group mapping To correctly assign your users to Docker teams, you must create groups in your IdP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers", and your organization name is "moby", you must create a group in your IdP with the name `moby:developers`. diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md index d0be5f998e6f..73495eadf1d6 100644 --- a/content/security/for-admins/scim.md +++ b/content/security/for-admins/scim.md 
@@ -39,9 +39,14 @@ For additional details about supported attributes and SCIM, see [Docker Hub API > **Important** > ->SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes). +> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes). {.important} +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +{ .experimental } + ## Enable SCIM in Docker You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required. diff --git a/content/security/for-admins/single-sign-on/configure/configure-idp.md b/content/security/for-admins/single-sign-on/configure/configure-idp.md index ccbc00e03d36..9884a272aeb1 100644 --- a/content/security/for-admins/single-sign-on/configure/configure-idp.md +++ b/content/security/for-admins/single-sign-on/configure/configure-idp.md 
@@ -41,6 +41,11 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th >SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP. {.important} +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +{ .experimental } + You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping). | SSO attribute | SAML assertion message attributes | diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md index b2e515731984..b7910fc664df 100644 --- a/content/security/for-admins/single-sign-on/connect/_index.md +++ b/content/security/for-admins/single-sign-on/connect/_index.md @@ -26,6 +26,11 @@ Make sure you have completed the following before you begin: ## Step four: Complete your SSO connection +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +{ .experimental } + {{< tabs >}} {{< tab name="Docker Hub" >}} 
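Review bot: in the users-faqs.md hunk the two links were switched from repository-relative paths (`../../../admin/organization/members.md#remove-a-member-or-invitee`, `../../../security/for-admins/scim.md`) to absolute `https://docs.docker.com/...` URLs; absolute URLs bypass Hugo's link resolution, so a renamed page is not caught at build time and local or staging previews jump to production. Keep the relative `.md` paths (the same hunk still uses the root-relative `/docker-hub/api/latest/` form, which also works).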
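Review bot: in the scim.md and configure-idp.md hunks the existing Important callout still states unconditionally that "JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in", while the new Beta callout directly below says disabling JIT avoids that; a reader gets two contradictory rules with no cue about which applies. Qualify the Important callout ("When JIT provisioning is enabled, JIT values overwrite ...") so the two notes read as one consistent statement.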
diff --git a/layouts/shortcodes/admin-sso-connect.md b/layouts/shortcodes/admin-sso-connect.md index 36d4fb5f0d2a..ad3b80f5e123 100644 --- a/layouts/shortcodes/admin-sso-connect.md +++ b/layouts/shortcodes/admin-sso-connect.md @@ -10,7 +10,8 @@ 1. In {{ $product_link }}, select the verified domains you want to apply the connection to. 2. To provision your users, select the organization(s) and/or team(s). -3. Review your summary and select **Create Connection**. +3. **Beta feature** - Choose how you want to provision users by enabling Just-in-Time (JIT) provisioning (default), or disabling JIT provisioning. +4. Review your summary and select **Create Connection**. ## Test your SSO configuration diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md index 993a41903b69..d26e00a895be 100644 --- a/layouts/shortcodes/admin-sso-management.md +++ b/layouts/shortcodes/admin-sso-management.md @@ -65,6 +65,11 @@ When you disable SSO, you can delete the connection to remove the configuration > - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) { .important} +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +{ .experimental } + ### Add guest users when SSO is enabled To add a guest if they aren’t verified through your IdP: From d53de567032773c5430734a5ab8382dbc1200b19 Mon Sep 17 00:00:00 2001 
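Review bot: the new step 3 in admin-sso-connect.md is emitted for both products, but the FAQ text in this same patch says the JIT toggle exists only behind the beta, and the shortcode already has an `if eq (.Get "product") "admin"` branch for Admin Console differences; as written, the Docker Hub tab now tells users to choose an option they cannot see. Move the step into the admin branch (for example via a `$provisioning_step` variable set inside the `if` block) and leave the Hub list at three steps.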
From: Stephanie Aurelio Date: Wed, 3 Apr 2024 11:45:16 -0700 Subject: [PATCH 02/12] separate management steps and update callouts --- .../faq/security/single-sign-on/idp-faqs.md | 2 +- .../faq/security/single-sign-on/users-faqs.md | 2 +- content/security/for-admins/group-mapping.md | 2 +- content/security/for-admins/scim.md | 2 +- .../single-sign-on/configure/configure-idp.md | 2 +- .../single-sign-on/connect/_index.md | 2 +- .../single-sign-on/manage/_index.md | 34 ++++++++++ .../admin-sso-management-connections.md | 29 +++++++++ .../shortcodes/admin-sso-management-users.md | 63 ++++++++++++++++++ layouts/shortcodes/admin-sso-management.md | 65 ------------------- 10 files changed, 132 insertions(+), 71 deletions(-) create mode 100644 layouts/shortcodes/admin-sso-management-connections.md create mode 100644 layouts/shortcodes/admin-sso-management-users.md diff --git a/content/faq/security/single-sign-on/idp-faqs.md b/content/faq/security/single-sign-on/idp-faqs.md index 4d5cde0a049e..de14e867ce97 100644 --- a/content/faq/security/single-sign-on/idp-faqs.md +++ b/content/faq/security/single-sign-on/idp-faqs.md @@ -44,7 +44,7 @@ Yes, bot accounts need a seat, similar to a regular end user, having a non-alias ### Does SAML SSO use Just-in-Time provisioning? -_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ +_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. 
diff --git a/content/faq/security/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md index 9535c7f5df21..61f74ba0e078 100644 --- a/content/faq/security/single-sign-on/users-faqs.md +++ b/content/faq/security/single-sign-on/users-faqs.md @@ -57,7 +57,7 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Is Docker SSO fully synced with the IdP? -_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ +_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](https://docs.docker.com/admin/organization/members/#remove-a-member-or-invitee) from the organization. diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index f06de028b77e..0a674cd32175 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md 
@@ -39,7 +39,7 @@ After every successful SSO sign-in authentication, the JIT provisioner performs > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. { .experimental } If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also enabled SCIM. diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md index 73495eadf1d6..36f52f0960af 100644 --- a/content/security/for-admins/scim.md +++ b/content/security/for-admins/scim.md @@ -44,7 +44,7 @@ For additional details about supported attributes and SCIM, see [Docker Hub API > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. { .experimental } ## Enable SCIM in Docker diff --git a/content/security/for-admins/single-sign-on/configure/configure-idp.md b/content/security/for-admins/single-sign-on/configure/configure-idp.md index 9884a272aeb1..ed9bfc335ad2 100644 --- a/content/security/for-admins/single-sign-on/configure/configure-idp.md 
+++ b/content/security/for-admins/single-sign-on/configure/configure-idp.md @@ -43,7 +43,7 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. { .experimental } You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping). diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md index b7910fc664df..7630d71797de 100644 --- a/content/security/for-admins/single-sign-on/connect/_index.md +++ b/content/security/for-admins/single-sign-on/connect/_index.md @@ -28,7 +28,7 @@ Make sure you have completed the following before you begin: > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. { .experimental } {{< tabs >}} 
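Review bot: the hunks for group-mapping.md, scim.md, configure-idp.md and connect/_index.md each apply the identical one-word change ("private beta" to "Private Beta when you use the Admin Console") to a verbatim copy of the same `> **Beta feature**` callout, which is exactly the maintenance cost this series will keep paying. Put the callout in a single include file and reference it with the repository's `{{< include "..." >}}` shortcode so the next wording change is one edit.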
diff --git a/content/security/for-admins/single-sign-on/manage/_index.md b/content/security/for-admins/single-sign-on/manage/_index.md index a265f0641450..dc664aa99c05 100644 --- a/content/security/for-admins/single-sign-on/manage/_index.md +++ b/content/security/for-admins/single-sign-on/manage/_index.md @@ -45,6 +45,40 @@ aliases: {{< /tab >}} {{< /tabs >}} +## Manage SSO connections + +{{< tabs >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management-connections product="hub" %}} + +{{< /tab >}} +{{< tab name="Admin Console" >}} + +{{< include "admin-early-access.md" >}} + +{{% admin-sso-management-connections product="admin" %}} + +{{< /tab >}} +{{< /tabs >}} + +## Manage users + +{{< tabs >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management-users product="hub" %}} + +{{< /tab >}} +{{< tab name="Admin Console" >}} + +{{< include "admin-early-access.md" >}} + +{{% admin-sso-management-users product="admin" %}} + +{{< /tab >}} +{{< /tabs >}} + ## What's next? - [Set up SCIM](../../scim.md) diff --git a/layouts/shortcodes/admin-sso-management-connections.md b/layouts/shortcodes/admin-sso-management-connections.md new file mode 100644 index 000000000000..9c375bbaca70 --- /dev/null +++ b/layouts/shortcodes/admin-sso-management-connections.md 
@@ -0,0 +1,29 @@ +{{ $product_link := "[Docker Hub](https://hub.docker.com)" }} +{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**.` }} + +{{ if eq (.Get "product") "admin" }} + {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }} +{{ end }} + +### Edit a connection + +1. Sign in to {{ $product_link }}. +2. {{ $sso_navigation }} +3. In the SSO connections table, select the **Action** icon. +4. Select **Edit connection** to edit your connection. +5. Follow the on-screen instructions to edit the connection. + +### Delete a connection + +1. Sign in to {{ $product_link }}. +2. {{ $sso_navigation }} +3. In the SSO connections table, select the **Action** icon. +4. Select **Delete connection**. +5. Follow the on-screen instructions to delete a connection. + +### Deleting SSO + +When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. \ No newline at end of file diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md new file mode 100644 index 000000000000..5f4916b1ea48 --- /dev/null +++ b/layouts/shortcodes/admin-sso-management-users.md 
@@ -0,0 +1,63 @@ +{{ $product_link := "[Docker Hub](https://hub.docker.com)" }} +{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**.` }} +{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }} +{{ $invite_button := "**Invite members**" }} +{{ $remove_button := "**Remove member**" }} +{{ $provisioning_steps := "This feature is only available in the Admin Console."}} + +{{ if eq (.Get "product") "admin" }} + {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $invite_button = "**Invite**" }} + {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }} + {{ $member_navigation = `Navigate to the user management page for your organization or company. + - Organization: Select your organization in the left navigation drop-down menu, and then select **Members**. + - Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }} + {{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, is you're a company" }} + {{ $provisioning_steps = `To choose how your users are provisioned: + 1. Sign in to the [Admin Console](https://admin.docker.com). + 2. Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**. + 3. In the SSO connections table, select the **Action** icon and then **Edit connection**. + 4. Select **Next** to navigate to the section where you can choose how to provision users. + 5. Choose to enable or disable Just-in-Time (JIT) provisioning (default).` }} +{{ end }} + +> **Important** +> +> SSO has Just-In-Time (JIT) Provisioning enabled by default. 
This means your users are auto-provisioned to your organization. +> +> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: +> +> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) +> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +{ .important} + +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +{ .experimental } + +### Add guest users when SSO is enabled + +To add a guest if they aren’t verified through your IdP: + +1. Sign in to {{ $product_link }}. +2. {{ $member_navigation }} +3. Select {{ $invite_button }}. +4. Follow the on-screen instructions to invite the user. + +### Remove users from the SSO company + +To remove a user: + +1. Sign in to {{ $product_link }}. +2. {{ $member_navigation }} +3. Select the action icon next to a user’s name, and then select {{ $remove_button }}. +4. Follow the on-screen instructions to remove the user. + +### Manage how users are provisioned + +_Beta feature_ + +{{ $provisioning_steps }} diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md index d26e00a895be..691d4349ccd2 100644 --- a/layouts/shortcodes/admin-sso-management.md +++ b/layouts/shortcodes/admin-sso-management.md 
@@ -2,18 +2,10 @@ {{ $sso_navigation := `Navigate to the SSO settings page for your organization or company. - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. - Company: Select **Organizations**, your company, and then **Settings**.` }} -{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }} -{{ $invite_button := "**Invite members**" }} -{{ $remove_button := "**Remove member**" }} {{ if eq (.Get "product") "admin" }} {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} - {{ $invite_button = "**Invite**" }} {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }} - {{ $member_navigation := `Navigate to the user management page for your organization or company. - - Organization: Select your organization in the left navigation drop-down menu, and then select **Members**. - - Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }} - {{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, is you're a company" }} {{ end }} ### Remove a domain from an SSO connection 
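Review bot: the new admin-sso-management-connections.md ends without a trailing newline (`\ No newline at end of file`); add one. In the "Deleting SSO" paragraph, "create a password reset if they don't have one" should read "reset their password, or set one if they don't have one", and "Once you delete this connection, it can't be undone" reads better as "Deleting a connection can't be undone."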
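Review bot: two text problems in the new admin-sso-management-users.md: the `$remove_button` value carried over the typo "**Remove user**, is you're a company" (should be "if you're a company"), and step 5 of `$provisioning_steps`, "Choose to enable or disable Just-in-Time (JIT) provisioning (default).", reads as though disabling is the default; write "Choose to enable (the default) or disable Just-in-Time (JIT) provisioning."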
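Review bot: the removed block in admin-sso-management.md declared the Admin Console override with `{{ $member_navigation := ... }}` inside the `if`, and in Go templates `:=` inside a control structure creates a new variable scoped to that block rather than assigning the outer one, so the Admin Console navigation text was never used; the new users shortcode correctly uses `=`. That is a behaviour fix, not just a move, and deserves a line in the commit message.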
@@ -30,60 +22,3 @@ > **Note** > > If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. - -## Manage SSO connections - -### Edit a connection - -1. Sign in to {{ $product_link }}. -2. {{ $sso_navigation }} -3. In the SSO connections table, select the **Action** icon. -4. Select **Edit connection** to edit your connection. -5. Follow the on-screen instructions to edit the connection. - -### Delete a connection - -1. Sign in to {{ $product_link }}. -2. {{ $sso_navigation }} -3. In the SSO connections table, select the **Action** icon. -4. Select **Delete connection**. -5. Follow the on-screen instructions to delete a connection. - -### Deleting SSO - -When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. - -## Manage users - -> **Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{ .important} - -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in private beta. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. 
This configuration is recommended if you're using SCIM to auto-provision users. -{ .experimental } - -### Add guest users when SSO is enabled - -To add a guest if they aren’t verified through your IdP: - -1. Sign in to {{ $product_link }}. -2. {{ $member_navigation }} -3. Select {{ $invite_button }}. -4. Follow the on-screen instructions to invite the user. - -### Remove users from the SSO company - -To remove a user: - -1. Sign in to {{ $product_link }}. -2. {{ $member_navigation }} -3. Select the action icon next to a user’s name, and then select {{ $remove_button }}. -4. Follow the on-screen instructions to remove the user. From 4009ac1ad66a3136d6f012ab7b6bfbc125689864 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Wed, 3 Apr 2024 11:59:50 -0700 Subject: [PATCH 03/12] update conditional steps --- layouts/shortcodes/admin-sso-connect.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/layouts/shortcodes/admin-sso-connect.md b/layouts/shortcodes/admin-sso-connect.md index ad3b80f5e123..60d9acd5a2e9 100644 --- a/layouts/shortcodes/admin-sso-connect.md +++ b/layouts/shortcodes/admin-sso-connect.md 
@@ -2,16 +2,19 @@ {{ $sso_navigation := `Navigate to the SSO settings page for your organization or company. - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. - Company: Select **Organizations**, your company, and then **Settings**.` }} +{{ $provisioning_step := "4. Review your summary and select **Create Connection**." }} {{ if eq (.Get "product") "admin" }} {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }} + {{ $provisioning_step = ` +3. **Beta feature** - Choose how you want to provision users by enabling Just-in-Time (JIT) provisioning (default), or disabling JIT provisioning. +4. Review your summary and select **Create Connection**.` }} {{ end }} 1. In {{ $product_link }}, select the verified domains you want to apply the connection to. 2. To provision your users, select the organization(s) and/or team(s). -3. **Beta feature** - Choose how you want to provision users by enabling Just-in-Time (JIT) provisioning (default), or disabling JIT provisioning. -4. Review your summary and select **Create Connection**. +{{ $provisioning_step }} ## Test your SSO configuration From 614c7a204a92dd6d7ae4a13750fbf47282a58471 Mon Sep 17 00:00:00 2001 
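Review bot: the default `$provisioning_step` value is numbered `4.` but follows step 2 in the Docker Hub rendering; Markdown auto-numbering hides this, but number it `3.` so the source reads correctly. The admin raw string also begins with a newline, which puts a blank line between steps 2 and 3 and turns the list loose; start the string directly with `3.`. Minor: this shortcode puts the period inside the bold (`**SSO & SCIM.**`) while the management shortcodes use `**SSO & SCIM**.`.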
From: Stephanie Aurelio Date: Thu, 4 Apr 2024 13:18:38 -0700 Subject: [PATCH 04/12] add diagram and add cross-links --- content/security/for-admins/group-mapping.md | 24 +++++++++++++++++-- content/security/for-admins/scim.md | 2 +- .../single-sign-on/configure/configure-idp.md | 2 +- .../single-sign-on/connect/_index.md | 2 +- content/security/images/jit-disabled-flow.svg | 21 ++++++++++++++++ content/security/images/jit-enabled-flow.svg | 21 ++++++++++++++++ layouts/shortcodes/admin-sso-connect.md | 2 +- .../shortcodes/admin-sso-management-users.md | 5 ++-- 8 files changed, 71 insertions(+), 8 deletions(-) create mode 100644 content/security/images/jit-disabled-flow.svg create mode 100644 content/security/images/jit-enabled-flow.svg diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index 0a674cd32175..f32e35abf114 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md @@ -21,6 +21,8 @@ IdPs share with Docker the main attributes of every authorized user through SSO, Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times. +### SSO authentication with JIT provisioning enabled + After every successful SSO sign-in authentication, the JIT provisioner performs the following actions: 1. Checks if there's an existing Docker account with the email address of the user that just authenticated. 
@@ -35,14 +37,32 @@ After every successful SSO sign-in authentication, the JIT provisioner performs b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection. -![JIT provisioning](../images/group-mapping.png) +![JIT provisioning](../images/jit-enabled-flow.svg) + +### SSO authentication with JIT provisioning disabled > **Beta feature** > > Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. { .experimental } -If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also enabled SCIM. +When you opt to disable JIT provisioning in your SSO connection, the following actions occur: + +1. Checks if there's an existing Docker account with the email address of the user that just authenticated. + + a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). Authentication with SSO generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform. + + b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed. + +2. Checks if there are any pending invitations to the SSO organization in order to auto-accept the invitation. 
+ + a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user is blocked from accessing the organization. + + b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful. + +If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also enabled SCIM. When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage users](/security/for-admins/single-sign-on/manage/#manage-users). + +![JIT provisioning](../images/jit-disabled-flow.svg) ## Use group mapping diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md index 36f52f0960af..e507acfdb249 100644 --- a/content/security/for-admins/scim.md +++ b/content/security/for-admins/scim.md @@ -44,7 +44,7 @@ For additional details about supported attributes and SCIM, see [Docker Hub API > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). { .experimental } ## Enable SCIM in Docker diff --git a/content/security/for-admins/single-sign-on/configure/configure-idp.md b/content/security/for-admins/single-sign-on/configure/configure-idp.md index ed9bfc335ad2..a8310911827f 100644 
--- a/content/security/for-admins/single-sign-on/configure/configure-idp.md +++ b/content/security/for-admins/single-sign-on/configure/configure-idp.md @@ -43,7 +43,7 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). { .experimental } You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping). diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md index 7630d71797de..b82febb0ba91 100644 --- a/content/security/for-admins/single-sign-on/connect/_index.md +++ b/content/security/for-admins/single-sign-on/connect/_index.md 
@@ -28,7 +28,7 @@ Make sure you have completed the following before you begin: > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). { .experimental } {{< tabs >}} diff --git a/content/security/images/jit-disabled-flow.svg b/content/security/images/jit-disabled-flow.svg new file mode 100644 index 000000000000..5ae3e14e1310 --- /dev/null +++ b/content/security/images/jit-disabled-flow.svg @@ -0,0 +1,21 @@ + + + + + + + + Account exists in Docker Hub?Update profile (if needed)SSO sign inPending invites to the SSO org?Is the user in an SSO organization?Create new accountAdd user to org/groups according to IdPSSO successfulUser is not authorized to access orgYesNoNoYesNoYes \ No newline at end of file diff --git a/content/security/images/jit-enabled-flow.svg b/content/security/images/jit-enabled-flow.svg new file mode 100644 index 000000000000..e7f65d7592e8 --- /dev/null +++ b/content/security/images/jit-enabled-flow.svg @@ -0,0 +1,21 @@ + + + + + + + + Account exists in Docker Hub?Update profile (if needed)SSO sign inIdP Group mapping?Is the user in an SSO organization?Create new accountAdd user to org/groups according to IdPSSO successfulAdd user to default org/groupsYesNoNoYesNoYes \ No newline at end of file 
diff --git a/layouts/shortcodes/admin-sso-connect.md b/layouts/shortcodes/admin-sso-connect.md index 60d9acd5a2e9..6d2eac8afbc9 100644 --- a/layouts/shortcodes/admin-sso-connect.md +++ b/layouts/shortcodes/admin-sso-connect.md @@ -25,7 +25,7 @@ After you’ve completed the SSO configuration process in Docker, you can test t >**Important** > -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization on Docker Hub. +> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub. > > You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: > diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md index 5f4916b1ea48..1b3826a25f62 100644 --- a/layouts/shortcodes/admin-sso-management-users.md +++ b/layouts/shortcodes/admin-sso-management-users.md @@ -20,7 +20,8 @@ 2. Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**. 3. In the SSO connections table, select the **Action** icon and then **Edit connection**. 4. Select **Next** to navigate to the section where you can choose how to provision users. - 5. Choose to enable or disable Just-in-Time (JIT) provisioning (default).` }} + 5. Choose to enable or disable Just-in-Time (JIT) provisioning (default). + 6. Follow the on-screen instructions to save your configuration.` }} {{ end }} > **Important** 
@@ -35,7 +36,7 @@ > **Beta feature** > -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). { .experimental } ### Add guest users when SSO is enabled From 842f81d663c5d2e2f5d5a6f617f0304686959d28 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Thu, 4 Apr 2024 13:19:21 -0700 Subject: [PATCH 05/12] remove old diagram --- content/security/images/group-mapping.png | Bin 68958 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 content/security/images/group-mapping.png 
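Review bot: in the new "SSO authentication with JIT provisioning disabled" section of content/security/for-admins/group-mapping.md (second hunk), step 1a states that a new Docker account is created for an unknown email address before step 2a checks membership or a pending invitation, so a user who is blocked in 2a is still left with a freshly created Docker account; if that is the intended behaviour, say so explicitly (for example, "the account is created but is not added to the organization"), and if it is not, reorder the steps so the membership and invitation check runs first. Two smaller points in the same hunk: both diagrams are embedded with the identical alt text `![JIT provisioning](...)`, so the enabled and disabled images cannot be told apart by screen readers; and "sign in fails" / "sign in is successful" should use the noun form "sign-in".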
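Review bot: the beta callout sentence in content/security/for-admins/scim.md is now repeated verbatim, link included, in configure-idp.md, connect/_index.md and admin-sso-management-users.md within this same patch; since the repo already keeps shared SSO text under layouts/shortcodes, consider moving the callout into a shortcode so the Private Beta wording can be updated in one place when the feature leaves beta.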
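Review bot: the cross-link added in content/security/for-admins/single-sign-on/configure/configure-idp.md uses an absolute site path (`/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled`) while the unchanged context line directly below it links relatively (`See [role mapping](../../scim.md#set-up-role-mapping)`); for the content pages touched here (this file, scim.md and connect/_index.md) prefer the relative `.md` form the page already uses, and keep absolute paths only in the shortcodes, which cannot know the location of the page that includes them.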
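Review bot: both new files, content/security/images/jit-disabled-flow.svg and content/security/images/jit-enabled-flow.svg, end with "\ No newline at end of file"; add a trailing newline so future diffs of these files stay clean. On content, the two diagrams differ only in one decision node ("Pending invites to the SSO org?" versus "IdP Group mapping?") and one outcome ("User is not authorized to access org" versus "Add user to default org/groups"), which matches steps 2a/2b of the disabled flow and step 3b of the enabled flow in the prose, so the diagrams are consistent with the text.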
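Review bot: in layouts/shortcodes/admin-sso-connect.md the updated sentence now says JIT is enabled by default unless you have disabled it, but the unchanged paragraph that follows ("You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP...") still presents the IdP-side security group as the way to stop auto-provisioning; reword it to separate the two controls, for example "To restrict which users can authenticate at all, create a security group in your IdP and scope the SSO app to it; to stop Docker from adding users to the organization on sign-in, disable JIT in the SSO connection."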
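Review bot: in layouts/shortcodes/admin-sso-management-users.md (first hunk) the new step 6 is fine, but step 5 still reads "Choose to enable or disable Just-in-Time (JIT) provisioning (default)", where "(default)" sits next to "disable" and can be read as disabled being the default; move it to "enable (default) or disable". Note also that the trailing "` }}" shows this list lives inside a Go template string, so the new line must keep the same indentation as steps 1 to 5 for the rendered list to stay intact, which it does here.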
diff --git a/content/security/images/group-mapping.png b/content/security/images/group-mapping.png deleted file mode 100644 index 5da45819d90773660e71ba258b12c0306c78be60..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 68958 zcmeFZWmH_twkQl82rk_u5WI2M5ZooW6Wlde^3{(PCI5;>AX(@3PI5-3C;jTsyqZLDn!o9r*8S3!z4x%6G1MoW!fio_OC0eNRI$(=(h z0~)2Ed6s06(UdBPG!`1J8bB_|*UpX(AaPxy2YAuM+Ri(In$p`5zvZtmew9t<+rG6!$oHc<>;wIMUBS5S($mL%WVM{HfC-Ei$ycF&U~3_5mv-e`t}r z7foZk^=gXVA8x&IdC?|l)R0P;yTM^uKr8AWK~$xg4|yD6cKv~P;J=1VVpX9m0f*x5 z_=ZTc)7sw17>IA2eA%bu*3;Is@BS53I(#B@*_`rn5nuSU^!Jc?p;x|#% zbA~TO4&*54Lcwd2FG5LQq<>?z(F-vO;SFB`ToXjV7Vls1=_hogtx zBg4UmSi&K|?%-h;0qlZ8vR)$7^C|%WPz7XKcpoW^4aE1diX07j|oF=4=FZv$cUZ z@wy3+|J8#RcK`gEg&h1>7iVh$a!q+9u$Y~r8JLrqm6?@X5ETpt^E;ZF^Qwry|JQKX zlK}ZgXJ>m}78X}mS7z6@%yy0zENnbHJS?p2EbQz|upUfK?ht1qHztS^#eV_$Hym*@ zClg0YduK~K2>2PUk+GeNvj92y^F;ss_h0KYbF=)F8r1{spe{cNPKz^3zt^W-b|Aptj-og+qh|16M-$WBc6@2<*0|zGzCoL|b z<_3SDhm@oyG2Ie}qh;8utfVU}A`Jf({89-)y0JL)uq?Fk%gz^gC;hk9?=^HUTs2-H zzJAg8#V^OtFMyUDO7$C``mJyJUaP=6`4QIa{3eTS-PT=?@{ZD?iJ{`6Gsx1HelGG? z;+lpQ-~aLUKM&FGo? 
zg;mHID}Jc_4ex)SB^SZ>#eV<+|F(8vO>8h75O-FK?(c8^wsw_(w*MUo;$TMPn0REg zgOd1v68yg>ru(__H$Z$5LJl7K=bZPA-$fd&|mWT0oA|2i{e9(nt-U85% zJj&$NNny{Tr*r}n!~(Yntr!284iS7jh^2L!OGepGp1$AR+sPb8Nz)G?8Td;;143bn z3LGH);Xj-R8=WnZ#UB{B&@pqDACqJczxM7KBDnKe(Aic?qW&)ESqI4RpPJrFTML>-g=m#S0ZfbIKB zcQD;Q)&dL=uBf$sHA9>>dQzuw;@DS-(q(2s@Vp{FWCS2=77>KFqJL<_fM{V_WR$w8 zZ`#S<#5}1Ql$)vl!lXZ{C``8^!pqkDV}>nB@MK_MZM}<3^`a*z8uJ7Ho4*!KkNUiY zAjXS-Y#|=a-yR5pd@J8i0&BQ#f5ODW(Z_k#jR9dWR2t?;>-__`h{(UF%}3kVU%VL~ zT*>Yt?C3sK!T+xv2*Z{Hr}ReR?;M6Lh`@YzkOiYOVe3nTg5=Ks?tu(|;V1x({KH>J z{`amCko=`6DXT4>>3i-^=P?lTUnC0fd#0|R)a!pNX-jN%q14@Rp#xnj@l%1<7y5b* zBEw-4m2Uyo*&fd={!4p{Qv$%0%#Zv6Z??AR$tXBqsK)FW0f`dF7%!ddH z4cb~K%k-L*`0ZfhvBRj5|FKwcFcEUQuXt`+g>u5?L>O)nkw;Z>;L!Ae&$RjX$^w!7r9OSs(nf|HrGOKO zQkCY72MuHpa2Yj~)Cm=R3;l>=I@Nb3ZJUr9--YZ*TV>ul@S2QLgVeA?!30oN^i6qgGOBrwIXnZU@rJAs&hlj-}|(4ybw)1vFT!q}e43zJv zS@k6*5iNsyNsJDpLE_WFEZL~bpPCt&L}op&TQ?DeB3>9572R?TKK>0m-~eoHC-amN z`RD^2&VJMxIt&xDJ-^K=+~`n8=0faHC40QR$8aZSVd)oKncYZV#8Q0u*LCSowAQv+ z_Fb|b3z+{TE>oy6plfmwxh^_Dpo^|6-c_c3Ab*yy8GTQAUe`lL92$jqkBhy&Kop$K zUsyu%O^1!L+r#M$SBp;3)i!hEP~cJPU0I24g9^2LikcLuU8wMf_b^`k@c3zt>u+=v zM+SWT6Bt?5FLR8p8gkOn2) zCbz~5I?K3>4Ed20XysD}yS20u2aXZ2h2Wj>N$e3*|OYaQ*mLK>nE$c68jW}y^syU>&oXe_gi=GHXxE=k*g_0l2` zMS~o~!BxPdbC+N_okX0uNOZ^j>F>m#w83o2;61=Z8^M#sS#0l%cvo-y>wTxAB@2$S zrQZyh-4vsEZUwzQ2;*q{i_-inM2MncuuV8(7eoaH z3f<1Q$i>)^+!V7Abbe-#VMidR)HN0vh|yJ|Bo_({>Wm>1JLn_)$V6l)c)j|$%4J{O zlb_a0R@YQy{CExnrf{Y2uyU}862P&BESe$1;!_wezx z?FoK~UHh|_MK5;CUVZJMQoeUFR>`xAJmw4&g{j(2u+mpz?F3viY#hCb#Op7wB}wks zPjdRnD!)7zXTu$Bp*>c1*zFx^N;uOlVjx19@}(4Se5d_D zBk#q$ZQ`^+8iXl7yH;|*s$iGEieFTt`q5IATIbAEp;gz}O&&osTG+(_rZ-JRxCPj_!uTK)}NBJ9%KmE$V zeWd*s7?3cdgaXG@oXxUi=P9X-0C!r<>|15H8zshGAW>b8;V*^3RD99IyC`VYoH{b2 z&eD+MjvbKX2PgE**V&R;jj$tyspG?1@96kt@{QPMVKAtpCLTHd5Q2mv&!B|{M2>(R zdF}PA3C|}Wwj%3acV?ibIOewBrZqwB~tLsVGuKzlRuXHFJ7t0=&+Dms1eH8e~ z@|-`@UWY9#ihfKKMFT?UlUz^yhXPF0ugrqQ!PUqyF|_#0VCruC;;=Y^uJ{r-C!jw& zxu1JbQ~IwJXvf9GCg_b>NmN&;aPl*^nD1!*bp~VWA{bI-2O@Bou$5DO_LcV!MIGAD 
zvm}y2pu%4qo!*f2_^2=Mgm)jRDk|Csh;&*YlnU8)s!K13627VVLz_P{&*e*eC@|0G zaPToZ8U-v#1~bn5Fqvede`E|Q-$EHh5M-j;V;QNwP_W7v5XxfvkHg52W+$+yCih8BerzhM)agK-P{WgRaE0jIn7;#Rjx1mB$P9 zBfM$^>LxLG%RW_a68tJLxFlq0{~#R63H_AK4HErL`KXS2KBp$#b|5oq0|k9u zl{LnJ`Nsvf$n7%ZF{-jph)qJE!yLVd>WC&c$rR`d0-QbT57wgUo|e-&>vf3aoB;v9wa?Jz%h zj%pP*xHdHIu&|QdQaQMJoJ(um@pQ}1z@3!y=f1)$#~8f%Y?ehACO}4IXRNxc4Ml$9 z0Fu(pMhVyw$y%LKcdxEsd`2hC)kj zqax};ra$pcNOW_m796ebTfY{g7_Fmz(ZCynIp&cqc41ZEkdda+t0L}lv)|sr^!vI% zn5dM}4-kZ`Mg%w}bvXIGD^i@LxaYonpvcbB}o=@fk@K;h08|HX5VWq06(2LI1RZS6|g{($fQHP=V^St zGZr9(ydD#Ujr%GkPyO|p4c~s*{j-&H>Kk$Z58K}dIQR>iY&~T(1ib?5P-n(lCau*P zg;DlK`x)oRnbE0i2gtJU4DAc$aKuuLebE%1;g%UUjCUB`s_b3z4APAYNKD~MUAClk z_O$fqVZ!!6+Hx`38I_zUBY-|1g%)(E|4GTGbx=Ez0?XH+LO4XVH^kHPG484MC}xwS zKXLorH!3!2nH+Sj3L!p&VDB_$q_fklWL4;(dX?tFoL=&c<5nV)*~CwPY6PbFeoxzN zzLc*?cC2Mi`B6OhA+@Wof%JP{ZW)TB`Wg2(9LfW-1}CH7d(*w9`&opB^I10?joQMy zC_8quny^ekRte5LVkmWR3AanPe-@lvcvx1u6qU$(VQHkL{_H?RDRgZm1pEW5k}|Jz z$h((OdNj}UM?ixoK6c4I(gxGw8{(Z*Fta*2$!fact=GTj38XKQL_zG_H(rjMkZ92v zmY;F6{k-S0U)3o8Kx?tj`bShyqb}jBW=T{3BPoac0J%O2+EgUA8QDCpE>e-?{?vUh zOuWUxZpiJ~RLciQvSrtw$p8`Tj0bjHXpiv0Z~VFf`n@(>jko7*=1ins)(patIdr8t z<8%Gan*0(C)h}cl|D~ytrX-|JJ;?WQ11G|$%a(?^h=A~x&^U{rGrLuUX??3@kWE_?9QI{#dym2W;5DjHsf2}y>l!W;W2cU;tm&P)@Bi2GjZa0R87+TE~ zGf-3>#BL1u4>s%x=nR)0>}G`Ka0xg)Q;}?#tY>EDY$vto$e*XX*>flZZfoC!e<|jr zk$Kv7XLnVNx_7mWN;4^;H6F@xK(Y)u@ArHbls6g6hmr;W3m)l=w;2Z4GATHc_?8UoY zgd+ga$tO056kKAGaPt=^W__JFTz>!uD}rAh@q2#mO}_-#DNv-dP;ix^aa0olLJD>5 zL$!_GzB>9=t1MO*UBstEsFt}s<{A8~h5k};jMAkQf%W5>{OHz%G&F=33HgNNt7%x{ zrb1D(w4$H5b=XhkNPfhMSrLY#a1ZI))v5_&LtIbiq>dyxF1@8%CtdGFbnmqqbq(k3 zwd1()XXupY37{r_TKU=dCCSoPj!rc-gr}xI>j#No`t_M*5>v7PO?3;IuaRT2kOlLm zKA7~;Zti`-ypw-+a*){ox7(y>4!U>9DCI$bly7KWde!>^<1wVhc-sp2iwkb$K`^^x zx!Y(UC^5#5nekeL=$hs5T{M%apl*7rwVl8`=g>ZB|RyYpbaT@@=$^YN%TrD{}@_P*;nThoe> z)82IVye5M})_2}pisWq+t!jj7{|}vRY0RV;R9q@*`g(#Q8i0sc`_lRv?=Lk5R2OI% zYC{*r#|jO6iR$4DFk#J9 zj*Ij-jS3O8{k$Edpm@`+BOK3tJd?du%^XOdq9Ha^`~Xi~fOD0CL`FF(u&$b3msOvS 
z4KtZ}5mtqaQyloUlmqf-i-jx(D7s^}($1`At)>r#;>t1TR{QG~PEDou-P~&osvLrM z^W4hLBBy@QwEga_Xz70X<@bs(*@S)hvNSR17Sn@+Amn~NvrBnUwTsBA>hHo zG$r21URGqjomz-pvNtSl1x4gTG^w zw=mdQuaFJz;BdRLvAI(YOll#F3ocThjIrLs6`C;;3gaFOptQ?y->447X261EedJ;= zXMi>4wPe^K+c4upT_}+%gZ5sMEqLXS(FPT0H$U@>d+grGb=k-)t%%|L)WylFS2_|^ zCr0gKkeUJlERJ;{l3iq^?BAfMe3BAvG$jf1N2i{m=EPt!PEG`m-u)(?>~MW?nJ+MK z$d6w?93BJac6xLc7JT*3qX>Ky-by&+HfXF0z(s*QQbMoiI3T9Bq$m|60Diwr#KUGkc zo*Gnti`e`54mpe&BZo=E&yxy=BRWA+JBzzhOjkgL5=^ogn(#|NTpGD_p!8SVw^bao z2NV=}mw}rZwu;{5oIo%5B25ciy!E(_)3=P%5+OU)^Hlz!VH{AFaL zYfzMwnYg{a{ELIxS_wx-CsR8}S|=5?Y+bNJmFE>CjHf7hsLX|dEt_|dHO7Z~eEjXy zQuA{#aMd1RbrjU294ymFAPFTLKMh|jQwIL|Xjf}-4k2Q2@*Vm5uDdRfVOEsA-aSp= z=SJKR&$=%oU7Arw0s#dIH3g9o^E(}$4yyb&G#Te_fz0Pxb`lgypa483ukWX`TjFK@RSxCQC8Pa&IdozNRDYJBo;k^}-IVIV>;+(2$ zKaAhXgvHFW+9vh%*c8ORbrQ0f?z((3^(_z~KIh<|9B-hARHHXEoaG`GO*=ak&!K3g zbfRV2nX7zn+^hG;!H-?`tv<=EqP7+KOrOhS^t}ny_5Hm5{U;9*i0@&WAR0>il;fkv zISH9Fy*rz2ziI0Sho7(jFD<}d={9Y4LkA) z?kYL6dNZrJrk0fq9w{D-{RO1?wwl!)fI?(6 z9U|Ee=NL;yyhkbC*N!#5d44sqDI-R`>Ne6w@|%bK9J&EAy$rV5z0*%gJ6VR;vLW({ zvca=^hw)a@FCfOv`>S-O<+%J!+sH_ac^)xWTFjfQ+EMYJD7#&m`DnF^O0Yng1RMea zBgxbruqV6&6_g_xVMVkqVyr|@13;{8|N7&>=C3e*RzFM`zw3R$*q>Me+!yiL7hyy5 z!ov5%l=QSXeDc^}y4gwRGJAS_xI79Z5!jj!i`%R>zt}3oGl->A6fipBxvYx-5L#8g4qQbs6&7W481pt{^)SV*(E-J^V28wE@>w5N|=Pd zFzTNa%QaX8*vwXlK%vmhd7Z;}Aq@PF6Qit&X%%kxizQfSsnuwQC%Urly^^m#1Pf5T zkPKU=j0~0@yL65s9qhy3*iJ^uqo|Q5X4~G0+73p3a4=}~YNJs+)QKm%s}e{)ZkB$x zg;7qHoELD{HUM?f$)=7Cj|xjH4aWBVWcG6!mq@E|o=DHb_~AG+7~VL*hnjzdLa3M% z0H&SHMCe7LqM1|?Eu|M$8GRDpx?@7fi)Szpnl=8**!(Iij5k;I6^?hBc211;+LfJ! 
zMN$2sN;|`S8$Vgdx7F0lytiXSutFUNOxeA1l`EGipmB-=qUstQ1@pD0odid)>u|JY z+Bwp^ zl$gq(g^%xe*zmjmjFd4(-}`nTZlrbfN3~|1(YI!SKW$JQiVt~D`*iNxyZM_-EUmE{ zQAhN4t-K#zq7yLw#v~;3y*<;!XEm!(%{*q>|!lG4gpRMcg zAb%Ro2T3rfJ^b;<&kO+ple0#?zAk}4KO8mw8_YPe=LW1%QjVs)dHdoWQD8eOz_c@N zpvv@Ga`%&G*KsWg1ETFasm~MWWDdXU@E!LeUR3!!ku{9l=v5fM5+2FYvivk4k^jvY zlY-LVnof2+qHs2RTXX0MgLC2iEoG{OT)dY_FJkY0v14xW9OlVZOv-85+_r;RkK4`1 zmYy%)6pZ8Vs~5zSW(Sv}6}dL0^y1VB2O&v_t-`A~fuaaSXaFmbY#m-SC8j1bB4W_ zMd4UUdS^;AMMwsXf!9gUeXWgurS3SjfthHlAMeyxkhOTEPvAOtdZbtqAw6#z1>|X)cOs zxollgqwq$+IF#|;Dq}L7(;W4E+2g>Q!il2KHhMRu9Mk+|>i%(a<)-b}fESL|DRQEV3I8DF@h zZtN^vn^c$jTr+}70q68&j{^$QF?~ED>@W=0+O%UcN8LwX8)fY~^VK|CbGJ{g^x^&? zk=8uTqNP0(6>A!T?lyD%-Ony$w{1()I!w(3e+@NFJ;SUPviPxtVRf_0GV)`?cb%Lx zi*phE`#G`DX4BsAbo?9kcJ5}c8|PmLVuNRR;)QLKikFkI@Ds4KCI|<3OjUtGCMjG> zvsg+*lV%?fonWm>ZD%H^X3!UsyLMf3#T)Dhn?!Cbx^1kbj!IO~PGg7X$oYW%wVTeO(Z_zAin zwHe-z4;kl1NyCr%2T3#ict2|^S9xOY{A-ypmFu=(d%W<2*qq7yrww9PS+CEywJo%t zTSXSFsa!eBG;JoXMG!*$U|B|i(;uUag6#xtkz~LOUM4Lcwgu*GLKQ?EM&XhoB90ME zsf;izO2sP$Xyz3OG=Jz*Y-&(Sq&Q?qa@q{*=m0mib6$W zDB!U5RYN9UA>Aeof+Qj+;|8RaqY9~GDoOt<8D0t;?W%^z!o6|(=IVThd3u;?ry26q zUYqBtG!bJhhEhI-v(D||_!kza#W%HN$ucct=tgarh+WhpV_MPY#`62a4_u^7Z{rd$ zI+HN!h|9DN=In0+mDU~D4d)S*>Uo$Y^KC)y3Dx7P%=7O^p_;ity8(U1~s>~8%RxhKZZfg1e zWPKMm^(M8!fQbtxfYj$YyTqVP|M9vKo5qi>XbUlI)6THq@<_%q)0gzq>u>QpiXDB*Z~+zB7g7OA$ynJ+r^RTQ9PA?Qi2>^5HS z>mjKbtB6;UjxME0jA+#?BN6D=cIoWt8JNV2JVN>QA_2t4LsA?gpr7xgjk(t4+t5K` zb~{a2E_2)3ayru{AG49db#7~>jE1tB=fmxX?`$%{8wBH4EI8pVEH|o6 z4r;@%r6WQvKn%J~K;8sT2r(1=DLHg`pX}Z5cBumM*}wo`2wd7LeV>~x$H$xB1A4AY zTh=StVj-rJ1jqXmNOPK0wq z|5CIg0lqp}`9A3E?U46LxR8e`uJ>8Z;^peMD!VJ@-Nm9xMXY{igSM&Wxwq=b!D^#j zyyu6U>e!xCS{`);bo-x3IWm4nzO6eK@9P^*cyFFBF))u(yL=h8TjlgyA;x?BZVWD4O^eV%k8$Rj1Vx(h53gtvliexgTC)+A^;LY>$Ms1{K%ja0YhtTRbd*!CS(937{>wXo=^{ zh$g~uJE<`v+_LwT9zL6Kp!31(m^$*=(^Rp>z!2985nEvAw`f5tq;fQt=8D0roeqNV zGf}(8Aprzj0R5+*koC3C@E}q=77P`Ez(Ac^)q(dxxF^~nZwy|y44q_+#>K?jAft*= zw*L{635Y%x=Ch)liZNhU&8;NkRGOv&L>2$G)QC9IaPVrv{TN)%?788UrJLR;DIG#B 
zdE-n=md%?@nsf0nwEnQCx@s#%QBf^}tIHk;kV z?;HOI&aXdXneK&Nh5TX(KBkpf75dF5_FfG)yGGpXCU17w9-K9eQ?Niqdrqs|Y2u0W z2!2H9nk-bcZK$v3hJtXjPkm$JX@!C(g<(-PL~{FI7+k%H20nCG%bw-;zlEM+Uu?_Y zZA1$(_Yk|L>B4gBwdOWweqEhW#C*9xQ zM327K%d!sT(5>5_mdzm`c6t-G#ylRYc($Lj1R~87)SLBmbaS@SidS84m+z^WQf2r6 zY21gGr+;<3$HsfEJzz0o*5Rd8rU6 ztn{OcS4y|R@w>~k+lauGRJFU<(~^_qRi zP`6x9t+W#5{7ATj4zDD>OYK7*Z1jo@7J{6w2(IWKJpe#Z@3(-<`kX&14+RTT{#B2; zQ92njFm56rowM=2{#nUU5cQ^F1QzAO_Fu<7rlGy}miG&-Kd2g@nk*o5cXtoq zx1KJkbZQe`5cpCYZHWl0%Asu!(0~mRrv-d|iBXk+eYN7-X1kX8bZ=ofQTKqWHwd{Pj5IqX;lx==xR1>3DWBo|x4Lts;}-V-`YiefJdG-N z`^;ghxb}D(1V>Q#3Tn-pUn-Wax{`CP7p{d9CE0Tcv6R-ee-gj3qt8Ldv$4tGiM2^) zWDpERj`SD2z!LY2IJ#Bs@;Z%H>D62d9F%<rbZl3F_yy z5ft7}7(=^4k#XNTmv|j>+2vsQudGvwEQFw8VqrnQ2qjq^Y|vac7M^~LQHIB~mIdOu zi1JM=vOE^7RQsjHv?xMAK>J%EH-7IY$TB($``zc%Jhv#kH#2P6{iz?9eeV7^4)grh z+()t*@w>lVu$#65Bw)+PfJtcN{A#*!qtr{a`xwfb$z>B5fi}fE6Zz5go#ISR2b-~j zhpU|`h%?O6@ax9uT2h~5+TjpKj`bRyE6Jq7$3vM_OY^O-I{~HdFKC z^^)U_Sz_K{_+Fw~&L{xIPiARG`rK z42u`QN{?_fKdc_z?w8kn{<1BkvU8hYUtU9mi&#+$hvLsf%$@g2?v^e;Ek{e{)n14G z%K5&4s4G0C88ex`=O+GL@5U+3TTRhbUz06=H=g<(C(F4!TQbp(J^8x1gPx*N&&`<< zZAXQHH%-SqxX~NY{fV0g99mHQfkfp6RSMTO4w(`vowouD^w?N^9Gglrw{%d$TGoyF z7Lyjrp5PZe(70r?I?saFFGV}W_PWAN@t+*n*eb_ecSy}HCuugj??|sMl=r7fX=q;r zth1)cdCO>niKCd2t_1MsO7m@EfCGsviLko6Ic_TQ$?#fPO@#gsQC^-(RG8C44(Fer z;UPofbG-(tL7-uO^)4e`N(7tzokBzc(Oc&~fiu!VKf?(2+N&~n=uOJ|kdflbR_oWg zrN^p%@;x?K)(no}pKK?gPYFC0Lt}xDH13m%q0m|v{?<484^%qKH>G}qKX-|2t=|t6 z!6~rC2IGVRYKCkrXv0nIWkWTMwSAKFDS3&jGn-h%&>ve>=D$CD2l@!v4t!E1R zTqX;(w(OVv#and-8nS2R@@94(!RME!A1e&~zoW_(DE?Veh1A~}S=yASVqf)|C`y$S zwt0s{LDz{RhlN~Y&{OZTB3c~kI5;K!ZgD{Ml6PaiR8}_m&7`47`q(pL-=8Y89usgH zgI;b4tM8l`)`!#w2GQiTHwK6Yk$138A{!RZ!iqn?ThEj^p7xOd6y(ES2!uD{pUx}! 
zWkd2xvCuBLUgk=@H3>3QIFFAsm+f*nV?O|Ue1tRSr!d(jODGWuK!k1Gp?uG^9+k?9V~s z6hHD8Lc+;Nz|8PQ6wRcF56&iN1`M%T*?D`NqSDBnP3kz0ra_*jZ%(Zm+w^mli>Lu^ zsad$2%C$ zpT-#av<>ioq3{f0gIs-5$ue#GzG~c24SY3^xcd}!B5gu~vikZZ{`%^;$-3F(*oiSZ zHRCR7aYWtpR&Ue3zy-gnRTYu#y>)XXuVfkLmaEzJfSLKAEhK|M6$2k2^a@9gFcTI4 zx*e2@b07v$zGMuHW#FUg1&KYboXZENEio!kJ4?s-miCKYKyAz?P2}&a@r~C}R3+_9 z8m`00#6+2$@EzSW@s%b2?zMwCte$u$^()DFM@!#5E1 zXTfx#=*VoQOz(8RDD%J|U^C^|qUoKTS6NTY?hFjED_ zVu@aGCvfBN3mwO4s^ox$Uz6}hu(E86u%5v|xu2DtGBO7%Z3d6WAwsjZR{r$OjX#Xg zBLh7MdsfvQP6tRfkljKovIXsAqs}c=gk|_ExW#-HElOyj6yvwL$KiFr$8~c}@-LbM z%HB?6;l1fFf(7};i)!Z}+cs-%uJTa_Z%2}MyKmP5KAk|Vh}4P<(WGi`Qr)})h^!UJ z8pbp=Z8*&A4C2X5qTlIgqo0g*YT66$bxTTvUxaK2g9~lPNgf0TG^IlaXJaV1-V}$4 z1gH6B*$E|IiW#Plb=sUD*QnK;2u@yCw)RTEsT)a1Tk50la_h&JDRm;H7zE}lOO=1l z70>k*voWX<0Vf3pqNOPCyO8hYeWTT;BtN$m& zT?6y*Ng3(WSa9T^;71$pxjMVdrIfKkJ?l9W^OGU%T4)}zLd@WSTp#NK&mISa%r=#y zVvo7$ggMM^RI~!QKSH`XH=q_tkV@Tljv+Fth@vL7I(|M6!MOwfl~nX>r>Vix#UP2( zb-b`vHPhIv`$hp1-isD>W5jH0iJba+qgHR<-OFaL8Q$1Y?0M&a4Q+KWiHuFUc94fh0zB&Z3{0gnTrB8_*0 z+x6pEr0A3u!d@&kEPknQ@4x&KgJ9Nz)N6sLZ!IMXiC3_o^$WUn3gW|XL_ml##t&D< z1&244Q*Zc%_h|4z)I(w&>w*IV*wt*g@FjRYY&|K%T)07QW&V^(KRL0a^hI8$n2Ko{ zqTAxIj4+Ly11Uz*po~3}kqIN5+r3EL(DiK`G`kb~*X<(+luKt5uWcmZ|M-;>#4sj# z6eJB4fQ5Y3T$IUB!g6Aayv#%lPdEE&3%Rw4^L5*`crsG2oe(Y8u$Krl#$0|C)#U;r z04Uqq*nxXO4CB8^D5(J6aj?%<$i(67&@;Ifm<;EXlvSqcoZ3wrJ`}4kD>z zrg_Lx_IQ(;f%^bm6qFjc(L8#1zq|QJo&H<=w|{a-!d=SAK9?+IvX~DY;Y|9U3v`>} zvw&QT%JC<8EF#}C<$C6Cm~~fkZJs3`^&%t;FC0^|N-uoKs z6Ienqk{(ybL_t}*LD+#Ob$9v4)_@=t5mmg-G^>S~S?a7u{>U}haK9PzlpseyMy($Abt+S+%?uibzzHRWxVd2>bTW$=>Ty2 z`Nmf&dh(6z%h@PCQtOBs5xgH4@HB>#p+IY3rB}YgwoPrun`Jd-E)q-vb)p zI=wT3!()W`>^rn+b2%<(-+xS8-;5s9fRzlSMpnZ2q;!mEQ_B1-zz-`mNevZ#Etypi z<{{y%L-SOAr5N@RNz=_FG>n@OTok^es2@g;o@4(@;PDpf~JmYGmKdL){`6DRQeT zd(o!hsxsf^78X1f&EtQJIe!=_uJWGIZ?L*YxcgLlvcs;=pp*h`%jR|e^Oq<$MwK#30it5QP(U0@(&fghm?8y*_)Gl!k-~l{h1G&} zMZp_!eUDwL%niMJOxUMHR!^%}@NuGEzbkHepI|u&8x%g9w*lXwviyF|N)}%U<^evW zv}o)v@-e@5N8nqDO3TUV#4%9}j-`}mu2Gpp1o_{_**BfXkRg*CrGHE}UT^RZ5{dvX 
z>!&i9@NNz~y_~7o-0^U_m9XA;GSVDaU!h;8<37adW(i!wQ?LdxIE4^|@V;+-XWD_Z z9Xc6n&WB8-ZJu-mz|YIkQIv}Tc4taNkx>isb9M3ls74&@;n)ZP=t#b-39akwUuYwU z`$0}=z(2A=4jp){H&Zd}*^Em-N!gD`g%$#Y*L*LR&O22L*Xk}TRbW7(NfqC13@4NI zjhhZq>6=^Cwd*o*j{=`dr?t9`=B%gd`%ud9WuVv_KI3EbB_Tq0%hfVNdD~;-VDeiU zC7ccdJhPWSzj#^&*I1XNA&YYYzNeQU{osn_4TC51599L^RijY>ym*U?tJz6^;)k8H z`T6(o*=~13_~}4dz055pw`_L=k?{pM^9%F*8i%7&_(ucYbux%|=#L&Z$O^a;BSqFL z?Kcy6FJMr+N`0P7KxQ>wg^7uvb4%O8iw~44Q^F?T{3ED=<=_7cppCyV(rK54zm)Fzzov?@+%Zk@oq^?8P>(gb=Bdv85K`KMC z7uI2^cCB-dJFw7?t*lJDI6goYg~(2q=)~|X?uq|zYDT7e#Uwg%&-NWdZcWUBSr*VR zO*EGvvExvH?~OhS!(L*(ugQlh=%J$X+Cy9 z)clN1&lLM-5Bc&P6IDPY?FG;u1ja5w@kA*?O_I0*?(0e(?dmxE#!5uvh@{-rXT+|dO|5ur0+{j4Q?MAdkj$kz!88+NmhVo ziA}|_ZoH8jG^d?y8UzB>AI)dGz>}?Byr`t2PzMp#Bxu@s&+Bj6S@(u_OV^<8ih4Z+ zN1DcQ37y+1jKp!RTno9Io=(&&nzMMYg0a8nffP|o2kW9gG@*0JK)m&TR9GSV#m zCX@;~wUJjH2$P~xdGIyiPQY16J?4}_Y=ta(w}HvdZNaDQzNnA=^hs(7Uq?rIEA?KY zEiT}iU*k5X;0|Ipkyl{kaL-xPnl5^(K+~*=OgOoQ$t$N`Jd&uja+&(|=Y94M!;oi@ zt{2#kvAKd=1iY2U24QPjT;qU3S1j3wR`ee|vWpo3qJXFJJWSey)Lh0!^1_Hae(|Oh z(wQle{pKOBo+Wh4mDy_n6$iXyx8PeeDWA@7C7vA4$~PR#0tDI{tEs&6`W~dM zkVUO)@M+HMlIt}ci`_>$WrsF+D{25dFsT}>nwNYwMj=9Olv8eZv)XIBGnx(Tnh)ON zJFSav&sm^)b$>L*tmkK4fOf&tJtMY%*`vAtk|~70(eJ8l8nI=2O0Zb}xwv=Ye&8cv zHFNv~H`9K?$xI8xHF(p;fF|E%ca?%wm$*#dHm(+tZ2YU*&xZ{~xrBY1h?x=~u`#st z&WcT$c0}jM-er=C;(bk2+{(~VJ?t}WU!mjRYuLAjz`BRQnt0*VHAdV{gkI$PmEc{N z`OQzk(t4eH2t$-DZ~ciTQo!1OCzX543E`P=!y0coY^jpi7BM-y-5&i59`^MVdu3hak0Ui6FX~4;Bk1Zi#yl}zMB?@85D*ukWiy!l z9{`v^XTH(l-=5;y?$(QZ@BHs8*|=h{uL+fLeDF2iT;RC~!Ulu{2zhL2ql5+lf2)bQ zb?eHqWy?ZS`4MUB~63;*X zyuizRbtNQR)G!gzMZ0e??niX

9!^W`A-akbdaZc4?VFb!y+V4&Q{&OhzrCVQ`x`HZpxmxY!kSt(Fr=k7Q?IilISAWj3r&5Hv-eA|)qkfER z%gC4Y-mxy&`a`9!D*BIr-yb~RF!rewHJeA)@UHRFCS=(5=(ep?%WveciGJa>ckS8IEw^k0!r7g)Al-jbqGfaeu9F~4X#6Kms>|weCSQn$po|-O?hgM{-L5|5 z^6BvsAzD)N`9ebu=tN7yLgl^fP<=L!w~b0-sBVOIg6H(d)v0|_e6R<&vWi+xV6uRT z8;Gk&6OgU2T!7%sI-Vh+A|y~J>TCDLenC4TU2x1K{616`LIQYRa%_V2GZE?77S+BM zhIIer+#2#|?<9G{ocQrd-^%5K0WS?ysv;qQXBzw@fRMm*T}7Y!Iwt5CqziJ*hftsS zxYqGf$3m2Mb!lD=F?K-wL&PBu%0e{sjcLyKgM6r0$05D914%r zE2CBw&I$|+_*7(4RLBNc;Y#cyd(ld zp!^8n4I(DYk>Wq1s2)u-Ud_9iGvU=C9omexSA^ifhlvP0)5D=92#NAKXsd{JhFYgO zw{j;fxW?p47vVY~vXdV(Dfw{2p+b`|v{}oz*C>ZF?xYX-RIFa_#K)F1*AT5wCwPaI z@wU%55ya%oTbGtqeVPZM_Q$5F4pR<-cIqV3_Qj;T6GG&{J<_xepKh-X)sH;gyPb$4 zm0FaXKqn$;ONVRyrQ0>a1vJQs%0Ntn3!n1T3kR61|5Qt`-LJCA=wssKpgA35(5!U% z)2Hdu-kjRe+5A-oajh7uA|avQ0k$OAXSOpo*ylU$%`+V0KL+91uYxocJ0_TW9YZwU zf6OQpkFn3x1wp8~5$ag0?Z7=m?-6SKszdLQ&$h=qR{7ui>q5GJS$912?*nv$nD}_w zt8(juPoQ|E5p{6cr%xZj@z|8`AmDD}a2=|Kr!}5hE8i#+PPAAz5hx)7?i<7s771%M zOzI&phlb$oXRs&v*sk%^Q%_m{5pV)Ga^y%75*BUG#}?xyTqiLaZ6`@ZOwMp}hEAN2 z-%eV*6EdAF=|o1;5$c2r*IJ)WsBD}wF~cMYX{rzT@dwc~&s~8o)ai<=8)f{{_1;bZ zy>)3Bous+_bSHC~j`}oS`>gGB+ftdYVOoi|N|?~Weq468;|^o0m8~EGiT1MtWB>n?T$0Yw?npU z*%A?bsuD+n&il=?FUB9y`M>ViMl8^o2;|x)Ow`JuK^&bHpB6K2KTB%CoDQq(tDi%;@-Wsy1bJqr0ImOkZ$h;4{5Fh%A@rmpSH-MBp{!jc)^tTd@BSa&~IwH`wiD%aD#u?`Qy}Uo-K$(IN z2SNe_Yg=<-Cw9XS<4T3@~w;$A2-8ygG(xsJc`SLN`wJYPyac zh<9~po$h$!=0$n!gN{vZ`%owDZRi~{3ypDJqQTZ<`smZ)&8zW++U3Opbwk$!w@k3} zhe+@VfHsv>>eQ(dG1~@8+UBa3566T;a&vR7vr8N=9ZrcDQsTkcYvt>8d*p+4`z#*k zwyG_=(h47&xL~Vi?`lB6@Q*9tSCy`8WIvELk#DsyOR|y<(trWCohQC ziA$l0l1_M>1-zT?n`k)`AL!CamphR{JOpuC4)^W^3-=KJJf7HsPqYDodbBUvF1>ft zv~RYIcQR)cm=9Yn$wP*qjEd@W+X~%PRWSL)Vi;BvASc`-MDYd^Z}5XXL3N*RFf9+I z?}*ZTk9dCJucF>CgOGUVop@U0rAsg$R@u0kxC>DY0nL zqOiX(3@a%C3kO&;+&X97VK{!UYL`fkcVByP3-QBBIuYh<@G2+hQ&D(im{HfH&o&;j zXa8*QgCMUlTRgY@QF7yeRwO7qs097fov;U8c^DL8!U)@4s(* zKnscDzsUND(Z0zFa=Mckoq!bxYc+x6 z)vzZNPB9_44<;#r?HV8BaeN$bQGG(5w~N~Q*?M+pgFea<=O$Z4mY z7ARYlj{~ONjB{jlavJF!Zc#H@-uyLNazgm-syvtk`*&NOwp3JEIJnfY#P?kHF20Ma 
zQ_CO^uJODNBsvZt)Gvs?PSu=Fqt&TLgnX8&faC1T85u*!7E z{9!!_V}#Dcv&}=wC1wmk@#Wu6Bry@>uV(m1>2{(XWVI2a?)I(;g^q1^xb4#V+%j$-Y=g{4QMxoeP`Gr*A<105KsK&e9Mr{m zpt>R<4%QKP^N0{{JYW{k#?jrI`^w z{+-)APF5N+?KkhXh|>OsLYY5Uzt>QIynA@cYrZi9I&>`Xzs9|e9X8FoFvqou zk^|5I(eX&*QC`Vw9T(lao>B#E(6(s3TE^;jbm=&Vcvm0FX&KdpP}}3?)pXV2KMrc! z-E`HZb>N6l2*~P47ku|{a0z09jxNLhZQ=9{kP_Ele|^~JOJQ+z`GDD~(dTJ%j7?@v z!5_9O7*9mAH>HWho45NUB+C9v1$Owuc8(gx|F%Ip#$A+SxC3S-N-FM&Fw~0LRvt+*xyg9OdCCuVpCmJY;35rgP{O|2# z#Y}YkCo#yUI*`XLuahV{5%Ny1R4+n^Tc=*5++k(B6E94(Aa=s#ZI9Nk6E3u2>%qbV zh)%3DblZw+jfXCX>Ou%{^W)y8n{w6(XmYe*&vJDTorva{XZ)c zdAr7u`Ufj75Xa>?Q3!+td`N(hXxg-?fMn&VL1O(Kz|RC6o<_3VXo&TJEh4Xtb&anJ zSE>skfj+~kOP}Y80md4{x$(G$_{J@-MS&fcOn!(i^f4Z&`0KFakx6&QCFF%3h+D6g zReh*i$3Z(TdB;L+lSe~=F5IIYcRW;`T1M+dUe&GFHuUyI>q8uL6dG&2?Lt~nJHC-d zAp#{q04L&wTf#z0O#0~8f;afsUSJo_CZtph0w8&k%zzB6&7}33w^x#wC@0eHguR@q zDn)VZ(Z*H|Oqw8==)4%}j{q#9b@GB#T-(r@h~Zur>HZTe zo7qXnJtjfEiI8`qqmvt(X6n!h65`!Dajg?G=t4d%gL|#trgTeohtNtn2W+ZmXD8^e7M zKNC7Ogu5+)>hCi%O`cg9c|I`qnBz)SV1XFStwyRh5<@(%RCK(-y^a$)9wAQ06Fl$T zv1ikUb&{C5$2TUSY@zYUj1>!(t(4Rxp$Tp>~<St+Zy-5wFWoN$Z@cfg;cDL^(tpxo@4XWcJ2}Bb$vZL95H%tnMB{YQf;ddFAV|{* zp60U&-ZWf8k4}O#ug2T*PW?9CArUkmLY;6Gs@u`6c~qybPLoH=_+x=G)*8apsqNQL zC#JAGsV;)w&ah#_>|z<)Hy{YV{q|eA^wLZ1eMvsl`YTeMSeB#@#pS^>41FxAxP(Nb zMva7oMA67$L5+nqrE~~%i{2)y|5U3=pR!RLB082K51!qw;JL4hb3E@Mc+UUu+a~$* z$RTpYgo&OwjEg${m@<$*S{U79C3XOG-_*PS-rQ_Ay+`n7#JUTb@N@!qi>CA7`H z5aYRNM`iOXv3GB1Pe^nz=XGQv5OPxD<{7_ukRTxuo?nDR0^!6HO34w>342xFu2CE! 
zSgc@TuiH6rU)DE}#nn??)8GeSi*ZN5;ZCfyj4$-&)$)kfI#J$jo9Zhr z#G5q5N%z+lm%pl|!72$pNnUy76-!REY12lcqM~HXm@y^lYIU*x!t<*%+c~gZ1B3*^ zkt0Wz2+Qi43CCB0n1Dl6%8?NO!GH3$5A9KWN6uaKa_IA3$1D5H_l`k!Y%$k1&5RWo zA0UYT{__tcwQ&>qX~{xaxqh2n(CavYJYR3}SaJGqX{ep=iQi{l4A=D-eHM@z&UmEl z(J=`+>qv%V=VbfFX2cj%7S1A8)+xE-6k7g8#OWVKS>VPio z1L{|?@xa0K+v@j*z|L16%9=c>X3HXl2vlYSLi!7amBfNg2RwMihqUU-{2c|q?Oq=f zw|-)_(NIc+Ky{h0mk11#Nw;&r`5mORZy;?UejJ7X7MAb6^1Ssep%WsVl<0z6@3pW_ zVB9w%;TnQGnvSw6(5Dkl)o<^;x(nrX>Q`O1 zJw~6F_4Uz|w{hM{AM$BlYz;vj^ZxIj6>=n|_ASywSWSSOm@{XN-O_REt+yVr$<^)o zR?_Vp*m?#F6c7>!DMv;C#030IkeDbQD-aT}E@{%Fi9L!BCsn~Rr@9D^E!Ob}eb#5Z z_Fu;W9V;}wQF6X~{N6h2FcFN>t&Ch!PJt^XUSE68RHwz?zrO)dHlJTtnU9jdAFQ?*4c8w zpaF8{gOA9j19?(AKV2@n;wl+>dM`Qg#1rN9ryr5c>3K5i(=TM)g+pw8GoQN0*Dv(r zzVVmYHlYov35Vpt+i#K)XPzn-4I3omZoJLv)bR`z>llo(xORyMi=FA4&2Pd5Uw>8U zPMbP#z`GvweS^HH?g)gG8F=Kgb)Kyou#&)b0!nxgfR72U&{{%~C_0?9AhTL-*C-kh zPYQ^L()gJ;l0K$;5Wuzr969*-6O(-t5u{i`z`Gdt#|o1cotzXG>ZC^X`Rmb%kEZJc z389h-nx>)V(Fv5Veup@)Wz9YMpc5>FDjIKfns}XnLYFJh<1gALt;0W^_eCRstyk@g zvtImPu8vYtG8KdbedCnw7Xo5JxB8W?WYy2DgampD>l zoULU`M!vlJ<{Q$e!BO(&$6v_Mzg{nUcJ1<6O6YjBX5S%+i}F}0qP}$F?_*zPo~-$4 zg&{%Sl}F$BNM?Wdfh=43i{x(qO_qN7u^h@wmw(QfBac4+vb_8L2QvGM`O>zg$gjVx zli@?plVRiUD%AG>y!wiDNcpenAIfLnERhx8FO?ZHX2^eMeI~niY?B}6e`?2BG+ap; z9p8Wz;uJIgu`pi>Z+)?y=LZoe1p<+<OchZMYYBKJfA!x} z<<P=gYayVMHUGCJh_{P$6WYm)-g}7xjl+b@)#)zmHQuM&DT}taWqo

7xLpwZH%K~0Z7jI*Xs+fABoDVaa# zb2;<${*u_JwX~=iCuf~`rp)-@LsV(=`j4HsSFvNScRbd(D9Pu$UIl|;r9~iQq(r4f zsH!$R#`8e_VBNl|+QV}7i`Ee(hYv(VS&t1Zc`el|Crt34d+s^AM|9%Y(el)jhMX{y z5=@v7V#21P_ZlMJ<};HPoowkn@<24NPWtp-Cx&{Dys86nRu4k&8!Wwdb*c{kvbfj! zd=pV`dvI@w3a1X-D-od~blY~A`hf|YpG})GS^AE?)=tQ9q$;qZ6pui4+pbYO8Xhv0 zzHyF(QrXhg0cLgI&Vj9taA*lU0ttvOkg2emShQ%7wVJ5vTrD?E#5LwJQ(BXU~XdS>fJ!9+R)RkDiW z5YX*2SsqXA#bvE-X&@wM9Z~vk9eyV876@B9@b(dZkfJ7GrLUoSmB8W}e|mh{=+UDs z05H?UTahkZyV-?!o;ewFXXYW9lNfEo`rZ&uui%Z_4HZF@!6RUfH(a#%J54GSqMjXD zQPLpc@X&3?(j|*!Tc$|E#3G{L-YEFTAB9canlaXkF>5`Pn4C$thQ5K zPhZftS6-Rw*_V647)wat7*+U@pml_zS$qhq01%0k!x7*!>u^kh5u<)4;9#^mI*JZt z9Z?jn*vxl-FkZ2!O7A&z2=$%#wb+Pm=Fe z{wSNbY?HQzgi!q;#WyF{wmx`%-nc{J^KxYUPd`X^vz2nw_w(efS6-C+o_rf z-nv=lE&g6k>}PyatX?Lm-OiGB`Dt?P6@QV-ulk$Bn(gV?p3|y5B)*qOM_(Iy`L9+6Du46`1YXq5Wtp$+ZJZXx->rAeV~-`0+V{Y5yB))i3x1) zm^vW2l$w}b5zsgP8frX3omA7=Uzj{sIeaF30w!#;pPu?t?ke>e;p+`4Fji+ zVCx0Kp1peetU0bX6GpdP*G~wrHRJT&S~bHW5Ww?|+ck;+$BD*si_a_vkRV>d&qQ^z z(kTrgp-^Kx2P`MP`Q{sW|NZyn`RAXP&6_vN$tRy&WwsK*caqQY4daekgcr5o#`7O( zv)`X7LkFMhBP1}+9DnK=a^S&-WYdbpGI;bjdHUX)<=vN`k#=p{S~%h8vj4dw<^BnO zmJ0{=mFV~cY2KoR-Dcs|*Z-uhGPy<_`P=XTlG-TMIv~aAMT7eElGk5;QAVECM`{@h zh`M#_$$+!Zl^W(Gk4blbFV_z5D;Wnf3mo z8GE7edtt0EroZu;j51{)#~#;Fh7UZW&{(JKv!U6BqW8#;YlzS4(7c3L$EmBugde3x zpjNF~r7u(gC8F|;RDj-qDx)TR>WO!br3{#nk)c5#J5MA#SMvXPc4+F0;96)M5&SO) z$A-ds0s^99oFOXk#*9J)h(Kr&sBR0vV4+)<1!b`6uF86<%kL4#qn3BfgX2qBO)Ois zOinoA1gQ#E6R`fn=^L`P~rWdv@-Sy7e2FA0Q0;$%#XU^5mNh>C)Qxo4`pTdAl}CjCnzbQ&^OIQGy2g zA<*Mmm3U$cFhKjK|Ln2XQvoE8^SZc8-cb)w89qn<1*Js^v~F$t<;+c;}sWWY(-%_6vd41h#lYg17wg z{6btp!X+G(kicTwpR7;)bnrSf_HOIY1-MI*w`=wOM6xpU`QQUZ=-u?=e4v}x9$EO~l)w(K!y zQBx`w0Zi(#ePdK>vz=pY4jo`tEZo#i1ghP>{fhp|^{C^DSa4Q!+ap;&hzawsQu1L}n6y@rU> zI{ovb&Ue1|IJHJTO34tIG-;AABdi^!Oqn8c=FE|Y9(u?ZUtKP0*M@~r_=TiI_`d_T zAjAlSa{|<(evCP#AYay3GiRFW?O**&&@4K{KYCVIZ4lsgjf(rK`P`})Y~cvGGXHKv zNml804z-#9IRQ~};{5Z^7kJXo$;q*&Ng!WRl37`MW&Qf~_KmI^r)i-MU7|qi);KrR zg};Wryh=!TyQic97V@}OQC*uhu9FT;>dS$c8a4@jB?h(d_>RzpKFEUf&8uW}UK44T 
Date: Thu, 4 Apr 2024 14:53:16 -0700 Subject: [PATCH 06/12] update diagram --- content/security/images/jit-enabled-flow.svg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/security/images/jit-enabled-flow.svg b/content/security/images/jit-enabled-flow.svg index e7f65d7592e8..dcc425c5f367 100644 --- a/content/security/images/jit-enabled-flow.svg +++ b/content/security/images/jit-enabled-flow.svg @@ -1,4 +1,4 @@ - +
@@ -18,4 +18,4 @@ - Account exists in Docker Hub?Update profile (if needed)SSO sign inIdP Group mapping?Is the user in an SSO organization?Create new accountAdd user to org/groups according to IdPSSO successfulAdd user to default org/groupsYesNoNoYesNoYes \ No newline at end of file + Account exists in Docker Hub?Update profile (if needed)SSO sign inPending invites to the SSO org?Is the user in an SSO organization?Create new accountAccept invite and add user to SSO orgSSO successfulUser is not authorized to access orgYesNoNoYesNoYes \ No newline at end of file From 9cc6f972d4253c504670a5a0067a24d66e50bf50 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Fri, 5 Apr 2024 11:34:11 -0700 Subject: [PATCH 07/12] add details about multi-org sso --- content/security/for-admins/group-mapping.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index f32e35abf114..30df7d4eab11 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md @@ -31,7 +31,9 @@ After every successful SSO sign-in authentication, the JIT provisioner performs b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed. -2. Checks if the IdP shared group mappings while authenticating the user. +2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user will be added to the invited group along with group mappings in the following step. + +3. Checks if the IdP shared group mappings while authenticating the user. a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings. 
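Review bot: the file edited in the @@ -18,4 +18,4 @@ hunk is jit-enabled-flow.svg, but the new node labels describe the JIT-disabled path: "IdP Group mapping?" becomes "Pending invites to the SSO org?" and the "Add user to default org/groups" outcome becomes "User is not authorized to access org". The JIT-enabled sequence added to group-mapping.md in the next patch keeps group mapping as its own step ("3. Checks if the IdP shared group mappings while authenticating the user"), and nothing in that text says sign-in fails when no invitation exists; that outcome appears only under "When you opt to disable JIT provisioning" in the following hunk. Either keep the group-mapping decision in this diagram and put the "not authorized" outcome in a separate JIT-disabled diagram, or rename the file so the image matches the flow it shows.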
@@ -54,7 +56,7 @@ When you opt to disable JIT provisioning in your SSO connection, the following a b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed. -2. Checks if there are any pending invitations to the SSO organization in order to auto-accept the invitation. +2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation. a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user is blocked from accessing the organization. From f539f0b5fd1e8009cf9ae8633365346fcff05327 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Mon, 8 Apr 2024 12:04:39 -0700 Subject: [PATCH 08/12] implement feedback --- content/faq/security/single-sign-on/idp-faqs.md | 5 ++++- content/faq/security/single-sign-on/users-faqs.md | 9 ++++++--- content/security/for-admins/group-mapping.md | 2 +- layouts/shortcodes/admin-sso-management-users.md | 2 +- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/content/faq/security/single-sign-on/idp-faqs.md b/content/faq/security/single-sign-on/idp-faqs.md index de14e867ce97..6e20843215ef 100644 --- a/content/faq/security/single-sign-on/idp-faqs.md +++ b/content/faq/security/single-sign-on/idp-faqs.md 
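Review bot: in the @@ -31,7 +31,9 @@ hunk, the new step 2 leaves the precedence between a group-specific invitation and IdP group mappings unstated. "the user will be added to the invited group along with group mappings in the following step" can mean the union of both, or that the mappings replace the invitation's group; say which, since it decides what the user can reach after sign-in. The same step should state what a pending invitation is matched on. Step 1 works from the email address of the authenticated user, so "a pending invitation for that email address" makes the authorization gate explicit. Minor: "the user will be added" should be present tense, "the user is added", matching "it uses this account and updates" in the surrounding context.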
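Review bot: in the @@ -54,7 +56,7 @@ hunk, the parenthetical "(or, SSO organizations if the SSO connection is managed at the company level)" has the comma in the wrong place; write "(or SSO organizations, if the SSO connection is managed at the company level)". Because step 2a blocks sign-in when there is neither membership nor a pending invitation, also spell out whether a company-level connection accepts an invitation from any of the company's organizations or only from the organization the user is signing in to, as that determines which invitation an admin has to issue for the sign-in to succeed.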
@@ -44,7 +44,10 @@ Yes, bot accounts need a seat, similar to a regular end user, having a non-alias ### Does SAML SSO use Just-in-Time provisioning? -_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon. +{ .experimental } The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. diff --git a/content/faq/security/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md index 61f74ba0e078..bba7ec31f6f7 100644 --- a/content/faq/security/single-sign-on/users-faqs.md +++ b/content/faq/security/single-sign-on/users-faqs.md 
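Review bot: the beta callout in this hunk is ambiguous about the default. "Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default" can be read as JIT being enabled by default only outside the Admin Console. Split the two facts: "JIT provisioning is enabled by default. The option to disable it is in Private Beta and is only available in the Admin Console." The same sentence is repeated verbatim in users-faqs.md in the next hunk, so fix both or factor the callout into a shortcode so the two pages cannot drift apart.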
@@ -57,11 +57,14 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Is Docker SSO fully synced with the IdP? -_Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon._ +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon. +{ .experimental } -Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](https://docs.docker.com/admin/organization/members/#remove-a-member-or-invitee) from the organization. +Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization. -[SCIM](https://docs.docker.com/security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM. +[SCIM](../../../security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM. Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process. 
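Review bot: the two relative links changed in this hunk use different conventions: `../../../admin/organization/members.md#remove-a-member-or-invitee` points at the source file with its `.md` extension, while `../../../security/for-admins/scim/` points at the rendered directory path. Use one form for both (the `.md` form, matching the members link) so link checking treats them the same way.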
diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index 30df7d4eab11..4f3c8c432e99 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md @@ -31,7 +31,7 @@ After every successful SSO sign-in authentication, the JIT provisioner performs b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed. -2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user will be added to the invited group along with group mappings in the following step. +2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user is added to the invited group along with group mappings in the following step. 3. Checks if the IdP shared group mappings while authenticating the user. diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md index 1b3826a25f62..c7c489354075 100644 --- a/layouts/shortcodes/admin-sso-management-users.md +++ b/layouts/shortcodes/admin-sso-management-users.md @@ -41,7 +41,7 @@ ### Add guest users when SSO is enabled -To add a guest if they aren’t verified through your IdP: +To add a guest that isn't verified through your IdP: 1. Sign in to {{ $product_link }}. 2. {{ $member_navigation }} From fe1cfe65f15649ca2339d47cd8b1e2a2476eb098 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio Date: Mon, 8 Apr 2024 13:51:43 -0700 Subject: [PATCH 09/12] move beta feature banner and link to section --- layouts/shortcodes/admin-sso-management-users.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md index c7c489354075..f38b87a4ddc1 100644 
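Review bot: in the admin-sso-management-users.md hunk, "To add a guest that isn't verified through your IdP" uses "that" for a person; "To add a guest who isn't verified through your IdP" keeps the contraction fix and reads correctly. The group-mapping.md change from "will be added" to "is added" is fine.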
--- a/layouts/shortcodes/admin-sso-management-users.md +++ b/layouts/shortcodes/admin-sso-management-users.md @@ -32,12 +32,10 @@ > > - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) > - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +> +> Alternatively, see [Manage how users are provisioned](#manage-how-users-are-provisioned). { .important} -> **Beta feature** -> -> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). -{ .experimental } ### Add guest users when SSO is enabled @@ -59,6 +57,9 @@ To remove a user: ### Manage how users are provisioned -_Beta feature_ +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). +{ .experimental } {{ $provisioning_steps }} From ba73106211d423c2eb8585ecaf761428e56c48ab Mon Sep 17 00:00:00 2001 
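Review bot: the new in-page link `[Manage how users are provisioned](#manage-how-users-are-provisioned)` targets a heading inside a shortcode that is rendered once per tab (`admin-sso-management-users product="admin"` and `product="hub"` in manage/_index.md later in this series), so the page will contain that heading twice and the anchor will resolve only to the first copy. Either make the anchor product-specific or link to the page-level section. Also, the attribute line `{ .important}` lacks the space before `}` that `{ .experimental }` uses; align the two.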
From: Stephanie Aurelio Date: Mon, 8 Apr 2024 14:27:51 -0700 Subject: [PATCH 10/12] update tab order --- .../single-sign-on/configure/_index.md | 20 +++++----- .../single-sign-on/connect/_index.md | 8 ++-- .../single-sign-on/manage/_index.md | 40 +++++++++---------- 3 files changed, 34 insertions(+), 34 deletions(-) diff --git a/content/security/for-admins/single-sign-on/configure/_index.md b/content/security/for-admins/single-sign-on/configure/_index.md index b32dfa4badb4..b7d44aae1b71 100644 --- a/content/security/for-admins/single-sign-on/configure/_index.md +++ b/content/security/for-admins/single-sign-on/configure/_index.md @@ -25,34 +25,34 @@ This page walks through steps 1 and 2 using Docker Hub or the Admin Console. ## Step one: Add and verify your domain {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-domains product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-domains product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-domains product="hub" %}} + {{< /tab >}} {{< /tabs >}} ## Step two: Create an SSO connection in Docker {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-config product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-sso-config product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-config product="hub" %}} + {{< /tab >}} {{< /tabs >}} diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md index b82febb0ba91..9f55da196156 100644 --- a/content/security/for-admins/single-sign-on/connect/_index.md +++ b/content/security/for-admins/single-sign-on/connect/_index.md 
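Review bot: the reorder in configure/_index.md moves the Admin Console tab, which carries the `admin-early-access.md` include, ahead of the Docker Hub tab, but the intro line kept as context still says "using Docker Hub or the Admin Console". Update the intro to match the new tab order, or say in the commit message why the early-access flow is now the default tab.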
@@ -32,14 +32,14 @@ Make sure you have completed the following before you begin: { .experimental } {{< tabs >}} -{{< tab name="Docker Hub" >}} +{{< tab name="Admin Console" >}} -{{% admin-sso-connect product="hub" %}} +{{% admin-sso-connect product="admin" %}} {{< /tab >}} -{{< tab name="Admin Console" >}} +{{< tab name="Docker Hub" >}} -{{% admin-sso-connect product="admin" %}} +{{% admin-sso-connect product="hub" %}} {{< /tab >}} {{< /tabs >}} diff --git a/content/security/for-admins/single-sign-on/manage/_index.md b/content/security/for-admins/single-sign-on/manage/_index.md index dc664aa99c05..6bd8101a1c27 100644 --- a/content/security/for-admins/single-sign-on/manage/_index.md +++ b/content/security/for-admins/single-sign-on/manage/_index.md 
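Review bot: after the swap, the Admin Console tab in connect/_index.md contains only `{{% admin-sso-connect product="admin" %}}`, with no `{{< include "admin-early-access.md" >}}` line, whereas the Admin Console tabs in configure/_index.md and manage/_index.md in this same patch all carry that include. If the early-access banner is meant to appear wherever the Admin Console is the first tab, add the include here as well.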
@@ -14,68 +14,68 @@ aliases: > You must have a [company](/admin/company/) to manage more than one organization. {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-management-orgs product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-sso-management-orgs product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management-orgs product="hub" %}} + {{< /tab >}} {{< /tabs >}} ## Manage domains {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-management product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-sso-management product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management product="hub" %}} + {{< /tab >}} {{< /tabs >}} ## Manage SSO connections {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-management-connections product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-sso-management-connections product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management-connections product="hub" %}} + {{< /tab >}} {{< /tabs >}} ## Manage users {{< tabs >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-management-users product="hub" %}} - -{{< /tab >}} {{< tab name="Admin Console" >}} {{< include "admin-early-access.md" >}} {{% admin-sso-management-users product="admin" %}} +{{< /tab >}} +{{< tab name="Docker Hub" >}} + +{{% admin-sso-management-users product="hub" %}} + {{< /tab >}} {{< /tabs >}} From dea1f439aaaccf5bbbf62b6f50084189c81972a1 Mon Sep 17 00:00:00 2001 
From: Stephanie Aurelio Date: Tue, 9 Apr 2024 14:18:34 -0700 Subject: [PATCH 11/12] update diagram and provide clarity around sso error --- content/security/for-admins/group-mapping.md | 8 ++++---- content/security/images/jit-disabled-flow.svg | 2 +- content/security/images/jit-enabled-flow.svg | 4 ++-- content/security/images/provisioning-error.png | Bin 0 -> 22704 bytes 4 files changed, 7 insertions(+), 7 deletions(-) create mode 100644 content/security/images/provisioning-error.png diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index 4f3c8c432e99..6dce0c848d55 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md @@ -39,7 +39,7 @@ After every successful SSO sign-in authentication, the JIT provisioner performs b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection. -![JIT provisioning](../images/jit-enabled-flow.svg) +![JIT provisioning enabled](../images/jit-enabled-flow.svg) ### SSO authentication with JIT provisioning disabled 
@@ -58,13 +58,13 @@ When you opt to disable JIT provisioning in your SSO connection, the following a 2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation. - a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user is blocked from accessing the organization. + a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user encounters an `Access denied` error. This blocks the user from joining the organization. They need to contact an administrator to invite them to join. b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful. -If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also enabled SCIM. When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage users](/security/for-admins/single-sign-on/manage/#manage-users). +If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also [enabled SCIM](/security/for-admins/scim/#enable-scim-in-docker). When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned). -![JIT provisioning](../images/jit-disabled-flow.svg) +![JIT provisioning disabled](../images/jit-disabled-flow.svg) ## Use group mapping diff --git a/content/security/images/jit-disabled-flow.svg b/content/security/images/jit-disabled-flow.svg index 5ae3e14e1310..dcc425c5f367 100644 
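Review bot: this commit adds `content/security/images/provisioning-error.png` (per the diffstat) but neither group-mapping.md hunk references it, so the screenshot ships unused; either add an image reference next to the new `Access denied` sentence or drop the file (the final patch in this series deletes it again, which suggests it was never needed). In the same line, "sign in fails" uses the verb form where the noun is meant ("the sign-in fails"), and "They need to contact an administrator to invite them to join" follows a singular "the user"; "The user must contact an administrator to be invited" is clearer.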
--- a/content/security/images/jit-disabled-flow.svg +++ b/content/security/images/jit-disabled-flow.svg @@ -18,4 +18,4 @@ - Account exists in Docker Hub?Update profile (if needed)SSO sign inPending invites to the SSO org?Is the user in an SSO organization?Create new accountAdd user to org/groups according to IdPSSO successfulUser is not authorized to access orgYesNoNoYesNoYes \ No newline at end of file + Account exists in Docker Hub?Update profile (if needed)SSO sign inPending invites to the SSO org?Is the user in an SSO organization?Create new accountAccept invite and add user to SSO orgSSO successfulUser is not authorized to access orgYesNoNoYesNoYes \ No newline at end of file diff --git a/content/security/images/jit-enabled-flow.svg b/content/security/images/jit-enabled-flow.svg index dcc425c5f367..e7f65d7592e8 100644 --- a/content/security/images/jit-enabled-flow.svg +++ b/content/security/images/jit-enabled-flow.svg @@ -1,4 +1,4 @@ - + @@ -18,4 +18,4 @@ - Account exists in Docker Hub?Update profile (if needed)SSO sign inPending invites to the SSO org?Is the user in an SSO organization?Create new accountAccept invite and add user to SSO orgSSO successfulUser is not authorized to access orgYesNoNoYesNoYes \ No newline at end of file + Account exists in Docker Hub?Update profile (if needed)SSO sign inIdP Group mapping?Is the user in an SSO organization?Create new accountAdd user to org/groups according to IdPSSO successfulAdd user to default org/groupsYesNoNoYesNoYes \ No newline at end of file 
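Review bot: the blob IDs show that the new jit-disabled-flow.svg (`5ae3e14e1310..dcc425c5f367`) is byte-identical to the old jit-enabled-flow.svg (`dcc425c5f367..e7f65d7592e8`), so the previous "enabled" diagram was in fact the disabled flow and this change relabels it rather than redrawing it; the commit message should say so. In the new jit-enabled-flow.svg the decision nodes changed ("IdP Group mapping?" replaces "Pending invites to the SSO org?") while the edge-label sequence `YesNoNoYesNoYes` is unchanged, so please confirm in the rendered diagram that each Yes/No branch still points at the intended node.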
diff --git a/content/security/images/provisioning-error.png b/content/security/images/provisioning-error.png new file mode 100644 index 0000000000000000000000000000000000000000..5d9b345e6200294af0dcbf2954d70666276c1612 GIT binary patch literal 22704
Date: Tue, 9 Apr 2024 14:29:14 -0700 Subject: [PATCH 12/12] remove image and update faq --- .../faq/security/single-sign-on/users-faqs.md | 13 +++++++++++++ content/security/images/provisioning-error.png | Bin 22704 -> 0 bytes 2 files changed, 13 insertions(+) delete mode 100644 content/security/images/provisioning-error.png diff --git a/content/faq/security/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md index bba7ec31f6f7..ed8502032f4b 100644 --- a/content/faq/security/single-sign-on/users-faqs.md +++ b/content/faq/security/single-sign-on/users-faqs.md
@@ -68,6 +68,19 @@ Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option t Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process. +### How does disabling Just-in-Time provisioning impact user sign-in? + +> **Beta feature** +> +> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon. +{ .experimental } + +If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization. + +See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). + +To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/scim/). + ### What's the best way to provision the Docker subscription without SSO? Company or organization owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already). 
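Review bot: the body of the new "How does disabling Just-in-Time provisioning impact user sign-in?" entry never says that it describes behaviour with JIT disabled; open it with "When JIT provisioning is disabled, a user who signs in ..." so the answer stands on its own. Also drop the future tense ("will encounter", "will need") in favour of "encounter" and "need", matching the "will be added" to "is added" fix made earlier in this series, and note that this is the third copy of the same beta callout added in this series, which argues for a shared include.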
diff --git a/content/security/images/provisioning-error.png b/content/security/images/provisioning-error.png deleted file mode 100644 index 5d9b345e6200294af0dcbf2954d70666276c1612..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 22704