From 960d399c7dc8256b75a77c28e3a433dbb060974e Mon Sep 17 00:00:00 2001 From: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Date: Wed, 27 Nov 2024 16:58:01 +0000 Subject: [PATCH 1/7] add cli steps for org sync --- docs/admin/users/idp-sync.md | 63 +++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 123384c963ce7..921d66a7766d3 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -304,13 +304,66 @@ Visit the Coder UI to confirm these changes: ## Organization Sync (Premium) -> Note: In a future Coder release, this can be managed via the Coder UI instead -> of server flags. - If your OpenID Connect provider supports groups/role claims, you can configure Coder to synchronize claims in your auth provider to organizations within Coder. -First, confirm that your OIDC provider is sending clainms by logging in with +Viewing and editing the organization settings requires deployment admin permissions (UserAdmin or Owner). + +Organization sync works across all organizations. On user login, the sync will add and remove the user from organizations based on their IdP claims. After the sync, the user's state should match that of the IdP. + +You can initiate an organization sync through the CLI or through the Coder dashboard: + +
Org memberships must be manually configured through the UI or API.| +| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | +| organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity.
If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. | + +## Dashboard + +First, confirm that your OIDC provider is sending claims by logging in with OIDC and visiting the following URL with an `Owner` account: ```text @@ -357,6 +410,8 @@ disable that with: CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false ``` +
+ ## Troubleshooting group/role/organization sync Some common issues when enabling group/role sync. From 001e3bdb833aee925a1c32cda685c020b6755ee0 Mon Sep 17 00:00:00 2001 From: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Date: Wed, 27 Nov 2024 17:30:49 +0000 Subject: [PATCH 2/7] dashboard steps to steps --- docs/admin/users/idp-sync.md | 92 +++++++++++++++++++----------------- 1 file changed, 49 insertions(+), 43 deletions(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 921d66a7766d3..bbd430e772f5c 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -307,11 +307,15 @@ Visit the Coder UI to confirm these changes: If your OpenID Connect provider supports groups/role claims, you can configure Coder to synchronize claims in your auth provider to organizations within Coder. -Viewing and editing the organization settings requires deployment admin permissions (UserAdmin or Owner). +Viewing and editing the organization settings requires deployment admin +permissions (UserAdmin or Owner). -Organization sync works across all organizations. On user login, the sync will add and remove the user from organizations based on their IdP claims. After the sync, the user's state should match that of the IdP. +Organization sync works across all organizations. On user login, the sync will +add and remove the user from organizations based on their IdP claims. After the +sync, the user's state should match that of the IdP. -You can initiate an organization sync through the CLI or through the Coder dashboard: +You can initiate an organization sync through the CLI or through the Coder +dashboard:
Org memberships must be manually configured through the UI or API.| -| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | +| Field | Explanation | +| :-------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| field | If this field is the empty string `""`, then org-sync is disabled.
Org memberships must be manually configured through the UI or API. | +| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | | organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity.
If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. | ## Dashboard -First, confirm that your OIDC provider is sending claims by logging in with -OIDC and visiting the following URL with an `Owner` account: +1. Confirm that your OIDC provider is sending claims. Log in with OIDC and visit + the following URL with an `Owner` account: -```text -https://[coder.example.com]/api/v2/debug/[your-username]/debug-link -``` + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` -You should see a field in either `id_token_claims`, `user_info_claims` or both -followed by a list of the user's OIDC groups in the response. This is the -[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by -the OIDC provider. See -[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. + You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC groups in the response. This is + the [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) + sent by the OIDC provider. See + [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. -> Depending on the OIDC provider, this claim may be named differently. Common -> ones include `groups`, `memberOf`, and `roles`. + Depending on the OIDC provider, this claim may be called something else. + Common names include `groups`, `memberOf`, and `roles`. -Next configure the Coder server to read groups from the claim name with the OIDC -organization field server flag: +1. 
Configure the Coder server to read groups from the claim name with the OIDC + organization field server flag: -```sh -# as an environment variable -CODER_OIDC_ORGANIZATION_FIELD=groups -``` + ```sh + # as an environment variable + CODER_OIDC_ORGANIZATION_FIELD=groups + ``` -Next, fetch the corresponding organization IDs using the following endpoint: +1. Fetch the corresponding organization IDs using the following endpoint: -```text -https://[coder.example.com]/api/v2/organizations -``` + ```text + https://[coder.example.com]/api/v2/organizations + ``` -Set the following in your Coder server [configuration](../setup/index.md). +1. Set the following in your Coder server [configuration](../setup/index.md). -```env -CODER_OIDC_ORGANIZATION_MAPPING='{"data-scientists":["d8d9daef-e273-49ff-a832-11fe2b2d4ab1", "70be0908-61b5-4fb5-aba4-4dfb3a6c5787"]}' -``` + ```env + CODER_OIDC_ORGANIZATION_MAPPING='{"data-scientists":["d8d9daef-e273-49ff-a832-11fe2b2d4ab1", "70be0908-61b5-4fb5-aba4-4dfb3a6c5787"]}' + ``` -> One claim value from your identity provider can be mapped to many -> organizations in Coder (e.g. the example above maps to 2 organizations in -> Coder.) + > One claim value from your identity provider can be mapped to many + > organizations in Coder. The example above maps to two organizations in + > Coder. -By default, all users are assigned to the default (first) organization. You can -disable that with: +1. By default, all users are assigned to the default (first) organization. You + can disable that with: -```env -CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false -``` + ```env + CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false + ```
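Review bot: In [PATCH 1/7], the `mapping` row of the new CLI table states "No validation is done, so you can put UUID's of orgs that do not exist (a noop)" but gives the admin no way to catch that case. A mistyped UUID is accepted and does nothing, so the row should tell the reader to check each ID against `https://[coder.example.com]/api/v2/organizations` before saving. "UUID's" should read "UUIDs", and the `organization_assign_default` row should show the value as the JSON boolean `true` rather than 'true'.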
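Review bot: In [PATCH 2/7], every numbered step under `## Dashboard` sets a server environment variable (`CODER_OIDC_ORGANIZATION_FIELD`, `CODER_OIDC_ORGANIZATION_MAPPING`, `CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT`) and none of them is done in the dashboard, so the heading does not match its content. Title the tab for server configuration, or hold the heading until there are UI steps to put under it. Step 2 also says "read groups from the claim name" where this section is about the organization claim.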
From bf4c5448d14c87a59192542739e407b25cb6a640 Mon Sep 17 00:00:00 2001 From: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Date: Wed, 27 Nov 2024 17:42:29 +0000 Subject: [PATCH 3/7] html tags work better when they're closed --- docs/admin/users/idp-sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index bbd430e772f5c..89e7ceb6076bd 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -317,7 +317,7 @@ sync, the user's state should match that of the IdP. You can initiate an organization sync through the CLI or through the Coder dashboard: -
## CLI From f6c35e0d8a33a87303de80318ede0c6702db0444 Mon Sep 17 00:00:00 2001 From: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Date: Wed, 27 Nov 2024 17:51:14 +0000 Subject: [PATCH 4/7] md spacing --- docs/admin/users/idp-sync.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 89e7ceb6076bd..ae4be162c2ec5 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -317,9 +317,9 @@ sync, the user's state should match that of the IdP. You can initiate an organization sync through the CLI or through the Coder dashboard: -
+
-## CLI +### CLI Use the Coder CLI to show and adjust the settings. @@ -359,15 +359,15 @@ settings, a user's memberships will update when they log out and log back in. } ``` -Analyzing the JSON payload: + Analyzing the JSON payload: -| Field | Explanation | -| :-------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| field | If this field is the empty string `""`, then org-sync is disabled.
Org memberships must be manually configured through the UI or API. | -| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | -| organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity.
If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. | + | Field | Explanation | + | :-------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | field | If this field is the empty string `""`, then org-sync is disabled.
Org memberships must be manually configured through the UI or API. | + | mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | + | organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity.
If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. | -## Dashboard +### Dashboard 1. Confirm that your OIDC provider is sending claims. Log in with OIDC and visit the following URL with an `Owner` account: From aefca02d8772afdd43b4490497e6943d84285eac Mon Sep 17 00:00:00 2001 From: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Date: Wed, 27 Nov 2024 18:16:17 +0000 Subject: [PATCH 5/7] md and steps cleanup --- docs/admin/users/idp-sync.md | 312 ++++++++++++++++++++--------------- 1 file changed, 176 insertions(+), 136 deletions(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index ae4be162c2ec5..9ad90fc11fdc2 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md 
@@ -17,35 +17,40 @@ There are two ways you can configure group sync: ## Server Flags -First, confirm that your OIDC provider is sending claims by logging in with OIDC -and visiting the following URL with an `Owner` account: +1. Confirm that your OIDC provider is sending claims. -```text -https://[coder.example.com]/api/v2/debug/[your-username]/debug-link -``` + Log in with OIDC and visit the following URL with an `Owner` account: -You should see a field in either `id_token_claims`, `user_info_claims` or both -followed by a list of the user's OIDC groups in the response. This is the -[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by -the OIDC provider. See -[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` -> Depending on the OIDC provider, this claim may be named differently. Common -> ones include `groups`, `memberOf`, and `roles`. + You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC groups in the response. This is + the [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) + sent by the OIDC provider. -Next configure the Coder server to read groups from the claim name with the -[OIDC group field](../../reference/cli/server.md#--oidc-group-field) server -flag: + See [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug + this. -```sh -# as an environment variable -CODER_OIDC_GROUP_FIELD=groups -``` + Depending on the OIDC provider, this claim may be called something else. + Common names include `groups`, `memberOf`, and `roles`. -```sh -# as a flag ---oidc-group-field groups -``` +1. 
Configure the Coder server to read groups from the claim name with the + [OIDC group field](../../reference/cli/server.md#--oidc-group-field) server + flag: + + - Environment variable: + + ```sh + CODER_OIDC_GROUP_FIELD=groups + ``` + + - As a flag: + + ```sh + --oidc-group-field groups + ``` On login, users will automatically be assigned to groups that have matching names in Coder and removed from groups that the user no longer belongs to. @@ -54,17 +59,19 @@ For cases when an OIDC provider only returns group IDs ([Azure AD][azure-gids]) or you want to have different group names in Coder than in your OIDC provider, you can configure mapping between the two with the [OIDC group mapping](../../reference/cli/server.md#--oidc-group-mapping) server -flag. +flag: -```sh -# as an environment variable -CODER_OIDC_GROUP_MAPPING='{"myOIDCGroupID": "myCoderGroupName"}' -``` +- Environment variable: -```sh -# as a flag ---oidc-group-mapping '{"myOIDCGroupID": "myCoderGroupName"}' -``` + ```sh + CODER_OIDC_GROUP_MAPPING='{"myOIDCGroupID": "myCoderGroupName"}' + ``` + +- As a flag: + + ```sh + --oidc-group-mapping '{"myOIDCGroupID": "myCoderGroupName"}' + ``` Below is an example mapping in the Coder Helm chart: @@ -84,49 +91,58 @@ OIDC provider will be added to the `myCoderGroupName` group in Coder. ## Runtime (Organizations) -> Note: You must have a Premium license with Organizations enabled to use this. -> [Contact your account team](https://coder.com/contact) for more details +
+ +You must have a Premium license with Organizations enabled to use this. +[Contact your account team](https://coder.com/contact) for more details. + +
For deployments with multiple [organizations](./organizations.md), you must configure group sync at the organization level. In future Coder versions, you will be able to configure this in the UI. For now, you must use CLI commands. -First confirm you have the [Coder CLI](../../install/index.md) installed and are -logged in with a user who is an Owner or Organization Admin role. Next, confirm -that your OIDC provider is sending a groups claim by logging in with OIDC and -visiting the following URL: +1. Confirm you have the [Coder CLI](../../install/index.md) installed and are + logged in with a user who is an Owner or Organization Admin role. -```text -https://[coder.example.com]/api/v2/debug/[your-username]/debug-link -``` +1. Confirm that your OIDC provider is sending a groups claim. -You should see a field in either `id_token_claims`, `user_info_claims` or both -followed by a list of the user's OIDC groups in the response. This is the -[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by -the OIDC provider. See -[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. + Log in with OIDC and visit the following URL: -> Depending on the OIDC provider, this claim may be named differently. Common -> ones include `groups`, `memberOf`, and `roles`. + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` -To fetch the current group sync settings for an organization, run the following: + You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC groups in the response. This is + the [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) + sent by the OIDC provider. -```sh -coder organizations settings show group-sync \ - --org \ - > group-sync.json -``` + See [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug + this. 
-The default for an organization looks like this: + Depending on the OIDC provider, this claim may be called something else. + Common names include `groups`, `memberOf`, and `roles`. -```json -{ - "field": "", - "mapping": null, - "regex_filter": null, - "auto_create_missing_groups": false -} -``` +1. To fetch the current group sync settings for an organization, run the + following: + + ```sh + coder organizations settings show group-sync \ + --org \ + > group-sync.json + ``` + + The default for an organization looks like this: + + ```json + { + "field": "", + "mapping": null, + "regex_filter": null, + "auto_create_missing_groups": false + } + ``` Below is an example that uses the `groups` claim and maps all groups prefixed by `coder-` into Coder: @@ -140,12 +156,17 @@ Below is an example that uses the `groups` claim and maps all groups prefixed by } ``` -> Note: You much specify Coder group IDs instead of group names. The fastest way -> to find the ID for a corresponding group is by visiting -> `https://coder.example.com/api/v2/groups`. +
+ +You much specify Coder group IDs instead of group names. The fastest way to find +the ID for a corresponding group is by visiting +`https://coder.example.com/api/v2/groups`. + +
Here is another example which maps `coder-admins` from the identity provider to -2 groups in Coder and `coder-users` from the identity provider to another group: +two groups in Coder and `coder-users` from the identity provider to another +group: ```json { @@ -182,7 +203,7 @@ You can limit which groups from your identity provider can log in to Coder with [CODER_OIDC_ALLOWED_GROUPS](https://coder.com/docs/cli/server#--oidc-allowed-groups). Users who are not in a matching group will see the following error: -![Unauthorized group error](../../images/admin/group-allowlist.png) +Unauthorized group error ## Role sync (enterprise) (premium) @@ -192,87 +213,97 @@ to synchronize roles in your auth provider to roles within Coder. There are 2 ways to do role sync. Server Flags assign site wide roles, and runtime org role sync assigns organization roles +
+ +You must have a Premium license with Organizations enabled to use this. +[Contact your account team](https://coder.com/contact) for more details. + +
+
## Server Flags -First, confirm that your OIDC provider is sending a roles claim by logging in -with OIDC and visiting the following URL with an `Owner` account: +1. Confirm that your OIDC provider is sending a roles claim by logging in with + OIDC and visiting the following URL with an `Owner` account: -```text -https://[coder.example.com]/api/v2/debug/[your-username]/debug-link -``` + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` -You should see a field in either `id_token_claims`, `user_info_claims` or both -followed by a list of the user's OIDC roles in the response. This is the -[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by -the OIDC provider. See -[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. + You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC roles in the response. This is the + [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by + the OIDC provider. -> Depending on the OIDC provider, this claim may be named differently. + See [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug + this. -Next configure the Coder server to read groups from the claim name with the -[OIDC role field](../../reference/cli/server.md#--oidc-user-role-field) server -flag: + Depending on the OIDC provider, this claim may be called something else. -Set the following in your Coder server [configuration](../setup/index.md). +1. Configure the Coder server to read groups from the claim name with the + [OIDC role field](../../reference/cli/server.md#--oidc-user-role-field) + server flag: -```env - # Depending on your identity provider configuration, you may need to explicitly request a "roles" scope -CODER_OIDC_SCOPES=openid,profile,email,roles +1. Set the following in your Coder server [configuration](../setup/index.md). 
-# The following fields are required for role sync: -CODER_OIDC_USER_ROLE_FIELD=roles -CODER_OIDC_USER_ROLE_MAPPING='{"TemplateAuthor":["template-admin","user-admin"]}' -``` + ```env + # Depending on your identity provider configuration, you may need to explicitly request a "roles" scope + CODER_OIDC_SCOPES=openid,profile,email,roles -> One role from your identity provider can be mapped to many roles in Coder -> (e.g. the example above maps to 2 roles in Coder.) + # The following fields are required for role sync: + CODER_OIDC_USER_ROLE_FIELD=roles + CODER_OIDC_USER_ROLE_MAPPING='{"TemplateAuthor":["template-admin","user-admin"]}' + ``` -## Runtime (Organizations) +One role from your identity provider can be mapped to many roles in Coder. The +example above maps to two roles in Coder. -> Note: You must have a Premium license with Organizations enabled to use this. -> [Contact your account team](https://coder.com/contact) for more details +## Runtime (Organizations) For deployments with multiple [organizations](./organizations.md), you can configure role sync at the organization level. In future Coder versions, you will be able to configure this in the UI. For now, you must use CLI commands. -First, confirm that your OIDC provider is sending a roles claim by logging in -with OIDC and visiting the following URL with an `Owner` account: +1. Confirm that your OIDC provider is sending a roles claim. -```text -https://[coder.example.com]/api/v2/debug/[your-username]/debug-link -``` + Log in with OIDC and visit the following URL with an `Owner` account: + + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` -You should see a field in either `id_token_claims`, `user_info_claims` or both -followed by a list of the user's OIDC roles in the response. This is the -[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by -the OIDC provider. See -[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. 
+ You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC roles in the response. This is the + [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by + the OIDC provider. -> Depending on the OIDC provider, this claim may be named differently. + See [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug + this. -To fetch the current group sync settings for an organization, run the following: + Depending on the OIDC provider, this claim may be called something else. -```sh -coder organizations settings show role-sync \ - --org \ - > role-sync.json -``` +1. To fetch the current group sync settings for an organization, run the + following: -The default for an organization looks like this: + ```sh + coder organizations settings show role-sync \ + --org \ + > role-sync.json + ``` -```json -{ - "field": "", - "mapping": null -} -``` + The default for an organization looks like this: + + ```json + { + "field": "", + "mapping": null + } + ``` Below is an example that uses the `roles` claim and maps `coder-admins` from the IDP as an `Organization Admin` and also maps to a custom `provisioner-admin` -role. +role: ```json { @@ -284,9 +315,13 @@ role. } ``` -> Note: Be sure to use the `name` field for each role, not the display name. Use -> `coder organization roles show --org=` to see roles for your -> organization. +
+ +Be sure to use the `name` field for each role, not the display name. Use +`coder organization roles show --org=` to see roles for your +organization. + +
To set these role sync settings, use the following command: @@ -424,18 +459,21 @@ Some common issues when enabling group/role sync. ### General guidelines -If you are running into issues with group/role sync, is best to view your Coder -server logs and enable -[verbose mode](../../reference/cli/index.md#-v---verbose). To reduce noise, you -can filter for only logs related to group/role sync: +If you are running into issues with group/role sync: -```sh -CODER_VERBOSE=true -CODER_LOG_FILTER=".*userauth.*|.*groups returned.*" -``` +1. View your Coder server logs and enable + [verbose mode](../../reference/cli/index.md#-v---verbose). -Be sure to restart the server after changing these configuration values. Then, -attempt to log in, preferably with a user who has the `Owner` role. +1. To reduce noise, you can filter for only logs related to group/role sync: + + ```sh + CODER_VERBOSE=true + CODER_LOG_FILTER=".*userauth.*|.*groups returned.*" + ``` + +1. Restart the server after changing these configuration values. + +1. Attempt to log in, preferably with a user who has the `Owner` role. The logs for a successful group sync look like this (human-readable): @@ -459,9 +497,11 @@ https://[coder.example.com]/api/v2/debug/[username]/debug-link ### User not being assigned / Group does not exist If you want Coder to create groups that do not exist, you can set the following -environment variable. If you enable this, your OIDC provider might be sending -over many unnecessary groups. Use filtering options on the OIDC provider to -limit the groups sent over to prevent creating excess groups. +environment variable. + +If you enable this, your OIDC provider might be sending over many unnecessary +groups. Use filtering options on the OIDC provider to limit the groups sent over +to prevent creating excess groups. ```env # as an environment variable From b336e3bc95422f44ce4aaed69a1b07d6c8305de0 Mon Sep 17 00:00:00 2001 
From: Edward Angert Date: Tue, 10 Dec 2024 10:41:35 -0500 Subject: [PATCH 6/7] docs: add new steps for org sync through ui (#15768) [preview](https://coder.com/docs/@15503-ui-org-sync/admin/users/idp-sync#organization-sync-premium) --------- Co-authored-by: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com> Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> --- docs/admin/users/idp-sync.md | 31 +++++++----------- .../users/organizations/idp-org-sync.png | Bin 0 -> 81509 bytes 2 files changed, 11 insertions(+), 20 deletions(-) create mode 100644 docs/images/admin/users/organizations/idp-org-sync.png diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 9ad90fc11fdc2..c089f93e4206e 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md 
@@ -420,36 +420,27 @@ settings, a user's memberships will update when they log out and log back in. Depending on the OIDC provider, this claim may be called something else. Common names include `groups`, `memberOf`, and `roles`. -1. Configure the Coder server to read groups from the claim name with the OIDC - organization field server flag: - - ```sh - # as an environment variable - CODER_OIDC_ORGANIZATION_FIELD=groups - ``` - 1. Fetch the corresponding organization IDs using the following endpoint: ```text https://[coder.example.com]/api/v2/organizations ``` -1. Set the following in your Coder server [configuration](../setup/index.md). +1. As a Coder organization user admin or site-wide user admin, go to + **Settings** > **IdP organization sync**. - ```env - CODER_OIDC_ORGANIZATION_MAPPING='{"data-scientists":["d8d9daef-e273-49ff-a832-11fe2b2d4ab1", "70be0908-61b5-4fb5-aba4-4dfb3a6c5787"]}' - ``` +1. In the **Organization sync field** text box, enter the organization claim, + then select **Save**. - > One claim value from your identity provider can be mapped to many - > organizations in Coder. The example above maps to two organizations in - > Coder. + Users are automatically added to the default organization. -1. By default, all users are assigned to the default (first) organization. You - can disable that with: + Do not disable **Assign Default Organization**. If you disable the default + organization, the system will remove users who are already assigned to it. - ```env - CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false - ``` +1. Enter an IdP organization name and Coder organization(s), then select **Add + IdP organization**: + + ![IdP organization sync](../../images/admin/users/organizations/idp-org-sync.png)
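Review bot: The note rewritten in the `@@ -140,12 +156,17 @@` hunk of [PATCH 5/7] carries over the typo "You much specify Coder group IDs"; it should read "You must specify". The line is already being re-wrapped in this hunk, so this is the place to fix it.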
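Review bot: In the `@@ -192,87 +213,97 @@` hunk of [PATCH 5/7], step 2 of the role sync Server Flags list ends in a colon with nothing under it ("... server flag:") and is followed directly by step 3, "Set the following in your Coder server configuration", so the `env` block is attached to the wrong step. Merge the two into a single step. That step and the Runtime step "To fetch the current group sync settings for an organization" both say groups where the settings shown (`CODER_OIDC_USER_ROLE_FIELD`, `show role-sync`) are for roles.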
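Review bot: The troubleshooting list in the `@@ -424,18 +459,21 @@` hunk of [PATCH 5/7] ends at "Attempt to log in" and never tells the admin to turn verbose logging back off. The filter `.*userauth.*|.*groups returned.*` is there to surface authentication and group-sync entries, which is identity data that should not stay in verbose logs longer than needed, so add a final step to remove `CODER_VERBOSE` and `CODER_LOG_FILTER` and restart once the problem is diagnosed. Step 1 also reads out of order: it says to view the logs before the steps that configure and restart the server.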
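Review bot: Step 3 in the `@@ -420,36 +420,27 @@` hunk of [PATCH 6/7] sends "a Coder organization user admin or site-wide user admin" to **Settings** > **IdP organization sync**, while the section intro added in [PATCH 1/7] says viewing and editing these settings "requires deployment admin permissions (UserAdmin or Owner)". Name one required role in both places; this setting adds and removes users across all organizations, so the doc needs to be exact about who can change it. The retained step "Fetch the corresponding organization IDs" also looks unnecessary for the dashboard path, since the CLI table says the UI picker converts the selected org to a UUID.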
diff --git a/docs/images/admin/users/organizations/idp-org-sync.png b/docs/images/admin/users/organizations/idp-org-sync.png new file mode 100644 index 0000000000000000000000000000000000000000..0b4a61f66c78f8918bbaf53e5d9969d56aaf58bc GIT binary patch literal 81509
zRIioTyK(*}az?)wFKLC2*H%-f&3fL6Tg;gcP6tTifixbpciSSs{40F0YcWTi3?}K+ z^9gpxqp}Lj%!Y}SdisEudefDQ=5*lvZFXGV@f$T$GZ{HXfgXV}&DJ^WQYnV#f0@;b zavY|t#otcU{G75(LOx_8E|U&PNmQnXh$=f@E3_7?TOQ1fRMAd~A1-F>+cD-MuSewH z^x)LZet7&*N=e-x#Q|K$+$L&U^zG=rd3F#XNdB-HmX-i zjlJTl3tR8_o>zU?B2AIc-4i{>(Dd5$(R1wiP($Lr*L8B(4BW5>>2gO(J*rPo;Kk&K z!R<5us?2GGO*2)&@^DPFrlGMQpG2wG!v@7xh~7p_;YA2OiMJ0v_0v+p6i=HLYwhqU zp`Zfj{L{t(wa;9cJ^Z`zH>R3=Q;0NCgGL;{8NyUE4Pl?*7u9FJ`+%v>S64GL{UT^B zcQK#jrzhZYTFu`#3^aGaeALj`6Pkg0`J*0|;q_EfqMB%x=kMKpPB~EEUK^pX&*?b` zXIY{(ASL+ScG+2!O{qwAlA5W2pYxCGt;Hp?7gTh{Q`kFt)oVDTbn{G%SZt7;di|7{ zB%sJ$D*+9oI)|dREI%*I;IPXGA8_I5@e8a~EdWY4>%~o_ba$=oXL_K6nlxFEyZh0Y zS1j*6kuLVMVGyKDY+oxVA>BG@mX^EBS!yb(-1C=sXY?~xhOn4j+qUUWSz*SNM=cao z<)v&HPs%)b0R-jXCvOE!=3i44%DWW2*dt~F%zkyd6lg5MMHH46NP|^NfQ1-Nr*&g) zZ=c6$Pas6p5^c*on;n^0Pn)=+efth=dK&v)v=;Hq`u~J8rYD4#?ddWY;Kn{o97y;KU@y>UZx1uF^$YA)%3;DjGeiduvHR zMVm6K<`J-H$~1Er;A&b=;0Ev7NA>Z8=>u{JazZn zK)0QqCZ{1Nov45JXB?_|OE{$4K|3dQbu`20re7L0BPsm-C4i7>Wu7Vyxs2&w7L`c9 z5mzROg^1sk;5qncS!!s|v38^nF{EQyA@517`=*GuTd9Z-6Ky`QJQ~pts1j^OJ|@Jv z`*S4Jt9GG>(#eEdtfD?AhXwq#goH(-%1djR*sd=c_;#7^PNt#zTP49kXj<#9De%n^ z?kgHtef5rZ>t8D@H4|p5NwOpLEsh2Y1r2IZSnHh(CS%i)b8;nNo3#GD993MZ;JntG zs|nUjuu#VC&E+Ub1ueyN+~FP`MY(VX)mkBY%d@9;S0M$ESFzaba@#@naZPY?&$EMN z5ZDI1+-cnr>@_c)YGMiv@iVOMf5{tB8Di@XYQKhOa*%)pVnb}CEGl&#@p8btM2s5| zJur*td%N|%=YlB3fcR;R;}hNYKjwFf>Sv-s3%r_Z?$gk>X>nrspU7ZtY z`W_#Pz1zH;8YWqdp3Y9>#XXY7d>=Vi6o;2%j-U3R-2ScgGCXSce6rkWjzy<#d6~(> z9_}D5E9Gq?BH%X0}xA;g;;^8VzDUllBGv-;;{uP^r3eiD>cyFsj zG(f{S9VkY1XSYcA@fd$t1ilMV)bu?@r#slA@meFZc&T`f`-}Gh+(YtxdZtY#QmfJ1 z@#YC7A(^E*I zDn5pJYl-?tKQ<0c92ztpe+x1Rf#t}n2MGYP>?L2TIw>L$%9SEH4#=-ORVS1KD=j|~ zIx@?keijR@(mByWqp7VybD)Jj)aytQ{vgVNO||`m!%q3WiEamo*`N=5-6xSg(b9J0 zufMEJSsV#DX82G^)C%lpjS-N1}@i^?xuZd~d4sNtvH&dU(EM5yRKHr49PB{Q{CHzn}f9~iUIvuqn3 zidgQDB5fi&+Ovn)h$rxUoQKQqtJ^6;Hu#=4B0iNNn5#9mLdbhB!Yh-W@fZLF1JxTP z(>m{QL#)GhS6(+*&d>H{I-CkNC zay+Ek^&sWDQMnm@or@@AzU~*`&Tpl-C1LdWv^^}pOtPZ++-JnEAw2UnxS)aE{mH@%t&xj6Zk8aY;^CK=_js&C1no5%(2(pF`(l 
z&%zi?E1Ri{DGR#sag3tT_MqwdS{rKNBMJfMsQU4UUGoucY->W`A>UKuRzZYMqKQGT zr3^EmZf1=b^1?7h74pM7CW>@4Lt`X7YF8bpk_WhzvDJ>fK2J`u`H=YP9b{-$$m9`l zg;)Cl{Qd!mw;y+OkY=L(OW_m4vmpU8z^!B(o@>{(yhVS!{G z?x&_M(aN<wS-SYumSw!n&*Bb(cKLpZp+zk0$U;Q78XmOnVnm z34a;YXE;s47>KMnf@ntI9ZCJvz5<8*WvKCwvI<43zrk7AqC3YsUY~v=&RRCbR|Cni z(TvinGiylG1U(Cmf*XOkNOxX`XZ<9F(`$s*BHB5+<8i>Pbm-4lI4aKr7YYp;U7khvUpj;M8N5}FzqNvl=gf~vygw4xNE8#T8W`j7wp|H&B3G1A zYiUmLL;UJw+_VED{e2#a)w8q{b`KJN{*6HWO9xX?4HVYZG4V_Axjun~=zNRE-XGKd zJ}V&?7|C<+HWT32v|``)s6t{)P=)L7@_x^7=V$k6#GJF40!ciaTHJdwq>I)0cynL0 zuEfr_8Z98JUHqpXk3V}C;O(7xMfAahfX8RWv#Q71; z775f)==_0M|Esx3(wO!EY{mM2&?ySpH0XH={h?*}&z$q*jIhxs_ zlvf4)EieD!iI_>yB#xA`o9aJ{MmHkp&Hukf$d;S4Qa|wA_`x;X_hsMZ5_Q}CTLyFb z2cFFH)cdv*(+W;VBl}W4;8ye=dsophy$zs!kMt}t(APPyMAoHX+<={X^i%tpV1$Xv zmkeYfDOTRb`1E)0%Uvdy0*#C(wgFoUZEakkC{^|0+P%+QADarYZeG=W_nfKSR=m;g zyPUq3;cbdApXma8s{_LC52QS`wR_>Ec#p|Lna&Y%C|&mbyNQHxo!DlYm&RSI@JP?O zlRKy%^0zC^X&vot?nTD+&K`E*&o$fdy8AF)2m7op zmPLqVoUmpYWxQcOHxAhLMQPmHEJbQ7&S{$@F98my4R&LfXWFiyE64U3zb8{WR3%$m zN>|9*w{OmCor4~`$sEh1A?tkTt9fiZ_g=5ejf|00!^Y2ViZo9>aszYZ%LwRcA`bB5 zQq8&~W380O-oAO$7{{TR_^{k%r2B##`zh|a%FlwOJ|DNMGgR)E(`}fHpYiuN7q7Mm zrhspk8;Ukb-}S|hlm#>RK~-t|Agz(Jb4QACMk#`2*M6+^@q*i^G=4Mlv&(T!KDWWd z>&Wm0`2(e%^COvCu24>1c8YQArf!YCLe`gwk|k1cl9hJeqqA0K?Vz#EyT<) zS6v*_rGwh4O^E0vX3cc={X-<03*Bz~E=<;XM)lV`09Ae0mmx=83nXo=%mkXox9j9w zbAdU+dsV4FH=j!UCK!XlQ)K&bsZ6RYdZRo;?=iUT2i)dH@EPqvO(p`@g<-ef~>N{ye1lcqCVM&9dC#fI8Rhs4fumoo4;UZuKGxlCK2 z;C9OmS9M5)f0K+?jzI*2HHqTbE62JfC~EoX^vLkMCBU#=W}wn^b*9Bq!njw8I|EvM z>5*YEThN~*cE|)n$oh1PfTGWeP#ZsU&8QfF%rb1lo>xHOUtSiOngRqub0J<1Tke&cXPj>`iMdD z!5np)F4IjS_jv@hXgMB9?A&^CgwT+TSgIIEh5pg9l!-w%SvAyWH6dwEw5?HOw?&YO z3O2@J0(alioa4zba@qzXRzvpkt|RxFlvA)Szkhj566sav;p^wmwf}3it5@O%5y&5o zT~5YJ66i+>d~ z@?udAHGAq#Wu*9fJ!;sv6Yu+(dEEQrWP5$Dd7o=<-skoS5q+i?yKoEMKC!04`53_W zY!%~nJjitY+Aza(O7#2rZS;6(|FXbO> zJv?Uxdc(h(%}YLQzkTz;rR^{>fIw4c_hiA>)+-s&nZz}&Mnj-$yl~b7o2>&Hbh#s6 zklv#c;U?nl^XZEj>=OToSW4wLb2+$r+2-VDZoG#!=6D4{s=MW@}jxB>$3z~KtZ`;U!G^E|TUSgV0 
z**i+i6rq(oeNhiS%=)N$w0;XRH9t==n#5bt^tI=+_v8xiK-2IR2GjXigZeq~m3NM#P* zZrrsGLE(X1E|GJ4w>Raq&)k@u*}eAPF1XI;!LFWm7Tmy|hU#7dWfC0sQCoA>nkCLj z=is&zYJ*wK{qyr^_oA!*f=aU}`R?u@DW{9-lTFo8pg|g7{h^l(Z`|d6=9~Q&v-;~A zjE)}HkR;oERAQs_{5^%~c+IkV#vJ*QnTMeIbELZ1m%36@D<-gc!sX_v@LtoW>KT=< zm;X{yUXh|%A9Ab^SdAzk=@OT=2j;)5BBug$#DIZb(p?^q?DRa<9g=kdx*!*)Ea&=(_Pe=pmm_E z_$k!k+|_c6IYfA%fF94D>3XB&z%uz6?zj$GR7d4o=|p__hycsS{jQTw`Oj)NS|{Q# zH%Br?AAY+ifUWOp{5sT=iBS@GKBN^;O#YREk3Q(xWWde(jVbvin&x|{jE5lW3jt4K z+5c>C!cI?fY85u9fxrN#l_?!~Gl`JYG?M(?XND|yIkS8eqag7DE%8BXqL9KDzWm8) zBD<$<#?CUnXG#)$Lack5$N1ZtYEEA>9*18rkED#H5*3Ni(jrWSg5z4D?t}u=ICgc9 zE4$m4qoy5~d-n4#`TZX6b=9=|ipI2cU^`)J#pROOb0Xqawh3zWZS{Y%>2Hk^XZ2p{ zXL4tgLiTknDP>7IFHXBgrVnlgrII zcmF5G?%wE0zNNC?;oU)4?tlq$|3R1?aA8^McMlq9bci{n&ZM35{W&EHax;JB5VE`6k&%#CE}4Oi~o(G zk0iV{J$%%k1V7!44BCxifOl=1xBfu9Fw0gn0t{4|ob}=1`=SD*-v3p+O~L@TTAP*7f`zvF0oIKpN(F7#W+~ zQz=0rnxS#(f?;b>Y^u(jwfvV<*kHVbFam=T|HXDpnT_u!AvX(mLn1?&jOXksCA@wZ zOVQRB%&76H;Nb|Niny?y@U)>HwF@*ttF(5?35IAI1W2noXx(LT7$w{|p45{vw+mrVVdh+c?D#1pAsl%bB4-$20(B}Vm6u2WTR&hJ+rqAd?MEBOB-+&>c z@PHA(Nc2=xhG}nnz4d%pIP=X`OQ%oYyke=Kk|B6qQW4E6d)(h?p(6~JYtXBsN`h%h z*NWFjimW4KAzg}ER&1vm+7&g!c0G~J0=_RQ0I@zeGx(P~N9=n{1i=nD0k=0fd{$HI zm)QFpJJqJU8n-Lb#%i)JAM|F7=I&%?lroKvOawLk2;Dh)sP|&FEfzI%={?&3>L`vb zAk`FiSJjYY-?t1{bR}3yBkDg@AUFi{QF=IN-XXK!cFU51onA|E0IDnO(^0`lMs}&Q z#f1WyZ5Q;k?X{=WBrjo*8E)BhJ)@MPm} z-A!eF^KlBkQp!3}$q3`qak61mYZ2y+Fjvzfoi6D;rm6J%n%z0{d&|*77r4C)GW_j9*6H0WFAmNrm;&+3*mbGsiZVylZgjw%jK+*i%x>X52rq@1pq2 z#!BCQqe4J{i-qlf!@XEk8T8SJYXywbcINd3aTs6TXebfGgAvzX&>dE- z&#$80W=_*zDk23~6c|PFeqOi}>7L`E@2A#zNsGOXkEJ6xO-saLvX$KCt!<1PmOlja%P}Tzvez?@=FT8h`>8gaj9k z(RSdlHRI}M`&N^Xn3c`Fsy+#I@Ph*sH@VK|FW>s-C;}|bO4_%FZEzXiD7+OgTlh9O z7l6_}CMAVkYzFZ$DM?=`t^I`gpndmJVVVr83w39qnbRwx1-fM2Lka$#avqEj#KmKl zn*^Aq$EdKi#x)x@TsCCxE)R1A_c2|pH#oSW${DHTN~!_b+ZA0D1LgKRe)tBp;-O?L zt=CLl72Q?3!O4U%$HNSSLJnBj8qrzSD*WIv$7a?(=j82t7{(~bL4wG3Q=FM{7w_}v_zdtgn4L5 zHlu{3i*8?`?#Irh6z1rAuT?~m9zR>D7c5NFOwOLfunrOjvmQw&=Pfn4or^G7LB*pg 
z9%x>?$ze2c2$#05A=x)8)_L&^7gAVM3WQ<`bkBS}^Xm;ESjMn_PnHSj97=KRdMyA+ z04v@(yu_f}Oj`Rn00lghLX9ds+@~J9Uy_m90^^6f&AKW}`erk+%>o&iXtnUGi@IXI^X?@nWHsUoFRHZRwF-Tna%a{5_b3d4M}vbO$esWII=P`xsem(8c~hZP@-) zn;>qfdud`Flg|EXCq1lc^F#Nw)zN$mj%H$l7c}fs$6ya}_nUw=cn+?VdD|9D`Fg@h zsiUdbnDBr2(dY22iE zWMwga5@WlTxv}_+Pv`%V1k3(eC-abN7cW*F2ey5Pu4WH&azXFDuZ`V|xuCH@Ij!Yb zU0n_icmHT`srq!q&8yHPJUES8+`U&C5+eJ|6)&(4X-R^4n4-d-=eM#9eDtc6GbTu} zthni31RkyJhu$c(qA`<8;3>yeFn^WD^Xz&KW*0qtm!xv0)3MNLD>lFUbE#N z4yU1t79ZuS=WDh}A3KpBBr4`8I^>Svh?(=rB|sF<9;-}?F*}|ObySbdPEbsmm807q)c7s|A1=c`9}l|VnToOg634|gB&DR7FAnf8do)RZ{JSA5hN z4iVNCscJSJGwZDT92VMP8_H`*zQeEO0U=%{ho+xythX)VKyYv1bFv$&(}g&WQJLhN=qc>)hUd%?Q@X*mYHB1;S>ht1ZNfIe zZ8wLMW|FRZ(U-b@2jFWsOpC;B>Z!%-kd;{+(O#RIX>)T&`6pJBBW}zA#>EC;Il<77P%}lN@opSrk_ZthPW(`vHKH0iX$}6P7t`nUH zcS)b}(Fs;bx?kk_T*4Rj3Upf#Sq~W9E>Cxl%FA6t@ZL0+8r;gLk(C2(@p9z&5vv%kN+}ZEe}f{96BcOwDRfM$^4N*DM*IvM+2ELxQz| ze!xZM;%8g4=z^~_(VlX|S;NxDpL^en{h`;FZMV!Nt`(3JyyH&762b@j^GBJeW{Y0^ zSy*eGAkmf9c`Hu_U$E7W>}STzBHm`>3rX&^Ocai;XkYSsa<&B~#q!d3!o(*(#jM%L zTm~%ZBbhvmJm(~5Cl(qWPYvs5p%pcp=0oF?&2gA|3X;y>`P31$%(U-rKk3U>gS{C6 zM{A9KegQNPy_JCLlYJGT0>hb)9;Pv zbOS$S5Fz4rm1d`m2d*aT89ijKmZD7U>MnkIqS*|}0qFdC=A|CZhR|*tpsVYy7%QZ- zZFS3nKj08b9byF1Tkfr%?wsZidtrE_$n<M@kvwS&uV(+fL2&lPGKLN_#MqT34m$hC1OU2rwT2-=o z@U}?XOrjYiw{FH|rof}+ZKAW=bInN$rYqZJo9Wc#K1+i>fwnp5p(nxO*h(St-Qy1{ z;MtKr9lgC$3bWq#+o^27bX=I1-bBS3t)Gplwh?&6MES;D_anb$Y-&&0?mNwELfX`8 zx_8Oyy$mxmOh8b|%~7thp8%YTkXy$Czx~F86m#DO>Hz-(36qMOK=4Yn&>o3%K1t`~ z%s3#c)TE2A%m?W@aq+2zdKo4K3EK9VA8#r>S8w=oV}@`1(!qf%-EZ5yZL(-`*T7^y z>iX*H^$_41KeYC(+O6a-Bq8d^?-q7a+$spp`xu$Fmx=0hh|V%Uo1`m{Co70*p+GQA zK?cIVhb-;e$*3Q+`FcZ?r?I@=w(Vy4KUsPTyGq5r=N$YB{q@5 zuU7SdxF@4>HpjV53-kI4Z1*5x+8S+nhMAJOKF+pBYD zK3jZ7$Ts^hF@hK~X?H&Zz=RY#>vH0V+phiXiDT%7<9)nq;C}kG*gfTSvMs;V?)s*9 zNYEYu7z2#e3N)}&AuRX02w3n7cs21fb+6)Dj^~IEurS#**^ccAI01c>9L| z*%LH(z{!WD#hNbZn=7hWh$%v@l?&TXTK?irf>{xnrd~69bTW; zWxunG7sB+aXex3)pvXATMmpHO#eiXZpz>Ob?puc{z#WomlHGsPRuqgKwv+Poy04;{oIobmTPix6zBA_LC~7|AjePaAH8Brs8cC0mZ%!PIlfQm7_Q!EF 
zKM$9vzZxk?LsI=wCTFH>!JU%F+U!=kLckdyZTZPp*E=;eHQ-TY?X%@{exFl^&_LDC zK_j)fJ}xGe<_Yko+Mj6e_A+f^-DZzkcmt?K^%V6yJh1^CvDI{Ov6`XZDoFij0en~) z>=i@U79p4DSfgs{}PW>f<@q9e4;tjn&YA$9v*_{@y{K0})4(%UP;;mLB7 zeaB{Cs{Oln8;MO?Hzj)2bBR0#O?keQe{M5Bq;Vvkn=Y}?N_)E%zA~B%b}lI^^H5tI zr1~BGR_Em8re*=JcZyziFKdr4>1Bj(++(o28(?xK=T}x(S{5f7umT#D4wv^H$aN@t zByX4q4F_8I#jVn62BiyFcwcz$@UZe6R<=#OB>LvyCA8T4O)eSWr(egpX+J>-m{Msm z%K&;Wb&-@4gQ&QZ_jO$rAnIu&ut@tve8nwU!x5cQ{S@A4@-w~W2livV9b>#E#!NHe zXWfrvb|SGsv8$w6_R}}9z_CQ>Sq>%~uArh6NdE4f9z03JkGHMed85gZ$Iqs^5}V9z zW(yFI|HNzjrYU}0<9NG&yyLnybaz@rSXdnIG%_;MO#1G&S*+$UtpcAx9XAk9&S7}Bs@ufFxH0Ci|sbWMkAUgV$h7$hREUZO0sSOE4V?_?Zit8Fw3qtsQ0 z-_+AN(lCt0M72#r_zkzDLJQg~Fs>_E8?VkVV{ax7uP4A{Hn0 z=$CDK&vn|FjNxQIXzAPX=UT8~jP;0GSIyQOLrJ$;q_zVCTjj_+`3wPIg(3vO-E0c) z-o5MF>gWuY)2%eOnlX6a`w0fcK?upRCx=G5Rzr6>*YZ@8T)1$?UQ!1GXMRpK@IXWk z!y1^GApE(aOV2achNqg`?Ul6qWU4yypG zU^`j^DaewNGAVb21m+LFlR-q$3O(swHDM7MP1B*q(H)v;h*flV&*xNpsb@GKBw+2U zJpML2W61tvMfHtrlliV~G56lOT`zdc`f9#HD(*_{hn|7{e|*UQr4|f?$o3Zy%;4P( zBgDd14Zg#j34zBq&dj79OVbU765cRnvfv$2(U2NURoj$jd|duWoYwguIU?N4I2lNV z8?Es=KC3R_J^|5`9w9kCT{ry8o$E^rXEP5rqrTcJiF0JbvH7EH#^rTOw@i0$0_U~xh}edQ#o)!Nx! 
z8zasO%18y#2Q%r0epnA{_Z!nTDTBxJzSq&g>5fz%&XrQ=OBJ>keE-U4w~xbrCXQoX znA{3{vp795F>BjqR%`d`Gc&@}GP7}NZ=|L`w_axa#H%=_P}pT0N`dZA6u zX|m1TFPiX0%t0!1c95hayzY?#N0y=ea@A^q{eMOWomf@Qw!{h#deny9{j|VP6G29& z#_%x8tMb8v2f=;jf&I*xGVdwi&g6WVA|FtpyVJmzgNqqgRD3;jUuZ??9K+*gDS}|L z;pG<8=D}5*_?Ug!bk9g{sp1nt7OSo-SUyZuZC4&tx%Gd8s?P+I^1Odl*Yt3(5A~q@ z-pRMpcZ5f+uQ;Z9jk6r;^yd#O41AC*JiQIO+>D)FV%m)9n~Dx5j^_rmhVJsDl=op5 z1yFUy#|1P#VbRRBr*$`j?t_xkQ6QsD9h{lOh1$;{dC}z{N7%A&9Ozj859>MmlHhm) zUjO9KwP?r(?$x}mdyknUs|60uLDE|646M*v`8co`5*cy+5jqiiq0!x(!A;) zo}SqbchCoK0LT0I{}7npGNZzVMjC8+*#E0Wzg3C0=X zR(P{#y}iRMLd4N<|8y6={Cp(B(M-he0_cdg5T0?mbz|&AZ=;PpZXJ`h5;na=EB$Ut zh@HKC3ymEJI^nuMZ)BXTKB!-gjz~TOR1UIq{!P^XE&Gdd?C4zuis3h1W#tI{{H845 zx`9sEuEe0)I>P{MCZ)G(9GOH zpKP(QHeBr5?6K=YZ70o_jHmtl&&6dRN>&+n5&;c|Wb1Dy@)~WC3geRim`3Q(=W8IK zgz~F4L&>d;2cV4vj}>x!G3N|OMR>#89-X!(!7h8nxsrK-EHN2mL6mmB+C5OesEKqx zN76fM6=so_>>l@+jOnP+F8cogWYCEQ(>w9#SUhGMyJ@r+wSGq@m!S9YhI30(lSH~^ z>eK08zjzL|lTVvg2b0b>-&N0jeXiQcWF7$t8#MJp+aIL+b#QB(XqxdU2WL&GF@!Li zj4=$xr=A40??mt7EuKKHi)aWCNY#lq3ZE>6`x?7;x#x@CFC3jLja+(gPOfBsuH}T# zBH44As(9RGp*Y*r)Z{$3V^I5@WhL$^v>@7d1Xj&5(N+mcLuIS05-RR|Snr8UlcRcT zL-SG*Jd|ZZy_cdxrpdZ0bmBCg|9TFARHlZJgVKvL`GYA>#{m7ZJ_zFK(~{z}q=>Ju z|60S*VF4R&zUvb+8ZuN#fGdjLBob}WmKZ2~iaPHYgbH_ep$}kiyuO%d&kAb1Loa1U z&Y@A4>krhi5GyY&RW^}t*V7-VF2!Zd`ccehn z1hU?0Fp*T|M$~4c#Mx=7Gd?s*3_UnVR-3mHfX=)emPg+UZOTpzoHu_imyGVe3v;sV zi$gxP-_+{f;D$|1P&jnGz;YMB>lVTkvl-c`(fI-4%kq(jW?(PQZhP~<9#0EFD;k)ph=lPuHoIl|Gr_qyY{<~8TM{cupom+5gD+RevT&yR9mSF_mkN7uVm#^Al#8wiazc^SH7=mE-> z4gZ>m%7OW~veINQn=?1kB0QWZx93B{LZ5hm!la&FY6q?RB;$T68%-QeDqzu|tr#ei z!|5IU{`zH~~QkW<^k684^{(o8tNg%QFK0M!- z$_sIYPUCc(KbQ^<5VgstPPG1a(r&uV9;_(^Ent;luPNvjnVLl9wBN691l<^LJA$gE4zJWPx! 
zWcU6@Tj3TIT_N{EYg{SUPH6?5(iv>Q@6M`%6XM z{oKE@oPUiw7QCXO3_zS!#S##~%BPvP$prE<#{);JaL%<#$`Lo9f(Qm(mFjA~Ftb(k90LOQ?Wb zCA`j>0`xYVm!eF0m6fs5Z-*;6WwDhp4`K;EAYJMfPGdi|l|SBO`fp>iE!nIWNJOsz zgpa(ATG=|UVlKRt@TKURt-uOsX(xV9Q$=3h_PNV(x_*)Te@?N$G4pqc1=JEFOm(k+ z^!0~d1P~ZjHnW$XGkN~!it})s#R^1)&J5NG4F7n1K+S|7)6tZbs-Ey);pMJ85MJuO z(KZeJdnNvJpfdpokJxv&Rk!}@7EN&y#~5zZQz-Pec>=e7=VDNwuZvFAAp_-38QBK^S4disDYNd>jTK< zApS4H^nW|}0B^%9L*O=qbNAz4X;2o@!?7e4pH2GqgVmc=Sd(FQ*{S6ga&2+VMt^i85ZN_n z-fs5WK(|M2`lBe1hU7y3?hx|I57~^Kqhh2dC~$jHyMO|iP8MZpt};yMQR>Xq2b9)l z)b&T3TfKjO4Ahm?Sn-BYH#b9?iYt(0`#eB_(l%phjb)9Eg#+Kh{t`Mr=qdqmV@ko< zLr3)skx*1D1p>3$=Is>2Uo&8(Qw`Dc326w5_@&>?X|(U50KsRpc7e+~So_+F!!R49 zoBA%~X3iI`4(mX~Zs72}vJD^Bsr-AIla~j)4RZt&k{>=>8q>R{_Px9v?$GUK>0s_w zm5`EtYG09C_&SQX6KvHp8Wy*5WRBOeez%v|=DdoU9@_ClVf{L`eVb7sZPWMO_I1J5 z59#3BnuUHic3HdE<2fx=;HjBi5g3+$;mP{^=FgBUMqBoVbz#a>Kn&Q_=(tnUq`r?nFX{?e{#peH z|tOpW< zCd=CBt>iDq(#zcn^&El9i;6O}o6f@_0IiTfZtl;5@5BO>#o2pHyMX6qCqi&5PimTr z1p@44PRfcH5g-I7&%?zc;~nt6-Js@p_GVS^;^Hk3#D*{5UOBsO5PCp&e-Y^?8VA0z zb!~YFmaEOjpEJV&PdOcH>r(BSPobH8jdfYPjdY!#0aGIoKLX+}HHhDDLAQ!Q^s}hY z-L2t+l_FKvsTu3fpRul}L_K)DOQ)Ft<%_xTdA@UwxAJ5lb(#7QnA z05w{ej9TFjRzP^`_Z67+2qWZiAHH*z9qlwVYR@Rr)^q;tKu2|CssS0Cmf z>byTqBZ5N-gi|&NL;yHP1_nI|LxeSqWj;Y(yto)%0T52v;9mOHbjN2g-=R9D8f`9C zta^1f-`=hyeICpV)Y(djB#QpIK&nqqbw#(_p!{+{N(XC)2eA67Z(Xw%V z+UTB-qjFmy1p2Nmww|m{K9)>%najcE_#nUQp8D6?r>mHyJ!^1rytX#uUhhL;cUlh6 zFF9?S^0u{LmC>W;%EtFUrncYn*xqbw+c;xl>PL+-?=BzSfQb*P`!abgiq^h1_C07S zOJD%T0fZ(11sD}EdA0SX0m$Ko(}mo-TD>lF!>{X4S1-!+58m-q!#ye=|MBR93)TIly3J$O%MD@}P4!j_cn~g{)f$UdVb9sdygWv6xAF_BpN)VR zOBZW=bSQ!KE6nI*eILhnGKU4rPgV?oQQ)mR-Ct7Xh#p)AYb>Ug0ox{jfk024ZuHk; z(+5DF5K!~IFABC?J@1)C6vz!fmPJXe7)5|R_%eD2NO*gqQK?m3-w)A`uUP*!Vb~DA3QRVJx|;^?YD*!Ak~?Q?t;cq^Sq`*ITP5(SPB=9E$NZ?;el;@ zma}Ow$3Ozu&38z~TOgE{>TM={7UH^}x;Any*mgFA>pJNR(U34XTD(xe(Zd#RS!6%> zV@9Yem8C7BF%nC~1=fXh_#qmOosXppcU$V*1>C_uz=Y#FVtz=sqLQta(JfZl4#fQM zF?css){^iV>3O7t^MxsB(0)84vBCHbAnuf>yCmw0^|ZHtW-WcrPz%#N_D~N#Glr{r 
zBBbiz2vu3q`kxZAsy#7`B}-G5PyKpH7eU6i7@lE4OSMXdFoh-nB)>qt>hQ_xr+R10 zpVXZ7cWJuKF3t^d)FA9%F&G$qEdD5J7;QV_nTZj20o354GMmnqo@SR89xRV#OlG}k zT?PjB-T?WMo{vlE%RzNzZE3p4TeXeO)El7qKD6CQ=VI)>$&J9)oHfl6M z1;S~}D2(>Nyz#O^v(+Oq^Q?|@nT+qV!T>%k9!dZ+Mgjd-B0b0L92u(9Ps(K~RC|{xN#7oySKpw9>biAf{7O*R!6%h`E;eMyLg~>!;#_raysbIxrYTG}H zTjJhoph|ZNnJ!eh+k>{}Ozp`aJ@=Ei_ksH-bF|n^w4U~ngKmLPKxgf3@#HoPvNEUZ zv#^DQ>vA@YcAs;V6Md7?eCr^7d5T!C?&B`l!?0@5PPG}}i|2i|SxkGk-kI3g=FL9( zI&th0LF}bV33QItv^$tM>@f#8!~pROsG9}Om6U_Ts4#mTN-JNPzNUr{iilc~RGN?L zwci*XTxcsip%?wy(bX48&V%%LPQYfFz=p@5f5Y$7>mZ=KALv=Ep5KFJkITBL+(9HF zYD(2;ce*UzGqT=E-pXVXH2#y(?eod}H|}@7GBjVi5sZjBah0RP=K?@0 z+I1yjqsdT>tQR^B%sHlx*oQ%?BjI&57w_DVjZaPad-?(R0omqlB0FXxC`=tKT0Lyb zy^}J3*d>Z49}|GuC*9u*EcRU!!21G7kErI@l9{kSq4D!gK$J7>J>3jE=RM27?^JWw z?!w(40;McVRHtwhR_z(340%!SeOE{~Pn6?vtM3t`QW{V|Q#n3yqSZnj>3x-id%4~U zTODsExAjtX8|7+)dA7sQTn|dy2_d;)^(*STTNyV|m%~W0BmG>ctW&SW&gjj@SBp-J zcbijfx2d*wqckzVs(#!%*>LI7VEbD+iIc0_XL4p{V^Uj5r;>?9weu|}5_=l1=g7Mz2b13cFmRrO~5tAzSMPk7OF^AB|$+yDaNYxm=e z7)MLS4|}U1>aRMallCT&Pv}bV5SC8?3*bZ+1-_|HjQU{YTM{*6+V=4f{s$#DT`gf&xM|!rSl*8cY2z+IBrU3 z6b2n?nJACV3(X>^JTEFjZn%Nm=(vIVY~%nfFKeqoT3nrfAr`jSCG5M59Bu(Kf}GyV z!$4JAj&EfczNls2f3~0N71Hm_8l;~dM<(88oeOvb)nBm$BnI>LkaF5(`Brez zU~Hpckr1>PxRr;dWyU!z2Dv?_!da zhmfeah{8HbXgH>udeVpB*IiSFe$L#7W5IL5o%~b`P_jx-imydK3}sKUX$%_V^ZY$&7RpbqK!pYpktCcPcq-6E`~ehN8BIo^lZvD{G`|4BP*DrF(D?vb?JUUYHFb+q zB>?6QRn;mjoDI6N>BB2i`Q!&Bv}wFfD{#R_5ZpF}#}8(q8YunVi^Zakj~S+}k`O*o zF`WItEEJw1MdN%?gVCef#{ZO*=<0aw&RYBOh&A=G^clc2l62Eli(qxLOVKGdg*iX4 zjr_)*O_U-Gi^zP8VfvtdJ$a^P<6A63#jvdlHGfPS^m_3)pG-@l0|&>b$NT<<=^A_C zn_Ota?LwK9$O89!0%d`9F$>otuf8hGuBZ0=Ca<@nWV&zhxvlEGUU$S>l53nIl>*i; z;<)gSLL5pbJ(>gjr4x`nW`r%JFMD6^FQC#sD&hK(FoH65sY`&yz4F6)5ujm5 zH=t0tWii|K9N$6Yx)+OWeQz?u<;_J#J$nht+`dGT7%dX1Op#de^hP-Dcm%K*lk?}~ zK|#NaXrd&@dCWcvj&HMp#q1YeJdPzOPvzEr`qGHW#d@)Zw&aO)LGRa3qbbfHF)53K zS?f;5S**&w0VGWwETb`-m4$Kn{my+zf`z72j;tgEQ!&(^0wwebHP^k8Seqm&eDG__CdZsPpvL5aU4UgJF| z3RT#y`V#TlgZ2TVNSDddelk0hppQ1iRiORi9k_|k1;Q4hty 
zw7MEzGoymDo%QcG1%*=Jf!5>_$iprEi$LC%4 zm4zUV5v1T=`5EyGF&fG%+SfSm?KB!V`4VD1IXRnm5lak>rf_8FXa}SCX?&%0h*XF} z-&P1YM&(EG=h$kb(qEd5+nm+qSUnR*V)EU@PmHyq-%qtd1Z*w%7Y?lC+Pd4%bGHny zMX_03t=5QU9bw07;v+VV-N#Z28kO1J$NpBP`za6UHi7gXyC|Pf_x^6ax#`Q!o-2+b zua|Twm$?`1r_?c(;cJteM_BKBYlH(P15rZ|hpOL>lR9-VyBx+^`ZGqn=t_^6kTq>7pz+8P{n6OCOTj?aaq>;p0J*yf? zuj*s$`;)Qr#)WPa5z9U|hdzEt&sO60F`!_dqI1|DX|&nlQ4Vh6(EcrO_x7my$4CvW z5Uw8{&g(X&;-VrQb2s15ma7o<()|Mz)$wM)LOzi1!<;TGil!{-PUtWN1c}oVU2z*XO^$E+;-dn9_68br@tYl&8ThC-G3#h`zXmiep|?Fa@z3Adl2>gDfKP>ka8~6RQpP`SW6sJng*;XjRRS{sPWtp zE{CZgjgKGih_&~2_EG4V#|WDYBpCL0-4gAVp?*a6%WNMgbFg)t)4M4qMW%iU6V@ni z^BB?H6R0aFZDl_|CgfKTi#geMe! z;~V#TzsI@$CWKY&g}c10S639Jwsx-KYP7h)hNsmNTPmKixmm37`8vvSH7k`g{#C7& z!=*aww~JQLC@#v=0R4F9UP5V}v$`9r?}it2Tyx34-R6DYGlxj9pgAR=pr-;>vU`~{ z*iNc?&sw+ge^=ftliQ}jkhvmbJgwTtejmcUmyN}u6cKyEXZr77pN7Ww^GwFp=Q6Y# z_eWpznm6d2O^{N(;K5TSqAP9{M${5hcq!tv`$SxO{mF4@lUT`xj0P^G{ay@qQSQ5v z{T&|5CtlJiWnevDAqg&uBr5 zZDse{JEWmhfaYL-G)0KOS{LH1LW$NNRU5EpL^&vJ@%MiNxZ>fQK|s#)Q>H|9 zW>v}Gz`q>`ch?=H`iAd+9IGIJ0o9D?vTD&^pzOcU*^Vc#B@hk}tUju~`3o@pR{KzLMsDgSB)MN)KlP%MTR6GHYY75eR@KV7L-Gx*iq@!alcd zLAY+8^n7*cSP_RBiOXAEgqBQo{}1N(%SL-(;uM)cgOcdnE@ssKOkVjrwkWK~ln?y6nONWJSL>D8Hi6`DoqoGdnKHE~svk-=zPT&A4H=?uw|mCabu?Fj zy;$m7Dm+RR)l4l~BK~e(W^IIYx{9H?I&Ou3ej?x|u^qiPmreLTo?HI25aJge{{?Bb zcL7rLN6+*hP&^ahfwqrS@K6N!o9O@?tb?D?_&M9xHGlrgZuZ}8Jb?xjJA@t=RsAQy z9l+2V1kt{IG?lIRnk2bjuE9>xB2|4C2Z?wZAx~M42S=5WeC*x7Kj_7yd3nrkl?FCq;+1{Y6q90}Q+L)ulk+L}Y?}7I zzqy}hAJ!T~CYkc}R-NaV5L9HQ0IR;I8Ql*}cN-E;8IWpoJ<9ub5(m;? 
ztkmQaLN-+WhIYeD2K(fE)YK|BhrDr6#Ndmt8S&1*6+(Ls_|Lre=HMx~Z{ zA2zy3Q}QZ;1PD@{^Vx8gLOu@VLIBgE8`?X-^@Y-R(?5&nH|krU^06~ZMe7Lvzp3pZ zLBxA-Kw?c)bYmc)S+kdu*PvBE#mK>?_Ic?Y#q>1RB>T(b))jG}Kv=wIj*%_CA4p7< zLMzQaj^j)_<#->2S!|Cjo`%PRO433lTxaVTjKvo$`O@F!EZ^&{BD}))Uis^M3a5SC z`2EniQ!N1VVZu%gKx|UGy^kef(<-S`bsLm7m;LuU_v5R{9d9(3-P?nb4U-UqRNj-E zj2eDZ`T2_`nDKz{arK*N)P@6G0f%RONrw(e4X^MY|J01v#i>4BB;@^ERsJ|4Y_J*K zjlqmQ@m1uTFSrZ{+!);$7>Kss#f96+!TFvZ9!<%RWPNYIkW@r@Wo^g3=s^9xh)lhF zG*#eQZh|wg-KY z^rHFwRb>HH;%YZ1n39O01dzYLYLdA&f+}1$U#caEdhTzi5LRXr5RjO+Lcg*+r!z$t z+K;-}iFy2dcjk~J_M{8FI4uF~hx1N4G)?s>$d9vYGJfF6m4_Ip;@d%4^S1W;>2a-q zq%KXOOdpceyahI@-uxYz5!%ijQCt;`Eh>*)raGNUK2JjkYF*YBsQuL|1%0#9h-D^@ z7^B&8IbBK=ED90~NEEJbdliv#9^Uta1nrDt;Z7ZoT|E`^m;YF<1_=BjlyMb4atd8( zaN&@YRG+CJ;RnLz_Cl(EZ!bG?I2rjV@uxe?x>vfO1e^Nr*=pq3Ic;7cQO@QRmo?2Q zk{U-wVIOqA6YF{W9gAP1Lo4v7e^hVCZ8G~@oHWfPOZc~?L_~D5sl%j2BBzk@tnRR& z3)VWdJp$;>np`;(dS9{_+%k&Q-E9~vO$@#VGzcpRzt=4gWA{L%6<)n`S-9yFFiQaf z0HI-g@St$d-0ve{Ff4>6QE;}`P&9jNC&RNXJ;imA7FT<}Ofl(1lNbx4QN2E_#nQuq zRT&|HfliZ`X+-+dN3cgt-_zG%yO(lSChxTahtI`w^{mnF1-A?lUyinhAw|(ZE)~gc zqa}tC@qet3G01*jbzWZ?cfI$0A=IgRUZ)w3rhub`TC3=?0SMDqqctb3+;8(J+8{X_-PaD+ zA~-yq#$6se!z3jJZfM(}?(5q^4h%2NLj4n;8>gh9 z5U45i)ZfA}(%A)7q+#Q$DLC!ii^^H;@@mIV=*lsZ>9DmuTJB}V$kjm(%U>S1|7wXn zyn&<+`T9p}z0wBmKkx~Oesu71z4+(@>sYsOd~c7ZOV9D*wNH^j)rCap7h>&pnrh(FH?wCC7KQ09XTQm6QO6FoCytoem@=`y~LC=O6K+1X3K3 z2grxXW&GW&|2~Kj0$y%flO^Y$iN+VyXAHoz5=4vqPir^>FIQOo;r0LA8XzRFvQWAI zPiyQ0FZaPbH|BqC{SA254e^UCLUQ)#?rcSDw0CUbEZpVHUiB`)cu8Jz(JO+i}K%M4>PBR}smpwF13uZCTOD_@0P7k>1 z24cHlnUBCZe`*ObG{p!9QNr8F`}>Lz9^=0A9326hTVQV(D|ac@u{HP#LA7DGkczhU zMjMdZkSHG~w(Hmo90U@p35$!MDz65Z6FA-7x|{vV_5|A}eFnor<#y13gb67TSw*Ks z+_06NL!bDC%{P|IQ=c3;jm#kG(5-6~Wj5!*Q^iKR00vtMBDV3d#I?j|i|?DnCDevL zDfVK^%F#{HW_uH3MNZK3q*nx)#O^qaWL~;a)$m`7puQ#1UoCLhOF`YF_X9X*i-i_^ zX4@mlL6W%3K;?C0xe;2rPDW7vp{nlr<=81zGzr%Ws%ZZ#-^=uK>m*;4pQ~J}(vug* zRt@RrcYw{`@)o&`+(38z8;}e0rC$AX9nNfhU|~&s8|K;3vm**3DT<>Uf<|ISmxUr11{wLJvUa#&{!gbQ_Ga_#xv;~=7%ZNP=*G$bxaD-rO*Uy 
zSC8sMQmwV2^-pFNeVrM8Pb1&pN_7bY-kb1cbST7O~$FhI93z0yf zks$B$q;k>t$fy|Bir%6e!<$?~UBh63uI#%w_=5LJlQtvC_~h%L^v!hb+I@GJ z(&Tp}O84<};koVhf!=&JaC)w2&necF+JxCihUiX+OI+O-{-Jtld`5*&vskgn*2rbK zbqwA_m_;HIk8^r;`NQO!>-I>u8jU_N5@9-uScJowaihr~{i^WY=m6IgT5^h9 z{?}vYgV_b@`*5(~fF-cgCwn;>K6_X+FTPLb*C%Ed`!lB%0me_!O*i@}{d%!oC%EK~ zpy2B)NmWT(SB2Ks#v6T#W?ccNN?w;r&fzrOa zPQO@A4|gd#`dq)E)|m|Asf+EuS`3{H{FQv_{9_}STug-jvr@j@{>N8a*tYU`3c+XZ zk;P87sgTCKHH1tn&)#K{&2|1P(;H}10D9nA+M{t^YgujqU=!c~>jZsEQm=aWBXo+tdDV*}wgx&`gFOcwr^mo9j1ZMq9J7S(SVi_#;ENN1GTb=;H-(yeT`Futqw z|F!(HAjl@mGpAvRw@JRoXLyF{Z`W}uJzik*vEPr{nM2-73?LJQN7p#8&7achPNEBe zJ^lROb<)YK>a5kWy63YbDP1N}d%Q~b?(e_h;S2m_Gz5m`jj+As$o{$obC!$oklQJ) zW%t7FGR4RzHX-|so}nVQFE2MJJT&6`5}k(iuVzs?qttyOIqZbA1MH9cARP51Tu z_6Ce1 zE;W`P|M^<1rS0EA3k@ZLX0^e45^=o2N@6Su&*1fj-Rx6{e=n1~4(@mAvGr)iIYH%T zj~bMA9-nULa*BbU`gNVh8g^&r!!O;~yl;Ass?8|tCSuDoi@LK9fBoziM1S|z0(4yZ zMlxJ;JcH{;TtQo54mnmgJS!rC@rJvO!TVL1A?fY2rc6*3z_mE@dvrwjecw*IZ;@&i z8I-;Fe35Row7^yPGUEmo?U%RiDMOwd7CuBS37W#p_cOrI$~nQVi!bpT`Y7D^>HUaD zRP9K!LQTA6=jJdZ@cX#j+P}Y>T@9Lvq5&6S;2zCJU!)^t+!fT=5jIswGlfhlYpP2u zJ`~~MK*g6Ha}Ebg&Zh@6vEIEq`~~Xx94H$+_QCF{lI2i;5Uz$z(qy;G@Frmzk-FwW zH$%Vk5V?!OFSIa;Tb8M_t>GiG(0MJETg~y_*Ssp$+(%yd(Y+8Sq$&G5Jr&m>bYh~6 z;Dhf*;YQcud;{FrUV6bvUI`4KCE7hF;Q4X>Et!1>G zwnLI>1Yt`>9alV!Rc%;NbJ@R1-V*$1CV;uFzlKWna6;nP0I=EUN?qT$c>CntiRkew z*H-bhyN2ASMrejUqL$wLwyV4RpVybsqYT<|dZRf~-vT5~i#bHDr_IF+V5buP+n8!c z!gK~9n!Elq?ki*cGK1?*;}t9X=jrn4kI%e>*WxkRi-UMHCXwq?VN zNdSXsN>|SCVn3m*ZF(a++^CsxvXkCw;>iYbIa4vZX;#F8X35m#8^sT&hKS%}28$pl zYQ~z+jgGpwzFvC_6_x|t#Cy~e5h&GUs5un1&I&f(r0-8)Q{2*STb!qqZnzXo#+swn zblKwH2_yA&dA50P`D^wR0(fON@2!n9=WQx#tSQ9_kjuDr;(D2fjyso_wxyfIqc2(= z-=;9GDbWphX~x&GRn}nFQ`f{#zkDzJhJ1HvaNGJ_NqWmpMxZ?{SqWlE#q+K(Z1+pd z0Ieyd>+5~(e=n8XvRPRvTYNe`8HCD6F5u>Mi~zq1`w{FtdaHHW{v06L!H z|Cizjh}?7D02z^@UD!Vb7{EOYffUM+?jOSZKVcp3Lk5bb^y|NJHyIj*EM_lSl^t2x z-n@#6@V!Y{GIkY(gec&Z%up!=?K%MK8iAvpCMOmrYi)b`*_4Tz;k=NCmx-}Ju(sy8 zQpXYX_?Y5{h+@+8NnROglI~>DvOF2s(z6DfhsUzf>OVR80Vb{rT!6bJ#^KM2;Yd%P 
zK2`AcPG4wrG#~0UUN5j+6LUE!nCIo=%cW3${4mARtfA#hnW?E_a?k1Ct2(Z_?<7N3 zJU4|A659Q70psAr(UD}H(e2SxZoTS=JL(dkrj%S&^#R(6LOmb#*1HeA80pVtRFH7q z5)u;T)zpkwtz2hN;>fcnq56(+!2vD2v)NqPVWfv?k&pbJz>WJ&R;@K7`12_^codL8 z@MvP>G9ZvL0E7zmhnQz12$P&U#ikF5h(quG4n7Ll*JvFUnA9N4|0%~TN@Teni$?m?6q) z-RUB);~XaUK7qh5O8SwZ>ib_SWrfcbG+6S)1o$CwsjO=Eng-8|d^RdQBJ zd>@GaSXlyLIDVr3&q(ZePdia>E8fjCWiye5UlnJQH(YoQ+)7J%-E-|GNgM#LDyOEy?5SG-S8`R<^khU8t$BUVJgQ4MJmFIiQjpCg786F<;hVf5^ zh=HBn7S%_I+XWdkRX>~w?-@&{aNW(;w;3}k-7b9tKaT-M;LbCNet4SWm_0R;6nDK* z?^9yP#hiXL#`lr?FxI@JWS)B#ZYpAyZde;kcjtcHAG^V^?6mO`9B#dwoR@pXpm59V z-f})UyxnxrX617S&8%gS+aL5ky;!NWOiUJWkK2N_^5-sP#5UKcZ~G%-as!$K?vSFa z4G&XO(~}QM6e@W-FVvNQwv)+<$L}EHao$%S)wXQ~iYr%nnoi^GDL_eTf#%rLVrvh4K!H>!?7qXx%fP zGQ@|jfr@{5HSTKztf8A?6ikk_wYBUNly}UDBkfJsl$L((OwUuAUy*t>iKRowgvY%= z=$QgcnO;@y;L!df+ku*ZQ^(GY5uS10wfnpDAcy+iQjOCz{Ey|WMEF&r9_O6lL@SnU z*E7>T(o1o!bzmY>R?x>O-I`B+S0mxD`fK{ds1;;r;<`076zCfGr!IADNWOW1dGzm}Kn&S>7uH)JvTTNt~3eb5Vt05ya%wWYdNTO#(`*q3`b@!(n+oHS3!6J)Mh?;984QZT7>12e$q z7i66f+m@LtF27q9xxXE9tB~2#@ws}K?xrKioWBEF&gUOGo`t;y6YJl;RMBl+=q)WG z12(g!ZrXEc8~OIL%_o}8SHIe*cdAT8Bj!~)pOD^|x;{L;u(+56Bh0|#FF3CQXqa6XExD#wM~91Bv;AI!6A^S%fBF-%z0`wm2az0eD_U7 z98v}cMb0g|Hh5(if4u5S^WXYaiMq-9cy*0ZxUPS#wZP*9>+IHc@jQ|F7|Rv2c=!pi zj)9)X9>dc2QciU}chzd4yMy+-0fR~*pa~SCsa8_23=Q2+I#JTa!P%ZLs?po{bb}wA zlm1CfdwHpJ{(A0P33ZrMySEy)zro=gLd8mgnFcSBF-Sg@HSNoH3q)CbOGps4T4-wC z^Mvk!xDaDqA(pO&~H1dyx43W|2#xhD1+WS-iTMG0uNDd%IORt5f242 z#6STHUuf#uZC}Fa^+Egot?s7F<&+K4i+v$LeZeFJ;1raa&N4%B4A|QCRSRMHJEJY` zjvG@?aXI3d`h5&=1u2x1@r31=M^pHQr>A+T?IkuNsKr;qest3#P*97I4Ex;OHnLNm z(TxMb_)j=)hJbK}Br&QzYM$ZFtTqCFN;|+ASnn*y5c-t9@ zA@n?iWO;kkHxwPW%zJ~pdIg(_@{i2LF+gfQwl6nP$${=LQef4te<$7b2l^|awd>hZ zcFNmVQMV0nLwFn%pzoyKl$DpeQWn`Yb#mhf=pZAl0H@V~KgF=!m=ULQX96N4$SqJR ztMY$Oyd+0<`ltp}aS9O}Z9#o8x689Di_kVNVDGxf@OE?M)*}<| zL7IV0nJju-W>!|$BSZ~`9g@ZqMHIp*qySYIoq#Bhs&1N;1JghqAK6({Nz&ym7pb?n~d5RQPA~ZWtA>y zQc?t@?BUZy1wxIk#pZInhr=58!Z!m0v3yIM@6s&2UZaR3G1v@!W7SC>^mn>DrM~~A 
zh~A^MMcFkW45llx3t_vAWxp*T-vcq{bI>D9B*uEqWRw+%@{|`A+S8%q)&imFY|+Q5 z62Xvfz}~+a#nauvWz zMC~#izOxmXHx~EirE=XIP#F!S7H09G!p=d&9WX|?TLDx^mbz>izGD0b!STTSiz2{m zKc@@bIJPhQcmWP)T8wfiF@_A+SgMyqU!D!`T)u^*VqJrKvGYwzvk;@Y7eVC%als9YCH>Yhv}Z5g2nIxFO1{#0VflV6*pCnn zvMjrbOYM~)tz0z3?V;yV2li0+U$))*P;QNx#uPr3#XLr}H~hh8J2IK}ld> z_bhrf9aXJU-q{TOO)3#$mU9%^;F+habMuuyby57d-2jh=7l|B1+-J6>_q$7sls0Evk3Vf`S$e{SAb z=o0{<_~Cyrm0u4G4Br(lUmPkuoL&w_!7PkhW|Wl_zV_(E$O8@kmhP^eMq&Z3d&)8l zF^r3rOYnHp*#%@}JXHL+zdm}nMl!&VJ9w+Crl#wTk%CAfK>VPDt1JTXNQ+gFCPm9( zOKqaDLe0y)ej!Xx$8L1C?kG6_Q{6|g%&0b5nl)6J&=MUY^%L0>x8dL&N^K733FkgI zUmLE5AuirItlw!L_cZ|TSA%I8Yj)Kg6nsJuD6)Hng>HH}-B~fGKrPY*w0c?&If|)a z>z%Re?!hb0bGpRsGB1PczT+$gv!EG;+7c zA|u%Y=(Bg=Oi!7| zY_oQ!4n5EpH(y|{RKaPVF4}yHc)`l1s57U=P}D&e6O8ng&T_ioR~@3*{ATvn(9c{% zN*4uh;ZHlkm3d5*!L^9>hTR^*qDQHx&vr8n-;)X2eQ74DNpmkIrScI~dw2N+zJbOl zSWs%ciXE{}%&vJBLTFg&@C=XJhm10tnfZn1ZxNAJc1c`1j%xOZJr9l4+dMptib?0G zJVk*gPew>Q1v6w6oD{itGJXAq5xJaxFKmGC*eEB;&4hAXL$-8WkD8E&yCq*#QiWf< zU#-*&qdw~NFHTFwH|*h}8xropokBvBb1P9nW%Ai=wL3HPUrSO&3&z;tM0^O1}% zG^=_vXBvq3nmU~I!f@$>gjvaVR=fJREIj3suOfgF37ch-@*h;NQSlM$aHPOkM0tC5 zO$kpILcqoLsKEXDD+1h)3g+D@UE4T@!3{K6sULBolr!7B6#&OAyHo*N2NjPBCs0yf zKhd#i7<7b{QP7Y1(5` zhDb2cei_iJI~+_SR$pkMT>X3j?2(XCzjhaYb16mx#yr4-x0z?^f=V<|lK_zkvmV9q zeRU>WWKx`p6Z|L~*SkNM%46b+yO(WsVlgfEI^vV2n2-T-QNXv?02K< zzr#<0@AqGb1^9wPGyDBHDRKK>k)mqnvE&^j<%N7{-7hL$)?%5h@BF3xYrf;FNS#&a z7U@`U#e1x90u_4P&w}DJ&xy~l+WA`~cPP(c+RpRh?6 ztBW5aeJ57Q@#~gKu$mJ)JM9|j*Q_>+443oik;{>dWRDTEtgY}V)o=kY%A3|pL^u4QmYtWc zywXj3nYVgVw$h1zS}ApYBoLQ6hHKtGu|+B{?}bZv4TegXGjw=L2~RGpA_{FQY#GBk zvSv_DC2u-|a24=P)J02P`uOv_V4n%jQ{x#ux;`j(Rhi1ZjTcn`(uD-cq!o{YQb_l? 
z_?cpVC41O~u~naB<6dzbRr9v&%OS;94U|`F30~q?Z}PpO9BS$zPPs zP244mV8MsfE!j9zN7*)jkn8Khypj>#Xm%4Z53R#F8aMHp`;M@(`zS3}=cf@M=f#E4 zxi%O7)X#ge>LPYg6a?SCeOrVJE<%to3aWPoX^JP`?N^jhzjttM5(Iz0I<_{(Y3 zfrgq_e()Iv8SnhlMDF_JfOaYjWigP`2~%m+SyjLiH`8;(DGJzOp>S7NfOCWc%_m?J zis9L?Y2miPSDb7mj=8y8V=1x}vqB6-#+)3JsLevcqQ7i2{1V0-cc=2#a7}xBl~F~8uRxW?M65m&bc$?XhWScO9257oGmD8?fc{i`bi}#ZKj5t8e zzE40st2^q8WD*U3NIx=;UJ__rs357<;!E`y65M-HBkVR0>yAu~B#$J+b+wTlTc2vO zXUKp3?M$rLEYlEfgq*jXkEdfM)hw;coLSiaBk!%FqI&zbZv{kNuU7LgPW1q?wf)sPRFO_{a+yvu;g}WG#1?l7q#2L7=&xe4? zfbwcToc(-%?F)B3#5w5v!O2qTU=ptPyxp|;AJfkk*;8hInIhPqg7GN%mqyP;!b)0O z5*aH|oKO%R;p8EOlAcNd+iX_+;~nVTRp3Ee?lto5eROvzJ?G$-Qh`TZjOZ&QHBh2i zl*+3?hVXwCp9Qh?H1gmSUm>yH1tT2vE-#M~wv^5Ps>NYS0*E;Zf=SI!q7k|NUY6$_k&lPor*W(fVUta>G{*kDq0O>$cNojfg zNzr?tE=dM@Vm${u;o+$K`Q3$B@69B$$AkYs|K!k0k*hw zTAx3nYDe|< zS4FMm87GLw2HXBW?G1U!?`ISOQi_jPTC`7$Jq;miXMy06p4IQv_>s zPC$xj1YG4(j^~3P&WZhpR{c@f3pIeU5IYO|R1#AR0~5k9eYx#_50QV)3P(M138$E% z_FpIWBV{T%|8c-`Fne@Wu{QStEbQo6g}Pt{q5Ei_bg9WARH)=3%eTny%QzSp`u@y#$dD@?8& zx+(h_@L!)!iI57Q%_c|j@bOb!*H#QLKFFqi;>ePanA6j5Dy~?gvBw`M`KMm{f2#TZ zS~Qiewt-X3KyK8K+XTn!N;Sv6+DKi{1^5JH&+)5m={T1-Cz zjT90ME}rAVKfF>;{u(CdflpxK?Aq+{tcD0Bm6d9Wh@9@G2}%FVYyWvaQ594!Zb(DA zj?<_aIdEZXHybe*MXG!W`)g(j6{SWH7ylO4I@!#soIt=M{vSupzjwr+2I!8F4SrPp zYb!odvH>l z|H&F|wkrh|kRIcL_@OM}p7@C8J(hAF>a&*6Vwx4?)+le5V1M)Bu1J!c=9Mk2?m4MWevf)bvFe zXpx);Jn3F%(uJl$rwhio4F|HUgF8banzRT&D^uc&|`zS;olUgzEUnk5VRy3Ja8yy6YtxZdv#EGRD zLU3+l;EijoK)(Q7T05QL`tWRLcutnrao1;#i|c6c$5(RJp<-pY^~0Ylicvw$Vk}*m z&AmTUB^}orZkegqZX3niv$9qE9D+$=BPR$!Us5S^-oLwQU`uDIzqhgU zoCm*WsQ&j*uJspPMP&vbYI&WlX;4iJx5ADI6m{3^K3>g=M+R2Tk-I@k*s@b zPP^ZJKcgq0ySiq<=)^mdZjidmodr|FBn}B>dYwD;*Jz_tpV;hV1$I#ydky6)yGxzCO28lG^hzUR${)fA;Km+%$#HPv-`r1P68mr%8p( zMwA4LM=k+AUAp7=yR}%>=<`h5XS*T7e-sE^FAtQ@VDT5Gn1m(zd9`7Ou;ZplI@2ZSI^FenlLG#+m8|Q%*P?j=15gfvb*(jD zzqSgj%cEhouVvbLIl~$|N7&)!-ind4f-0!Xw%F)6-a@%*1HBgNKSfWM46|%NiOGdr zT5DFjB%TApu%)Bith9#@^yNART(~#k z!k+8zh&b5*vxTJ~=8|>+WLP&#KSqQdXvX!rbg$M;(RZv1d{R5Aw^}f`cWG?Ayu2*m 
z6ocA1eSJfbNj-FZwdCtSbKZ4MJmN`(c1x8FES|)c8W3+jAzxZ}B`i6(s`v0=pTm)Hm&?zgMj)@%kRyU;N>MC4&2ai&3&Nk!;zm6vVo=gIjn zJ-6rhr*t7Z^qgMg4?`P}_k3)GzaGx43D(+I77drEQXcLTb;BDpr-wUs)rwcWugQ{; z&QMO4P(iHBJrIjZFLb`HXqN~t{r?yfAfG8KnAMzC_iLFo{@7j(2=K5NcltfO8n~tz zC7NXDJTn|N;|id)(7-}CtQsJ%QYlVJL@mMF_?>E+6;?3tvvNGbnJCh#LhVd?Hzu^{ zxH-jdy}RRX_1a@t9id7IuMkMm}DDZAy-nW`8k@K!-)YSAY zC0dFjxsVlQIB954&|moelz-0qo~Z2#6Rf|pD!)b@i;D2jhW;Y5(CH<%T6>$}JDjlr z!))4{)k#cue{rJ4?+Z2X1xZ(k_~|`byY8822xd0~JMdNGCM3I;qO9*lgEwsbn$VK# zq}erLG=i-BSpnHa^cf~+-LDqCCTz9A4BH0aYE3n4Wuoz4>I*DSrhAAeCZM+(oQSvL2`u#g1xjXhwTSNR&vPF z9sT4aYF8cap(%4>zUy}DaG{*{e^HQllu?UK;PkcCIqFmuuDe+p$?SJK z%}y>p(oF9~+A(0EP`N@$8gSV4JRR!}=^KJR4*%MfyYC{J7PW$kuI^mv%DFKO=75Z# z$%h!-J8F|M(5tGX@Jbf`1L>AN%ITW%{?fbNuADx-iMDH2I|#vc$7Xbkrqmd8%0}NE ztNLR$^7H<$QlI?)y(0Ym2Ipr9x0;V+D;jHKCsmH&%i7M`U=o@fr@Tr&ch`2=;LZ5{NkyvW&9s|R+H4@EO_@x z1a?$oLn!8Q-ZMcgrD~*aZqR!H}`OL#Vv{FnH&a+~{lX{Yf~9udW#yw(QZD@J4-$6}BTxHUy45y!<9WpkJ_2cmIG@nMF8?>FL@8&Jp zP6j_up4>!T`o~BWAfv#F&3XTR_n|*AXa*u55mvY|07g% zh!*`LIhiR^PKK)^Q z^Jf>A?yy>@WV*}*+JkL|o<>*o7n6(_l5$mcw&)&KHTrYCvZuyq{WO^SS5*<64HOz5 z@QpU_^>;U6UftW99(>jmNrzqML5JP$>@j)*U7LkM-48*i9GAv`h6*UTJS=Q_pP$&U z>oU(YzVXd6p2cZ5WZ`X8S`*)Rw#G)tzagK~n!8H1I;aOF4idY&iJ}fLhnAwOeQm)W ziP)?}o9(H|%fy(A^8yZCdzaH^&Smh8S0nk(tLVd?|HwgeP#zyYb8_Bata_e^yB9dK z>^@V`s2lo93!Zx`HSE&qM4FP;qXhbmsjfbxG5Am6L<30;@!O@vLN&d1OJCA%t@e@J zD{@gOCdB`F(DN619gE?gsH%vx1Y3n##|6T*5@d-2XnG*p65Ib|IEx|3xEqzt>=%HJ zSvgtGR>jfi$^&AZ{>S1+OiPKTf~?QT@ZZmY{&!Td7-%Xw5b6|>1}VC~;!pP?0pXg! 
Date: Tue, 10 Dec 2024 15:47:03 +0000 Subject: [PATCH 7/7] dashboard tab to default --- docs/admin/users/idp-sync.md | 80 ++++++++++++++++++------------------ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index c089f93e4206e..f9547cb85af6e 100644
--- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -354,6 +354,46 @@ dashboard:
+### Dashboard + +1. Confirm that your OIDC provider is sending claims. Log in with OIDC and visit + the following URL with an `Owner` account: + + ```text + https://[coder.example.com]/api/v2/debug/[your-username]/debug-link + ``` + + You should see a field in either `id_token_claims`, `user_info_claims` or + both followed by a list of the user's OIDC groups in the response. This is + the [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) + sent by the OIDC provider. See + [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. + + Depending on the OIDC provider, this claim may be called something else. + Common names include `groups`, `memberOf`, and `roles`. + +1. Fetch the corresponding organization IDs using the following endpoint: + + ```text + https://[coder.example.com]/api/v2/organizations + ``` + +1. As a Coder organization user admin or site-wide user admin, go to + **Settings** > **IdP organization sync**. + +1. In the **Organization sync field** text box, enter the organization claim, + then select **Save**. + + Users are automatically added to the default organization. + + Do not disable **Assign Default Organization**. If you disable the default + organization, the system will remove users who are already assigned to it. + +1. Enter an IdP organization name and Coder organization(s), then select **Add + IdP organization**: + + ![IdP organization sync](../../images/admin/users/organizations/idp-org-sync.png) + ### CLI Use the Coder CLI to show and adjust the settings. @@ -402,46 +442,6 @@ settings, a user's memberships will update when they log out and log back in. | mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID.
No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. | | organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity.
If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. | -### Dashboard - -1. Confirm that your OIDC provider is sending claims. Log in with OIDC and visit - the following URL with an `Owner` account: - - ```text - https://[coder.example.com]/api/v2/debug/[your-username]/debug-link - ``` - - You should see a field in either `id_token_claims`, `user_info_claims` or - both followed by a list of the user's OIDC groups in the response. This is - the [claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) - sent by the OIDC provider. See - [Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this. - - Depending on the OIDC provider, this claim may be called something else. - Common names include `groups`, `memberOf`, and `roles`. - -1. Fetch the corresponding organization IDs using the following endpoint: - - ```text - https://[coder.example.com]/api/v2/organizations - ``` - -1. As a Coder organization user admin or site-wide user admin, go to - **Settings** > **IdP organization sync**. - -1. In the **Organization sync field** text box, enter the organization claim, - then select **Save**. - - Users are automatically added to the default organization. - - Do not disable **Assign Default Organization**. If you disable the default - organization, the system will remove users who are already assigned to it. - -1. Enter an IdP organization name and Coder organization(s), then select **Add - IdP organization**: - - ![IdP organization sync](../../images/admin/users/organizations/idp-org-sync.png) -
## Troubleshooting group/role/organization sync
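Review bot: In the first hunk (@@ -354,6 +354,46 @@), step 4 of the added Dashboard section words its warning ambiguously: "If you disable the default organization, the system will remove users who are already assigned to it" reads as disabling the organization itself, while the control named one sentence earlier is the **Assign Default Organization** setting. Suggest naming the setting in both sentences, tying it to `organization_assign_default` from the settings table, and saying when the removal takes effect, since the CLI text says a user's memberships update when they log out and log back in. Because this change moves the Dashboard steps ahead of the CLI steps, the warning would also be easier to spot as a note callout than as a trailing paragraph of a numbered step. Separately, step 1 asks for an `Owner` account while step 3 addresses a Coder organization user admin or site-wide user admin; a line stating the role each step needs would save a user admin from stalling at step 1.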
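Review bot: In the second hunk (@@ -402,46 +442,6 @@), the `mapping` row kept as context says no validation is done on organization UUIDs and that the UI picker converts the selection to a UUID, so the "Fetch the corresponding organization IDs" step that moves with the Dashboard block is the one the CLI path depends on most. If the CLI steps do not already point to `https://[coder.example.com]/api/v2/organizations`, suggest repeating that lookup there, and adding a sentence that a UUID for an organization that does not exist is accepted without error (the row calls it a noop), so an operator knows to verify the mapping after saving.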