Hi All,
tl;dr: The way you log in to hub has changed. You'll get sent to "Keycloak"
and will need to do a "Forgot password" and then reset your password via the
emailed link. You shouldn't notice any difference after that other than the login
screen is different.
If you go to log in to hub you will find that you get sent to a system called
"Keycloak" instead of the former 57N ID. The old ID application served us well
for many years, but had a dependency on a very unsupported and early version of node.js.
Updating that code was going to require someone that knew not only modern node.js but also
historic node.js to ensure the update was correct and complete.
Keycloak is a modern single sign-on system that implements protocols like OAuth2 and OIDC
which means that we can integrate this with many of the existing space applications, like
Home Assistant and the wiki. I have also configured it using an LDAP backend for user
account and password information so we could use this for applications that only support
LDAP authentication. We are lucky that someone has also provided a CAS plugin, as
that's what Hub uses, and so no changes were needed to Hub at all other than
re-pointing where it was looking for the CAS server.
I will be publishing the Ansible playbook used to deploy the system shortly under the BSD
2-clause licence. I'm also using it for my company and for one of my company's
clients that runs digital security helpdesks. At some point it will probably get audited
professionally.
The stack is built on a rootless podman setup, using quadlets to define the services.
Network isolation is employed to prevent inter-container connections between applications
that do not need to communicate. The full stack includes:
• Nginx
• Certbot
• Keycloak
• 389ds (LDAP server)
• PostgreSQL (Relational database used by Keycloak)
Right now this is running on a Vultr VM while we continue to work towards retiring
finzean. I believe the last service there is Hub which I think we can containerize and add
to the podman setup. At that point we can migrate the whole stack to a replacement
finzean.
The podman features we require only exist in Debian testing, and finzean currently runs
Debian jessie, so we cannot do this upgrade in place.
You *can* enable 2FA to secure your Keycloak account but this is *not* required. We may
later choose to require this for some or all of our applications but as this is something
that needs documentation I don't think we should do it until we have that
documentation.
If you have any questions then you can ask them and I might answer them.
Thanks,
Iain.
--
*Iain Learmonth* MSci MBCS AICB PM.Dip (he/him)
This email is sent in a personal capacity. The views expressed in this email do not
necessarily reflect the views of SR2 Group Limited, its subsidiaries, or any other
organisation in which I am a member, officer, employee, or volunteer.
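The message above describes a rootless podman stack defined with quadlets, with network isolation between containers that do not need to talk to each other. The unit files below are an added illustration of that layout, not Iain's Ansible playbook (which has not been published here). Everything in them is assumed: the image tags, the network and container names, the hostname login.example.org, and the podman secrets postgres-password and ds-dm-password, which would have to be created beforehand with `podman secret create`. Certbot and the 389ds volume are omitted for brevity. The point the files make is that nginx and the data stores never share a network: nginx can only reach Keycloak over the frontend network, while PostgreSQL and 389ds sit on an Internal=true backend network that has no route out of the host and is joined only by Keycloak.

```ini
# ~/.config/containers/systemd/frontend.network
# Reverse-proxy side: nginx <-> keycloak. Not internal, so Keycloak keeps
# outbound access (it needs SMTP to send the "Forgot password" emails).
[Network]
NetworkName=frontend

# ~/.config/containers/systemd/backend.network
# Data side: keycloak <-> postgresql/389ds. Internal=true means no egress from
# this network, and nginx is not a member, so it cannot reach the DB or LDAP.
[Network]
NetworkName=backend
Internal=true

# ~/.config/containers/systemd/postgres.container
[Unit]
Description=PostgreSQL (Keycloak database)

[Container]
Image=docker.io/library/postgres:16
ContainerName=postgres
Network=backend.network
Volume=postgres-data:/var/lib/postgresql/data
Environment=POSTGRES_DB=keycloak
Environment=POSTGRES_USER=keycloak
# Assumed secret, created with: podman secret create postgres-password -
Secret=postgres-password,type=env,target=POSTGRES_PASSWORD

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/ldap.container
[Unit]
Description=389ds LDAP server (user accounts and passwords for Keycloak)

[Container]
Image=docker.io/389ds/dirsrv:latest
ContainerName=ldap
Network=backend.network
# Assumed secret holding the Directory Manager password
Secret=ds-dm-password,type=env,target=DS_DM_PASSWORD

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/keycloak.container
[Unit]
Description=Keycloak
Requires=postgres.service ldap.service
After=postgres.service ldap.service

[Container]
Image=quay.io/keycloak/keycloak:26.0
ContainerName=keycloak
# Member of both networks: talks to nginx on frontend, to postgres/ldap on backend
Network=frontend.network
Network=backend.network
Exec=start
Environment=KC_DB=postgres
Environment=KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak
Environment=KC_DB_USERNAME=keycloak
Secret=postgres-password,type=env,target=KC_DB_PASSWORD
# Plain HTTP is only ever spoken to nginx on the frontend network; TLS
# terminates at nginx, which forwards X-Forwarded-* headers. Hostname assumed.
Environment=KC_HTTP_ENABLED=true
Environment=KC_PROXY_HEADERS=xforwarded
Environment=KC_HOSTNAME=https://login.example.org

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/nginx.container
[Unit]
Description=nginx reverse proxy in front of Keycloak
Requires=keycloak.service
After=keycloak.service

[Container]
Image=docker.io/library/nginx:stable
ContainerName=nginx
# frontend only: no path from here to postgres or ldap
Network=frontend.network
# Rootless podman cannot bind ports below 1024 unless the host sets
# net.ipv4.ip_unprivileged_port_start=80 (assumed here).
PublishPort=80:80
PublishPort=443:443
Volume=nginx-conf:/etc/nginx/conf.d:ro
Volume=letsencrypt:/etc/letsencrypt:ro

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload` the generated services can be checked for the intended isolation with `podman network inspect backend` (it should list only keycloak, postgres and ldap as connected containers) and `podman exec nginx getent hosts postgres`, which should fail because the name is not resolvable from the frontend network.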