{"id":1589,"date":"2024-11-13T18:31:42","date_gmt":"2024-11-13T17:31:42","guid":{"rendered":"https:\/\/www.labtinker.net\/?p=1589"},"modified":"2024-11-13T18:31:42","modified_gmt":"2024-11-13T17:31:42","slug":"palo-alto-admin-authentication-with-entra-id-and-duo-mfa","status":"publish","type":"post","link":"http:\/\/18.135.13.153\/?p=1589","title":{"rendered":"Palo Alto Admin authentication with Entra ID and Duo MFA"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">I wanted to try out Cisco Duo MFA using SAML. Loyal readers of this blog will know that in posts passim I set up authentication for a Palo Alto firewall administrator using SAML and ADFS, so it seemed a natural progression to try this using Microsoft&#8217;s Entra ID (formerly Azure AD) with Cisco Duo.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Entra ID, which will act as the SAML primary authentication source, is available with an evaluation subscription free for 90 days, and Cisco Duo, my secondary authentication source, is available as a free subscription for 30 days. The Palo Alto VM firewall, the service provider in SAML terms, was set up in AWS and is not free, but it costs only a few dollars if you only use it for a couple of hours.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cisco Duo provides lots of pre-defined templates for &#8216;Protected applications&#8217;, but Palo Alto administrator is not one of them and is thus added as a &#8216;Generic SAML&#8217; application. 
This will become relevant later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is quite a long post, but the required steps can be summarised as follows:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1\/ Set up SSO (Single Sign On) in Duo, choosing the SAML option, then configure the Entra ID association.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2\/ Set up an Application within Entra ID and configure the SAML SSO option therein to associate it with Duo.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">3\/ Within Entra ID, create a user and user group and associate it with the above SSO application.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">4\/ On Duo, define Entra ID as an authentication source, then add a &#8216;Generic SAML application&#8217; as a \u2018Protected App\u2019.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">5\/ Set up the Palo Alto to use a SAML IDP for administrator login.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setting up Single-Sign-on (SSO) in DUO<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Duo itself comes with good documentation on this:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/duo.com\/docs\/sso#saml\">https:\/\/duo.com\/docs\/sso#saml<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first thing to do within Duo is to enable SSO and then add a SAML identity provider.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"386\" height=\"170\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-1.png\" alt=\"\" class=\"wp-image-1602\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-1.png 386w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-1-300x132.png 300w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Then within Entra ID, add a SAML identity provider, which is found under &#8216;Authenticated Sources&#8217;, where we have the option of adding a 
source:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"309\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/09\/image-1.png\" alt=\"\" class=\"wp-image-1591\" style=\"width:840px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/09\/image-1.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/09\/image-1-300x136.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This information is transferred to Duo&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"382\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-2.png\" alt=\"\" class=\"wp-image-1603\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-2.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-2-300x168.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230;together with a certificate which was downloaded from Entra ID.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"169\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-3.png\" alt=\"\" class=\"wp-image-1604\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-3.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-3-300x74.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This includes the option to require an encrypted assertion, which in turn gives us the option to download a certificate &#8211; which is then uploaded into Entra ID &#8211; effectively so it can read our assertions. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"506\" height=\"270\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-4.png\" alt=\"\" class=\"wp-image-1605\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-4.png 506w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-4-300x160.png 300w\" sizes=\"auto, (max-width: 506px) 100vw, 506px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setting up SSO in Entra ID<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, in Entra ID, Duo is configured as an Enterprise Application:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"408\" height=\"97\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-5.png\" alt=\"\" class=\"wp-image-1607\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-5.png 408w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-5-300x71.png 300w\" sizes=\"auto, (max-width: 408px) 100vw, 408px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This App has the following options:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"228\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-6.png\" alt=\"\" class=\"wp-image-1608\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-6.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-6-300x100.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Of these, <em>Users and Groups<\/em> needs setting up, which we will touch on later, but for the moment we will concentrate on <em>Single Sign On<\/em> and configure the association with Duo. The <em>Single Sign On<\/em> configuration page has the following four sections. 
(As described in the above Duo documentation link, the <strong>Entity ID<\/strong> and <strong>Assertion Consumer<\/strong> service come from the Duo SSO configuration.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"206\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-7.png\" alt=\"\" class=\"wp-image-1609\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-7.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-7-300x91.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230;assertions are essentially the fields passed in the SAML header&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"186\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-8.png\" alt=\"\" class=\"wp-image-1610\" style=\"width:840px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-8.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-8-300x82.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The third section contains the link to the certificate (Base64) which will be used by Duo and uploaded there (see \u2018Existing Certificate\u2019 above).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"348\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-9.png\" alt=\"\" class=\"wp-image-1611\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-9.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-9-300x153.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The fourth section has the values which will be 
transferred to Duo:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"168\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-10.png\" alt=\"\" class=\"wp-image-1612\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-10.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-10-300x74.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Entra-ID Users<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On Entra-ID, I have defined a user called <em>john.smith<\/em>&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"19\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-11.png\" alt=\"\" class=\"wp-image-1613\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-11.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-11-300x8.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">&#8230;and put him in a group called <em>Palo Admin<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"33\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-12.png\" alt=\"\" class=\"wp-image-1614\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-12.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-12-300x15.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This user has been created with an associated email address from the domain <em>labtinker.net<\/em>. 
When the Entra ID instance is created, it comes with a generated domain derived from the initial login, essentially an <em>onmicrosoft.com<\/em> sub-domain, e.g. <em>labtinker376.onmicrosoft.com<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, it is possible to add other domains. Entra ID then provides a string to be placed in the domain\u2019s DNS TXT record so that it knows the domain is owned and administered by the Entra ID admin. Only when this record is added to the domain\u2019s DNS is that domain verified within Entra and usable within its configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"52\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-13.png\" alt=\"\" class=\"wp-image-1615\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-13.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/10\/image-13-300x23.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Service Provider Set Up<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Having set up the SSO method and primary authenticator, it is necessary to set up the service provider application in Duo and configure the Service Provider itself; the Palo Alto in this instance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Duo has a lot of templates already in place for popular service providers, but this isn\u2019t the case for &#8216;Palo Alto administrator access&#8217;, so in this case we have to use the Generic SAML application.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/duo.com\/docs\/sso-fortigate-admin\">https:\/\/duo.com\/docs\/sso-generic<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Adding the Application within Duo<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Within Duo there is an option to Protect an Application:<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"242\" height=\"111\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image.png\" alt=\"\" class=\"wp-image-1619\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This has a searchable list of applications that can be protected, and in this instance we are searching for the &#8216;Generic SAML Service Provider&#8217;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"53\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-1.png\" alt=\"\" class=\"wp-image-1620\" style=\"width:840px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-1.png 602w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-1-300x26.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This leads us to:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"496\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-2.png\" alt=\"\" class=\"wp-image-1621\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-2.png 681w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-2-300x219.png 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Configuring Cisco DUO as a SAML IDP on the Service Provider (Palo Alto)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Duo Metadata has to be shared with the Service Provider (the Palo Alto), which can be done either by exporting and importing a SAML Metadata file in XML format or by copying each individual field into its relevant place on the Palo Alto.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SAML IDP, where the above information is input, is on the Palo Alto device menu under Server 
Profiles\/SAML Identity Provider:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"333\" height=\"60\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-3.png\" alt=\"\" class=\"wp-image-1623\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-3.png 333w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-3-300x54.png 300w\" sizes=\"auto, (max-width: 333px) 100vw, 333px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The option to import the XML file downloaded from Duo is here, but this did not always parse correctly when attempted \u2013 so it was necessary to paste the fields in one by one.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"464\" height=\"336\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-4.png\" alt=\"\" class=\"wp-image-1624\" style=\"width:729px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-4.png 464w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-4-300x217.png 300w\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The SAML cert referenced above is the certificate associated with the application in Duo and can be downloaded from Duo with the button just above the one used to export the metadata. This certificate can be imported on the Palo Alto from the &#8216;Device \/ Certificates&#8217; menu, whereupon it can be used in the above configuration. (If \u2018Validate IDP Provider Certificate\u2019 is required, then the CA cert that signs the Duo IDP cert also has to be imported onto the Palo Alto.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once this has been defined, it is necessary to create an authentication profile which uses SAML. Again, this is accessed from the device menu. 
An example is shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"457\" height=\"230\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-5.png\" alt=\"\" class=\"wp-image-1625\" style=\"width:636px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-5.png 457w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-5-300x151.png 300w\" sizes=\"auto, (max-width: 457px) 100vw, 457px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The certificate used for signing requests is the certificate associated with the firewall, with a CN of <em>firewall.labtinker.net<\/em>, previously imported onto the device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SAML attribute is defined as Username. On the advanced tab this is defined for all users\u2026<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"295\" height=\"96\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-6.png\" alt=\"\" class=\"wp-image-1626\" style=\"width:393px;height:auto\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Once this definition has been completed, a metadata link appears on the authentication profile which can be downloaded and imported into Duo.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"698\" height=\"60\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-7.png\" alt=\"\" class=\"wp-image-1627\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-7.png 698w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-7-300x26.png 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This can be imported into the Duo application&#8217;s Service Provider section as follows:<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\"><img decoding=\"async\" src=\"data:image\/png;base64,
QWsW7sFi\/qt6dbEniNH42nTbzTNnaP44JNlNOs8gbG9mpCZk0RBUS6rFq+m5ZDpdPHOZfbSk0wQLbFlExeiTiTIOWk2kSf3cjy9Af94\/l7crP44KM1PPcq\/3\/2U8579+Oj\/HsJdm8+Sn5eTGJeHrast9j5tmDzQg1nz92IozKDU0Zv+vbsQ+tsvVyXV3fM+YadFW\/424c+kOnjqWBI2zOHHw3qC6jlh6VSfkaPH08IphTkL11Pq0lUl1bvlwVL7eUsQKCfVnJwc8\/avkvpNzVJzS6BVhVQVApUh1c0LPuNocTC9m+WxZm82PTs6StJxI0O612fNiu30nDqM3d9\/h75xdwI8LIiNisXKrSU92roSeiyR5559kPNxYWzYuhud5DONijiNU6MgXIUE7TROTH5wrJj\/ZMuZ6ve4+PeibVNLDh8+jFG2fk8cOEjzfk8yprWO2StOMf2hcXhYnWflip2ko6M0O57ojHq8\/cbj+NpfJFWTjsM7f+XH+euxrt+CgaOmMSTYgcXz5pNZUIcWDcoISyrC3VXKW7hR36GMI2ey6Tu4N4eFVLWt+zF5QBckH\/sfl2z\/7l3wCVsN7YQgh+AqW+AZ8SeZs2A9Q+8fS8r2pey37sjQenms3HScflP+Th\/fc0La69C5duPJSe2qaihVuSoCtQ6BS\/OpNriYpFwr+VTljBOTJB9X\/qvVWkoS8qpNmaieqda6qVV1HaoMqW6c8zGHSoJ5cFQQK2Z8ysFzOvpOfIFBdTL5btZq+j8ynpOLFuDcYRxdWniARoubsxtnju5i99Fknnt+MqsWLeRkkj0vPTuStQu\/JUbnTT0XW8qKDAy\/\/z48LOP58F\/z8GvWgcyYCPzahDByQBA\/fPwxtq0mMaqNkVlLjnPf1OFkn1zDqpNu\/G16T5JOLGfBdnjzjSfwc5AHzGQk4dQufhayb9RrJG7ph9kZqeHJl8az+5dFJGT58cjE5ixd8ANrThiZ+siTdLQ\/w9wtCQwf2Z9D6xaiCezDfYPlTNUgnGtpgYU8xGLrS8TOn5i1z4JHp4+nkWxXR53YyYrNCTw8tT\/HN87nkNMw\/jm2IWuX\/czeOC8ely3fjSt\/o8CpE89O6YBRpFiKlbSSPFm9VARUBK6NQEJCAidPR+Dq5oGdnZ0QqPLsKJbBZmsMnCTHqm8dT\/ntT8vfWwqrSqq3FM7aLawypLrt5y85UhzEtHv7kH54Bv9Zmscbbz6Bd1EUX\/ywhpEvP0Jh6AY2HdLRu1czISELvJt1xDppN0vX7aHjmIkUhR\/hWPg5egxpzfblK9D79uK+Ec3YtnoL1u5taFUvjZ+WHqLHoLFYytZtpr0XLQKcWb1gNa36P8XkHo58P2MJDUK6Ut8mg9\/2nKNr9ybEHNnK6fzmvPv6I3iLua4uP5klCxdwOrcR\/3jlXkgIFW3xN+za9MajJEHOaZ15Xoh9i2idayMtmPrUi9RLWcvsHWkMGdqboxsWk2LrS6fgIOxlceDfrAW+rhfsgIuyopgzax406E6zOjbEnD6Ja5P+jO7qwq7V8wh16MurYzqSFrVfzlq34tW6J9r040RkeTC0d2O0Fo40btIYL7e\/WkrX7tmm9k5FoPIIJCTEERObgLeXD7YKccp7xey5J6RqMBrJFlc5kxgztglsLsaKl\/sLVL6+K92hkuqtwfGukFIZUk1LOEuWwQX\/+t5o9OnEpeho3NAHU2kuZ86kUr91CxzFxSb8SChRGUU4u9elU8cgbIy5nD4eRrbelRbN6nL+TBjJRVay7eqIu6cnDRvUJTs+kmNhMdj41MHRygYfn\/qyLVzI8ZPhFGoc8RRfUw+fAOp52RN\/+jAxaTqahbQkL+oUSdl6fPy8xUDJjubN\/LGxhOKcNM6cjcGxUQhNvBTfUBPJMdFkioWxo5MThmILmjatS056EvkGLd4+vpiyUohLL8O3nhfZyVFExp4TAyiNWB7bEdQ2
hPqeDr9bFxflJLDvSKQkJdfg1aAVHVrVxdIg58VJcWRbytayn7sotUXExceTWWInGnge4dEp6OXht7H3ICgwkLref7Irvivmm9pJFYHKIFARQ6WS0lLORsdjJdvCLZo1roz4CpdVSbXCUKkFK0OqKloqAioCKgK3E4GKkKrSnvjEZJLPZdCtY3CVNE8l1SqBtXYKVUm1do6r2isVgdqAQGVINUVItatKqrVh2Gt2H1RSrdnjp7ZeRaA2I6CSam0e3Vrat2uRqjKh5Z87dCkV3ynr2PK672QbrgZ7VbXpZuXezP03c++tmp6VbcOl5a92b2VlVrQv5Q\/l9Z6Py9uoyL\/8nhtpe0XuuRo+l7b96viUu8iopFrROaGWqzYIXI1UdRIkviC\/FL3OcIdcPxTHkz9iI91ewMrrvpNtuFqPq6pNNyv3Zu6\/mXtv1cyobBsuLX+1eysrs6J9UeQq1\/Wej8vbeKV7bqTtFbnnavhc2var42PvYC1xfm3Ni\/qKxP5VzlTV7d+Kzh+1XJUicDVSzc7Ol8wzuea4uxrNHVNXq7TvqnAVARWB6omArZ0Ndf28zD6pip\/q9QLqq6RaPcfxrmzV1Ug1MyOP3Jz8uxITtdMqAioCdxYBS0m84SducloJulItSdUkDrLFRQWUlOkxij5tIdlB7J0csdVeY\/vAWExycgaWti7U8XKuEMJGQxnFxQbxw7OWCDmFFEt9GgsrnF0lDupVJCgvdY0SIaNCNaiFbjUCKqneakRVeSoCKgI3i0C1J9XCnGRWzJvHkfPFaOWMzMm3ESMmTSGkzl8juiTGRFKgcaFFfTt+XSERaMR5vk19yRlZaE9j\/7qShPrqcKUmHWLVylj6jWvP\/l9WEJaWh6XWGu8GLRk0dIhkNfnD2d1QXCCO8jGEJeegM7rSuU0jvDwrRt43O2Dq\/X8goJLqjc8GJcygYkihXioCKgK3FoFqT6ppsUf54B\/vktu8J10auGHn6k1bSRjtWJhFVn4R2QWF1G\/cmnrO+Xz76UeE5dbjmUdGkRQXjZuXOzGHJIVVuIn7pjxEA7diXD3qUc\/HldzEM8QX2tEsoB72oopGnFjM\/70dymPvjmLZO19Q1rgjLf1sSIg5i6FOJ956bhpeF3lVV3Ce9Uvm8v3qA9jVac\/zTz5EjzY+t3ZkVGnXRaAypKq1kvynktO0VFeKUSINlV8WFpbYWGspLZHvr1vj9QposLKVUGOSSk5XViaFr2eMcRV5EsrMytpaAm7rKCuT4L1yaSW5qxK\/VwlpppV+6CQSi9EcP\/TCpfRPdpukXgMW8rek1EGvv0KPRLa1jTUGg07KWIgsozmnq6VEgjLoSuR7lWivN8rq7yoC10Kg2pNqetwJPn\/vc7RdRzKgZV3cJHyci2U6C+bMI8XojZ0hDYNzIOMHtuS3BV+xL7UOT04fQWxCrISF8yD6xA42H81iyqPPUha5njyPTjx4X082ffdvohx78eTUwZKsGc6cWsGHHx5l6t8H89vXS+jxxFuMCHYn6tAS3vtqC5P+8TGDWzmZsdQVpbNu8Wy+XbwT+0Zdefnpx+ge5K3OtNuMQEVJVXiEotwM8kq1eLq7yQ7ERS1NSMpgLCTzXCEuEtTa1lIhrT86odCLlZCZtaWWoqKS6\/TOQo4b8tm\/9TA2zo0IDG6CVkjxUnkaS7EKtLWguFAhxCuTl0Yaqy\/NJzMjC62zLz6SSkYOGcjPziSvuEgI0U7hS1y9PLE2GcwLAQs5CikuyCavyIizBOguK5bzZGt7HB0lgLeQ8O+OAGZSNnDm8A6iMg00CW6Bh50bDpoyjh8+iG\/bXjRyt1c12Ns8j9XqahcC1Z5UMxLC+PSdD0j2akp9ecHVa96RLs1s+WnmXFw73c\/whueZsewQ\/SZNokQyfxzNasIrkzvzv+9n4tN1KL6Fh9lx2o5HnnoczZFv+HiTjkemdGL5rCWEjP8bkwa0RklhaSbV\/w
ipvjqY9V8tJuSBl5jYvSGpCbv58N2f6fLIa9zXpb559MuK8kmOjSIiNY8yCyc6tWqMr2i\/6nV7EagoqVraagldNYP5m5OY+MQzkoXGG5NB0QANHPntWxZvK2H6W8\/SytFGtFghKZkPRrEa1gobnUtOJPl8liQJVxJ06yUMrwTENpOyUcr+4bdmYWGDvUsi7734GU4NBjLtkXskmm+RWZs0GYxym2jJ2ckci8imVbvmuNhZmetSCF+5jFJGuSzkyMFYdI7Na5ZyKsuXZ198AM25E6xeLjlN6wfhXRLOb5vSGP3sswwIdCO\/QIetvUlyw37OgTh7pj4wipM7VqPx707\/HiHY60X7vDgsiuFE5rljfPfFKpp37oynbwmJ8b70aevE\/G+\/pP1j7zColcRDVvqlVeAxXZX8b+9Iq7WpCNQcBKo9qZ6PPsbXn3yH7\/hHGdW0DjZurhTGhfLt7OUEDHuJKQGJ\/GfmeloNGocuYh2nilrx5rTOfPzJp7h3HUP9ogPsj\/Hib49Po6HdaV55aYbI0HFO35JXZEu3ZV1HGS2TkOrK30n1NyHVTg++ytguHuxcM4uvFp3m2Xc\/pmdj+5ozsndBSytEqqKdWdtp2fDdP\/n4p4N0n\/o6\/5jeD0cbDYWZZ\/n4pRfZl+nNW\/O\/pIu7C8ZisRwWorJ3dsXZooh1q1ay+0gMT7\/0smiBWkxlpRSIpmkrge1txcpPIVZL0XCL8+XM3zmd\/\/1rFk71ezPl4eGY8tIoKjXi6OwuW896STazji8XhTPpiSkEN64rsoooLCpFa+uAo501+jLRbJXtWSsTJ3ct46df9tP70b\/TMG0j89ZFM\/aVJ0nf8gX\/\/nAfY154mxeeGIKFzkjBuUN89I83OF7Qkvfee5RdC\/6HpvUYpowbiJM+H70Qu\/l\/FnoiTi7kmx8yePXNv8mOTyqxqbb42BWy4IevaffgWwxs7YexrJBc8fO1kz5ay8pC2VJWLxUBFYGKIVDtSTU97jjvv\/o253yDaV3HCfdGTWnsa8XGX1bSYMhLTG2WxL9\/WEvQ6IfxSlzHj+vjmThhENu3bMGvw2i6e8QxY8lO2g9\/mkcntGf3jP\/js6X76DLpTV69v7ucp17IaxdxYinvvnOIR98ZxYp3PyfbOwBfJyOZuSU07TCCJx4YKC+hioGqlro9CFSUVK1ky3XznA\/59VAShfoG\/P2NJyXJtzMR237ki7lhQjYaHv3yXernnmPrrxvJl21aG3tX2od0YPeqmewNO8dEyVnapL5kmTl+gvQSA2UlWpp17ELXYG\/2\/fobEUnpkv6tlK2rj9B9yEMMbefEwQjJBFNcSonBlR49WxG9cxXz10XSc9gQ+g1sT9yuvWSJ5lual0+99gPoFlQXC9FYNXK+aanPZMvShSzbGYZnfR\/8g8by9LQAFs6exbKZm\/DvMZiR9z9O\/1YWrJw7m3XrNlPg3VPmaT\/2r5gr+VRHcO9IWTyUk6psEesL0\/lt7bcsWpXB8PFjadvSiqRzHmLMp2XhjG\/p+NgbBLtmsWnjfgmeYcLK0Zmuo4bjb2+lnrXenimt1lILEKj2pFpSkMnezZuITC\/CoNfL2VcjWrcJoCA+Bnv\/9rRyzedgWDQeTdtTR5\/I5l3H8GgYYDa6cBdibOFpYNuubRg8OzKwRwuiN37NG7PCefL11xjWvsHvQ5idcYa9e8\/TtkcAkTt3E5mRI0YiUKdhIIP6d8O96nLI1oJpdGe6UBlS3TjrxcSTJQAACWhJREFU34SKEZtl8hHqDn6Ukd3rsfq\/75Pj0Za0k6e4559PkL15KVFlLejb0Y2Dm7eS69SWek7J7NsXw\/RnnsHHzZpzkWFERJ9i69YTNO45msHtJA\/plr14t+lBY+dkZv6wnrb9p3Nf\/xZEnA2VBMUn2bXzFAMeeJ6mmjPMW36CIZPH0KVDM9KOH+dE5EnCjh6mxKsvr7
88CRcLoznPoq2DE5lRu\/jXq6+SVvcePv7sbQLsopkz+xeijmdg6+mIW0AvHhzuzpff\/iZ5Us9hdG7I4EFdObxm3l9I1bzPrCtg\/745zP05gymPjIW8raze4ctzU9qyYsFMAu99CMIlt2tRM4YIBjt3bKFUkpM\/NX2Q2F6V\/ul8+M6MuFqrikD1R6Dak+qthPD0njXMW7Yey4DBPDVtKD4OYiWpXjUWgUqR6sz3OVYUQq9GGaw9WsLAXm7s2p4uC6ZA1q7YTM9HR7P\/808o9e8n7lOWRB4\/hUksu\/v3rcfhbWG8\/MbLpEQcYPvOo9h5OBN5eC8655a4yBSylbP+SU+8gJ\/zGd55+XOcG\/amQxtHIctw7H3dCF3zK3W7PsXItmXMXnyMB55\/AB9SWbtqLyWSPNyUdpq9pxx4\/e0XZE7KWa1s1VpbGzi5ew0\/SFJzTf1gRk18jDHdLfnuy5mkZ\/kR4FtIZJoBX18b8vOtqe9o5ERMFv2G9eXIlUhVZGqtLEhOWCEknMbLf59McoRowts8eWR8IGt+nolfv0FE\/LqIXLeedGxm4tjxcLHUCuad\/5uGSSXVGvucqA2\/vQjcVaR6LuYU4fFZ+LcOoZEkbVavmo1AZUn1SEFbHhzXhoVffEhEVhntxz\/PiAbFfP\/DCnr8bTyHv\/0C+y730r15Hdnp0ODhWYfE2GMcOpwkhPcoi3\/4hqNRNrz2+kRWzf6Ms8V+eIs7jsnSxORnX6OxxREhq2\/waNKZnLgw3Fq0594x7Zn5zv9h3WoaIwKFVFeG88hLD5Cxey4L91jxxDMjSTs0n7nbNLzx1ov4Cjla2liRdnYfc+Yux731QFwLjnAswYNX\/j2JTTP+J+eg\/kyd3IRlc2ey5ZieyY8\/QzunWBZsiGbY6AGiqc7HNmQcU8cOwd6QK+e2xeJeI4ZXcnwRF7WUr75P44UXJ5EWu5QV2714ZFwrIdVZ+PYfSMxvq7BoPI6BoqmWlJpwcvemWRM5\/1VdbWr2w6K2\/rYhcFeR6m1DVa3otiBQGVJd\/+3bHMhvx9OPDSd158f8a34O\/\/zoDfxKIvjwk4WM\/eBVyvavYs8JvVj6BmBn6UBAp14Uh69n7oLVQsBT0QlRHjueSM+hHdm+bCGmugOZNLYDO1cuROfUkhaN8lm8aC89Bk1Fez6UDGtXmjd157eFS2g+6FWm9Xfh60+\/wzukDw0cc9m2M4EuPZuTcHwbx9Ia8uG\/X8fP3ZLC9DMs\/OErwosCeeujlzCGreHr75fj0aMfLgXRxEa58caHj7H2vy+yLMzIY299RoOYeXyzPonRE4ZyaPl3nDH60qldGxzEHSgopBsN6riitSgj+sxCPvsqjVdfe4DU6EUs3eTNk5OCWDLrW9pNexbH2J1sidTTvnUANjaONGzVnMY+brLIUI2VbsukViup8QiopFrjh\/Du7UCFSFXgUVxgUqJOkFHmRvOA+mjLkjgRVUpQy0Zi6ZrNqZOx+HcOwbY4mxP7j1EkASHs7FxoEhSMK1mEHTsuW731aeBlT3J0BAUW9hLdqxRHD3+CWvuTcOIQsYlZOPg4U5qrw79JII5kEh6bhEFrK8ZHJXg3DBZDJwfOhO4ns8wB\/2YNOB9xSiKAabGxshRt15W2wa1wEPcf5Xz09MmTWPuE0DbQE5P4nZ45FU6WwQoPF1tKCjQEtgskM\/YkaaUWNAhoiUVaBJEppdRv5EdWwmniJSKYlbWtWCbb0bhFIHXcHSSYhIHC\/HhOR5QQGOgv4T8TiBfr3+YNnYk7G4l3i7a4mrI5ciyMwlLBwNFF2tkCX\/FdLXf5uXtnm9pzFYGKIaCSasVwUktVQwQqSqpK05WIQxZyWqmkgxOmkYAOFpSVShQFuSytLTGYYz1bKj9RWip\/CxFbiIen0aR8J5az4u5iIeSnRDVSZFjZKJGTJGqRuLRo5X6jTmJTyx1KdCa9QfxZNSJII
isp7rDWtuJ7KmeSUgQrccMxmH\/XSgQkRZZe7rcx16W054Lnq3L+aYlWfGXLSsVaTtplpRCvyDOZ\/WTF5ki+t5D7zDLEzceolJE2G6RCC2WfV5xgDRJR6fIQExq52UocsxU3GY1WaYO4zOhka1jwMeqkLgHA\/J0ZgwtOtCqhVsPJrzap2iKgkmq1HRq1YddDoDKkqhCVhGH4C8mYKezSOLjyd3nwv\/LYuMrvyqV8Lv+7\/HN5G6\/0\/RXLXpR\/uSxRI\/8cfekKsXmvF69XMfA1R3C6pA8XG\/6nfv9ezkzfikPZ9TG43liov6sIqAhcQEAlVXUm1FgEKkeqNbabasNVBFQEahACKqnWoMFSm\/pnBK5GqlmZeeRIonL1UhFQEVARuN0IVJZUE5JSSEpNp1vH4Cppqka2xdQ0GVUCbe0TqpCqXgKCJCcnU1BQgL+\/vwSRd5S8uKVkZebKWaGcG17cuq1ZvTdvyF6lyX\/EG66aPl2r7qqp8c5Krcr+VqVsBbWryb9V9Vb1XLvSyN+qtpfLvp686\/1+rdl5ZXycnOwl8YuzcgpjTlKek51N4yZNxPjRTrJCKUG1\/7iUd1hUTILZ7a1dm5ZV8iiopFolsNZOocr6SyHV1NRU8vLyaNSokZlUlctspKOuz2rnwKu9UhGopggo9goWFha\/L+YVUs3IyKRhw4ZCqrZiDCm\/XVwwG8UAIiU1jbT0bAJbNMHF5UIWtFt9qaR6qxGtxfLKSTU3N9esrdapU8f8b83UTmvxQKldUxG4CxHQ6XREREQQn5gqngMST1z+LbeolxU\/GqMGF1dH\/Bs2wM3NucoQUkm1yqCtnYIVFxJl8qakpJCTkyOrPRfzNouqpdbO8VZ7pSJQExBQ3j\/K+0jZSfOrVw8bW9n6VXJK\/uFbYP7bSoKzWFtbV2mXVFKtUnhrn3DlTKKcWLPl7CIzM1MSIfz\/gPsthzAA+Qk0hIQNgORAAJf8EPb2qNPJCAF8aYUM4zC00NJ8mNnIdlDbPnTzCPGpEWaw\/MnHx8cgIiLCwM3NDd5njnudBLVsxW4OAIFGRfpIc8hkAAAAAElFTkSuQmCC\" alt=\"\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the Palo Alto an administrator has to be created and associated with the SAML authentication profile. 
In this instance the user <em>John.Smith<\/em> is created (the Name field is not especially clear in the illustration below, but it does indeed read <em>john.smith<\/em>):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"409\" height=\"159\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-8.png\" alt=\"\" class=\"wp-image-1629\" style=\"width:623px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-8.png 409w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-8-300x117.png 300w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On first logging in to the Palo Alto there may be an error. The SAML\/Duo login requires the username in UPN format, i.e. <a href=\"mailto:John.smith@labtinker.net\">John.smith@labtinker.net<\/a>, but the Palo Alto expects just <em>John.Smith<\/em>, the name of the local administrator account. This can be tackled in two ways. The first is to disable a setting called <em>strict-username-check<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"448\" height=\"129\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-9.png\" alt=\"\" class=\"wp-image-1630\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-9.png 448w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-9-300x86.png 300w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The alternative method is to \u2018<em>enable user attribute transformation<\/em>\u2019 in Duo and strip the domain before passing the username to the Palo Alto. 
This is covered later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">OK, now that we have set everything up, let&#8217;s see what happens when we try to log in to the Palo Alto:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Login Process<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The login process proceeds as follows. On the standard Palo Alto admin screen there is a &#8216;Single-Sign-On&#8217; option.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This leads to a screen where we can input the username (without the domain):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"365\" height=\"215\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-10.png\" alt=\"\" class=\"wp-image-1632\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-10.png 365w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-10-300x177.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This leads to a Microsoft Entra ID login where the full UPN is required:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"386\" height=\"285\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-11.png\" alt=\"\" class=\"wp-image-1633\" 
srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-11.png 386w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-11-300x222.png 300w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Entra ID may have its own MFA requirements (not enabled in this instance). Anyway, once we&#8217;ve cleared the Entra ID login we are redirected to Duo, which will prompt for setup the first time; on subsequent occasions it allows the user to continue once they have acknowledged a code on the device on which Duo has been set up.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"289\" height=\"302\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-13.png\" alt=\"\" class=\"wp-image-1635\" style=\"width:356px;height:auto\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-13.png 289w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-13-287x300.png 287w\" sizes=\"auto, (max-width: 289px) 100vw, 289px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The user is then successfully logged in, and this is recorded in the Palo Alto system logs&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"957\" height=\"229\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-15.png\" alt=\"\" class=\"wp-image-1637\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-15.png 957w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-15-300x72.png 300w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-15-768x184.png 768w\" sizes=\"auto, (max-width: 957px) 100vw, 957px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Before we end, there are a couple of other points worth mentioning:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Attribute 
Encryption<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is an option to encrypt the SAML assertion (see above), but this may not work with all applications. This was the case with Palo Alto administration access, as outlined here:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/9-1\/pan-os-admin\/authentication\/configure-saml-authentication\">https:\/\/docs.paloaltonetworks.com\/pan-os\/9-1\/pan-os-admin\/authentication\/configure-saml-authentication<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\u201cPalo Alto Networks requires HTTPS to ensure the confidentiality of all SAML transactions instead of alternative approaches such as encrypted SAML assertions. To ensure the integrity of all messages processed in a SAML transaction, Palo Alto Networks requires digital certificates to cryptographically sign all messages\u201d<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Attribute Transformation<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Above we had the instance where the Palo Alto required a username without the domain but Entra ID required the full UPN. In the event we tackled this on the Palo Alto, but we could instead have transformed the attribute within Duo. 
The example below strips the @ sign and everything after it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"698\" height=\"512\" src=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-16.png\" alt=\"\" class=\"wp-image-1638\" srcset=\"http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-16.png 698w, http:\/\/18.135.13.153\/wp-content\/uploads\/2024\/11\/image-16-300x220.png 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>I wanted to try out Cisco Duo MFA using SAML and loyal readers of this blog will know in posts passim I set up authentication for a Palo Alto firewall administrator using SAML and ADFS so it seemed a natural progression to try this using Microsoft&#8217;s Entra ID (formerly Azure AD) with Cisco Duo. Microsoft [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,7],"tags":[],"class_list":["post-1589","post","type-post","status-publish","format-standard","hentry","category-authentication","category-firewalls"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/1589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1589"}],"version-history":[{"count":0,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/1589\/revisions"}],"wp:attachment":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fm
edia&parent=1589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1589"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}