nevis
/
adn-agov-iam-admin-inventory
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nevis:master
Branches Tags
nevis:master
nevis:r-52cf67aa5ec5c56333d2605f507c60bb29159968
nevis:r-28d025621af8913de776f24a3d4921835e1af78e
nevis:r-a067bc8dc88872382ee82b06c8c85326557df02e
nevis:r-f1a1d7e9c3345612747d207988ade2a9715621a0
nevis:r-153c4f15e7495a3864d7ae40ed58b6b28b543733
nevis:r-ffccb0ac6d5831789f198ab73f0ecfff9ea38df7
nevis:r-23c975b083c8e6671010e54a8d0fcd4f1c22d35a
nevis:r-bf1e1a83227b7bc159e972c2afd30c158021bcea
nevis:r-df95918aa8e4142dc04a89451ddf5014895f0608
nevis:r-e4c2d82c111d2c9830b4a1e105f7abfc5531eb93
nevis:r-535a1c58f3e972bdefb25ae1db1c6e392665da01
nevis:r-7e9f2304b72a07725abab4c27833af5cdd73ab53
nevis:r-fe4ed6caa67aae0ca63ef1780ad8a913f2e58bc2
nevis:r-209bf374662c383a97fa9f48eab356e6e7ded80a
nevis:r-d06bd972269492f0db33bc07396b5fe3c91cdaaf
nevis:r-3944ffd65b942f8ce7cea4316e8f0ebdd3fd083a
nevis:r-44f6d8070d99d99b821f79434f87f59ce312485e
nevis:r-6d1a097973d3087fdf480117f962998d13f67747
nevis:r-5e1807ca120976e947d4e5b6aa05c8d06296676d
nevis:r-66ba62a5c91f8d0f8df82035e9592fdd8ba3b59e
nevis:r-c6ca6cb3e4f3a8aff1fd182b536a414f9fb8b852
nevis:r-b0f560c0b10f2e97aa1b7ae3be9701a248682aa7
nevis:r-211acafb447f5001c77c83fee80bc5a7815336be
nevis:r-fc7a118257337a208e316ee6a4462321aa742800
nevis:r-7c2f10f995449629ef8fa89163e2b957f298d9ee
nevis:r-04a20634256fe44dcc9c9a6a13c5a3204bb4ba39
nevis:r-27f67f37e3b414468e93a53184b53efab9764b77
nevis:r-030a0c32f7aa373371615e3c88c1e7e33eccfd82
nevis:r-d8899f360bd8076bfa2efcae7b1a2e22f1d86262
nevis:r-26364fed1751c3f2fa25a6fe1de353169db0e5c8
nevis:r-de679db35a5049f78feb4eca1e828eb6997985b5
nevis:r-ff97a3d3e210d49d02eaf6d67d9ba9c3a8eb10e7
nevis:r-311476c16ad3755ebe445f3c8cca76499321c50d
nevis:r-1d84e2f08b7756851dbf2858b12f4f4ff1a1c0d1
nevis:r-0a48de426971dd230619dc6e818d80cdec4fd7d3
nevis:r-bc25f5ce8b5f95963ebf28cf4402570435720696
nevis:r-95bb4b95a4a367e8c9143d72e7c1b127aff89c21
nevis:r-9ac964c1571c0894312e7a8aac3be8b00d7d995a
nevis:r-15a69d979d424991cd9228f9c53d791bb368555c
nevis:r-b674d74c7f0ca9297d32d0956ea52006e353411b
nevis:r-b6eaa7f9026321e4d7f57bdaa6a43d474d91683a
nevis:r-012b3edc35a12cc7deab7ef71a4e2da21b6d5d0a
nevis:r-204c3ed3f252b12ca8d250caad2ff4905e491e6c
nevis:r-d644426f4fbf25fc88801447f895124d95984146
nevis:r-c2c433791be54208e55664fbdee168be7abd768f
nevis:r-b339a2da27694a78cdbeb55b3f4110d11425556d
nevis:r-d3c49d23038672858aa046871cbab2663bfcaf3c
nevis:r-d78f01fd730effefbe799d39eb80b99883011177
nevis:r-dbf48dcf25b8493a86353bec25f882a800ce190e
nevis:r-cf63f13a99c537e7132c544cde2b238ac9f94461
nevis:r-0d4f317ecee462cf51ce783f04b4590ea6d580fb
nevis:r-1389008c7767421128d0ba0b23857bd65a867694
nevis:r-ea50f2ef1ae49b730adae6a5cd141c33b1be1c9a
nevis:r-c8cb0e7eb258b12129e589ce1eed92015ac9b28c
nevis:r-f2e1ef5119a5006e38b4019e4a2c8648783bc86c
nevis:r-6cf60cd5531f9aed26896314800fd102f3af114f
nevis:r-47502e417486789dcc0d887ec040d4cac6e4865d
nevis:r-cd771331fc5533d563e060e912962ba97444b86b
nevis:r-868174843070c36c5da54e3a43d558da046b6ce7
nevis:r-d6689c49db9000249e5cdb88008dd4a767ab0b79
nevis:r-85921ce48ff2018a206d8d347bce4588d9d5e8a1
nevis:r-fecbb1c81c76efe2f8749f3394b2849573c0a539
nevis:r-29c1b415348a6c1b8b32c65f6f40449f8c7765b0
nevis:r-acb2605a2e5fd8b79208066d5ba79edea6f59efb
nevis:r-697ee00ae42fb4f06de995bcb14ad4fba0fa9ef3
nevis:r-f7d5f97ee0feefcae245dd0d18143b4d911b6bd8
nevis:r-3341a3df2b54ab6368125d7df7c223019a1fb969
nevis:r-58fcf0ca3e3e5b189ec00c971320c3f2a1b493b0
nevis:r-112ce1a4645e73488798bccf06fcc474f184f247
nevis:r-64e7c8657e319dd2784c3d579040cfd79cd13611
nevis:r-51ca9db578a2820945a06c2b1f6661c4ee51d76a
nevis:r-7bd8f34aeeebe1debccb6e4932b092cf2b2c4c88
nevis:r-62cde4d69ffb364927e8f40db105fc6d83470228
nevis:r-a5b664b2c1f534aab19c8301f3618a8c5096d222
nevis:r-23274ff50cbcc5dc1409914b80d55bad4f51e4a5
nevis:r-1dde0e16e9fb87be7ccf0c5b36d54e0fa6b61937
nevis:r-559fc1c9e95f51132e6ad328d8310c6ce3073856
nevis:r-e55486a997fb8f6cdab5eac835e6374e73b3824f
nevis:r-e2a46b528dd6805a4a82f38e4801e5e8def1da72
nevis:r-b1d5f212045e9db8b0dc09b8179b66fe96237bb8
nevis:r-c5f277934f26924a111adad9c48735aacd29c46c
nevis:r-88cbcc0bd30dd42f21dbd77bd6bf79b7af95968f
nevis:r-f2438b6b6292fed0d857109f9ec88c915eff860a
nevis:r-937b0c071785a44df35dbbfe5a32b4cd60dc6198
nevis:r-c8a2ac2ea6277d4f605767f8eb567015feac6dec
nevis:r-ef84c92db2c36d8972896cca1f1a957d76eaeaaa
nevis:r-b4b00aec49777df531f73518bd77ad5d0edfffc8
nevis:r-d993f6431d14e03addce733ef3998f4de3e2783f
nevis:r-93fd93206a5317722d27146060f3665e3c3f0152
nevis:r-18b961902a78e25bb25b70d89e03cb069936f68f
nevis:r-81d25bcb96e8fec96eb0ffa1f8d50d658a3580b1
nevis:r-3f309b6b6a367adff58fb1eda8c77ff3ee6fde3e
nevis:r-3a6679edcaeb399052f179681ffef58f8a201c33
nevis:r-5a3774a160a01eaecca4da7268f88ad3f46239d1
nevis:r-e196a9ccae79d75ce062ac365a87ac47c1bd50d6
nevis:r-3ee0c55e56d8560bdaba24fb449512ae22bd6314
nevis:r-4d123b0425d87a62aa5d15f8d00ed90285a333b8
nevis:r-e37ce269839e23116b4525d0367ed9aa9f9d0e77
nevis:r-fe81bcbd1e9f1958f2464914f53ad4eff93e2702
nevis:r-42b819b6bfeb3fa5796acc0dc5e9d2083aeead93
nevis:r-a4d6eb484d027fc16ac743f19125d917effbf13f
nevis:r-064423a6b9b17ac1cc93f3d2e79b812784af29cc
nevis:r-35b4e2e751fe66d08450741c14b1f7edcfd86112
nevis:r-076a9f52a5d15e375fffc95fe1da6f4a3da0c98e
..
compare: nevis:r-28d025621af8913de776f24a3d4921835e1af78e
Branches Tags
nevis:master
nevis:r-52cf67aa5ec5c56333d2605f507c60bb29159968
nevis:r-28d025621af8913de776f24a3d4921835e1af78e
nevis:r-a067bc8dc88872382ee82b06c8c85326557df02e
nevis:r-f1a1d7e9c3345612747d207988ade2a9715621a0
nevis:r-153c4f15e7495a3864d7ae40ed58b6b28b543733
nevis:r-ffccb0ac6d5831789f198ab73f0ecfff9ea38df7
nevis:r-23c975b083c8e6671010e54a8d0fcd4f1c22d35a
nevis:r-bf1e1a83227b7bc159e972c2afd30c158021bcea
nevis:r-df95918aa8e4142dc04a89451ddf5014895f0608
nevis:r-e4c2d82c111d2c9830b4a1e105f7abfc5531eb93
nevis:r-535a1c58f3e972bdefb25ae1db1c6e392665da01
nevis:r-7e9f2304b72a07725abab4c27833af5cdd73ab53
nevis:r-fe4ed6caa67aae0ca63ef1780ad8a913f2e58bc2
nevis:r-209bf374662c383a97fa9f48eab356e6e7ded80a
nevis:r-d06bd972269492f0db33bc07396b5fe3c91cdaaf
nevis:r-3944ffd65b942f8ce7cea4316e8f0ebdd3fd083a
nevis:r-44f6d8070d99d99b821f79434f87f59ce312485e
nevis:r-6d1a097973d3087fdf480117f962998d13f67747
nevis:r-5e1807ca120976e947d4e5b6aa05c8d06296676d
nevis:r-66ba62a5c91f8d0f8df82035e9592fdd8ba3b59e
nevis:r-c6ca6cb3e4f3a8aff1fd182b536a414f9fb8b852
nevis:r-b0f560c0b10f2e97aa1b7ae3be9701a248682aa7
nevis:r-211acafb447f5001c77c83fee80bc5a7815336be
nevis:r-fc7a118257337a208e316ee6a4462321aa742800
nevis:r-7c2f10f995449629ef8fa89163e2b957f298d9ee
nevis:r-04a20634256fe44dcc9c9a6a13c5a3204bb4ba39
nevis:r-27f67f37e3b414468e93a53184b53efab9764b77
nevis:r-030a0c32f7aa373371615e3c88c1e7e33eccfd82
nevis:r-d8899f360bd8076bfa2efcae7b1a2e22f1d86262
nevis:r-26364fed1751c3f2fa25a6fe1de353169db0e5c8
nevis:r-de679db35a5049f78feb4eca1e828eb6997985b5
nevis:r-ff97a3d3e210d49d02eaf6d67d9ba9c3a8eb10e7
nevis:r-311476c16ad3755ebe445f3c8cca76499321c50d
nevis:r-1d84e2f08b7756851dbf2858b12f4f4ff1a1c0d1
nevis:r-0a48de426971dd230619dc6e818d80cdec4fd7d3
nevis:r-bc25f5ce8b5f95963ebf28cf4402570435720696
nevis:r-95bb4b95a4a367e8c9143d72e7c1b127aff89c21
nevis:r-9ac964c1571c0894312e7a8aac3be8b00d7d995a
nevis:r-15a69d979d424991cd9228f9c53d791bb368555c
nevis:r-b674d74c7f0ca9297d32d0956ea52006e353411b
nevis:r-b6eaa7f9026321e4d7f57bdaa6a43d474d91683a
nevis:r-012b3edc35a12cc7deab7ef71a4e2da21b6d5d0a
nevis:r-204c3ed3f252b12ca8d250caad2ff4905e491e6c
nevis:r-d644426f4fbf25fc88801447f895124d95984146
nevis:r-c2c433791be54208e55664fbdee168be7abd768f
nevis:r-b339a2da27694a78cdbeb55b3f4110d11425556d
nevis:r-d3c49d23038672858aa046871cbab2663bfcaf3c
nevis:r-d78f01fd730effefbe799d39eb80b99883011177
nevis:r-dbf48dcf25b8493a86353bec25f882a800ce190e
nevis:r-cf63f13a99c537e7132c544cde2b238ac9f94461
nevis:r-0d4f317ecee462cf51ce783f04b4590ea6d580fb
nevis:r-1389008c7767421128d0ba0b23857bd65a867694
nevis:r-ea50f2ef1ae49b730adae6a5cd141c33b1be1c9a
nevis:r-c8cb0e7eb258b12129e589ce1eed92015ac9b28c
nevis:r-f2e1ef5119a5006e38b4019e4a2c8648783bc86c
nevis:r-6cf60cd5531f9aed26896314800fd102f3af114f
nevis:r-47502e417486789dcc0d887ec040d4cac6e4865d
nevis:r-cd771331fc5533d563e060e912962ba97444b86b
nevis:r-868174843070c36c5da54e3a43d558da046b6ce7
nevis:r-d6689c49db9000249e5cdb88008dd4a767ab0b79
nevis:r-85921ce48ff2018a206d8d347bce4588d9d5e8a1
nevis:r-fecbb1c81c76efe2f8749f3394b2849573c0a539
nevis:r-29c1b415348a6c1b8b32c65f6f40449f8c7765b0
nevis:r-acb2605a2e5fd8b79208066d5ba79edea6f59efb
nevis:r-697ee00ae42fb4f06de995bcb14ad4fba0fa9ef3
nevis:r-f7d5f97ee0feefcae245dd0d18143b4d911b6bd8
nevis:r-3341a3df2b54ab6368125d7df7c223019a1fb969
nevis:r-58fcf0ca3e3e5b189ec00c971320c3f2a1b493b0
nevis:r-112ce1a4645e73488798bccf06fcc474f184f247
nevis:r-64e7c8657e319dd2784c3d579040cfd79cd13611
nevis:r-51ca9db578a2820945a06c2b1f6661c4ee51d76a
nevis:r-7bd8f34aeeebe1debccb6e4932b092cf2b2c4c88
nevis:r-62cde4d69ffb364927e8f40db105fc6d83470228
nevis:r-a5b664b2c1f534aab19c8301f3618a8c5096d222
nevis:r-23274ff50cbcc5dc1409914b80d55bad4f51e4a5
nevis:r-1dde0e16e9fb87be7ccf0c5b36d54e0fa6b61937
nevis:r-559fc1c9e95f51132e6ad328d8310c6ce3073856
nevis:r-e55486a997fb8f6cdab5eac835e6374e73b3824f
nevis:r-e2a46b528dd6805a4a82f38e4801e5e8def1da72
nevis:r-b1d5f212045e9db8b0dc09b8179b66fe96237bb8
nevis:r-c5f277934f26924a111adad9c48735aacd29c46c
nevis:r-88cbcc0bd30dd42f21dbd77bd6bf79b7af95968f
nevis:r-f2438b6b6292fed0d857109f9ec88c915eff860a
nevis:r-937b0c071785a44df35dbbfe5a32b4cd60dc6198
nevis:r-c8a2ac2ea6277d4f605767f8eb567015feac6dec
nevis:r-ef84c92db2c36d8972896cca1f1a957d76eaeaaa
nevis:r-b4b00aec49777df531f73518bd77ad5d0edfffc8
nevis:r-d993f6431d14e03addce733ef3998f4de3e2783f
nevis:r-93fd93206a5317722d27146060f3665e3c3f0152
nevis:r-18b961902a78e25bb25b70d89e03cb069936f68f
nevis:r-81d25bcb96e8fec96eb0ffa1f8d50d658a3580b1
nevis:r-3f309b6b6a367adff58fb1eda8c77ff3ee6fde3e
nevis:r-3a6679edcaeb399052f179681ffef58f8a201c33
nevis:r-5a3774a160a01eaecca4da7268f88ad3f46239d1
nevis:r-e196a9ccae79d75ce062ac365a87ac47c1bd50d6
nevis:r-3ee0c55e56d8560bdaba24fb449512ae22bd6314
nevis:r-4d123b0425d87a62aa5d15f8d00ed90285a333b8
nevis:r-e37ce269839e23116b4525d0367ed9aa9f9d0e77
nevis:r-fe81bcbd1e9f1958f2464914f53ad4eff93e2702
nevis:r-42b819b6bfeb3fa5796acc0dc5e9d2083aeead93
nevis:r-a4d6eb484d027fc16ac743f19125d917effbf13f
nevis:r-064423a6b9b17ac1cc93f3d2e79b812784af29cc
nevis:r-35b4e2e751fe66d08450741c14b1f7edcfd86112
nevis:r-076a9f52a5d15e375fffc95fe1da6f4a3da0c98e

No commits in common. "master" and "r-28d025621af8913de776f24a3d4921835e1af78e" have entirely different histories.
master ... r-28d02562

5 changed files with 20 additions and 448 deletions
Show Stats Expand all files Collapse all files

2
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
View File

@ -46,7 +46,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
tag: "r-52cf67aa5ec5c56333d2605f507c60bb29159968"
tag: "r-28d025621af8913de776f24a3d4921835e1af78e"
dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth"
credentials: "git-credentials"
keystores:

19
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy
View File

@ -1,19 +0,0 @@
import ch.nevis.esauth.auth.engine.AuthResponse
import ch.nevis.esauth.util.httpclient.api.HttpClient
if (outargs['out.JWTToken']) {
// we have a token
def header = "Bearer ${outargs['out.JWTToken']}"
response.setNote('agov.test.token', header)
notes.setProperty('agov.test.token', header)
response.removeOutArg('out.JWTToken')
}
// if (!response.getNote('agov.test.token')) {
// response.setResult('newToken')
// return
//}
// show the GUI
response.setResult('display')

314
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
View File

@ -105,7 +105,7 @@
</SessionCoordinator>
<!-- source: pattern://ac27dd7daad0ca2b7229bfaf -->
<LocalOutOfContextDataStore reaperPeriod="60"/>
<!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://24cbc652d3166c8374eda3cd, pattern://56955e7b6b92c254d7d1aae1, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf -->
<!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf -->
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
<!-- source: pattern://3fd09bb6cfbd34874595c263 -->
<Domain name="IDENT-AuthenticationRealm" default="false" inactiveInterval="60" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
@ -131,14 +131,11 @@
</Domain>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Domain name="SAML_SP_nevisidm_operations_Realm" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
<Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
<Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/stepup/.*$:true}"/>
<Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_NEVIS_SecToken" selector="${request:requiredRoles:^token.NEVIS_SecToken$:true}"/>
<Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
</Domain>
<AuthState name="IDENT-AuthenticationRealm_IDENT-Process-and-Dispatch" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://0f6977caedca600b17221f0a -->
@ -365,7 +362,7 @@
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Restore_Level" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step"/>
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
@ -381,222 +378,21 @@
<Gui name="ContinueResponse"/>
</Response>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://488949a743edb1f46f73f232 -->
<ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step"/>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://488949a743edb1f46f73f232 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Gui name="Error">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<GuiElem name="info" type="error" label="error_99"/>
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<GuiElem name="submit" type="button" label="continue.button.label"/>
</Gui>
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="failed" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="prospect" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Gui name="AuthFailDialog"/>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="user.loginid" value="unknown"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="userExtId" value="${sess:operationsExtId}"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="client.name" value="OPERATIONS"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.user" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.profile" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.role" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.authorization" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.dataroom" value="HIGH"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Gui name="op_idmlogin_select_profile">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" optional="true"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<GuiElem name="submit" type="button" label="submit.button.label" value="go"/>
</Gui>
</Response>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/selectIdmProfile.groovy"/>
</AuthState>
<AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="showGui" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_ERROR"/>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="user.attributes" value="loginId,extId,firstName,name,email,language"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="chooseProfileFromSession" value="operationsProfileExtId"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="userExtId" value="${sess:operationsExtId}"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="client.name" value="OPERATIONS"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.user" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.profile" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.role" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.authorization" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.dataroom" value="HIGH"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="emailaddressDidntChange,givennameDidntChange,surnameDidntChange,languageDidntChange" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:emailaddressDidntChange" value="#{ !sess.containsKey('idp.email') or sess.get('idp.email').equals(sess.get('ch.nevis.idm.User.email')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:givennameDidntChange" value="#{ !sess.containsKey('idp.firstName') or sess.get('idp.firstName').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:surnameDidntChange" value="#{ !sess.containsKey('idp.lastName') or sess.get('idp.lastName').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:languageDidntChange" value="#{ !sess.containsKey('idp.language') or sess.get('idp.language').equals(sess.get('ch.nevis.idm.User.language')) }"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update" class="ch.nevis.idm.authstate.IdmSetPropertiesState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="emailExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="inputInvalid" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="inputMissing" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="loginIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="userIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="client.name" value="${sess:ch.adnovum.nevisidm.clientName}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.optional" value="email,firstName,name,language"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.mandatory" value="remarks"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.email" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.firstName" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.name" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.language" value="${notes|saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.remarks" value="Updated based on assertion '${sess:ch.nevis.auth.saml.assertion.id}' (Request-ID: ${inctx:connection.HttpHeader.X-Request-ID})"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.overwrite" value="email,firstName,name,language,remarks"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="allowInvalidUserEmails" value="true"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<!-- source: pattern://271d024334021208b71ac80a -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/>
<!-- source: pattern://271d024334021208b71ac80a -->
<Response value="AUTH_DONE">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<!-- source: pattern://271d024334021208b71ac80a -->
<Gui name="ContinueResponse"/>
</Response>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<!-- source: pattern://271d024334021208b71ac80a -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="script" value=" def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.error(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', error='failed to update user in IDM', lasterrorinfo='${lasterrorinfo}'&quot;); response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_ERROR); "/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_CONTINUE"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="script" value=" def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.info(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'&quot;); "/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_DONE">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Gui name="ContinueResponse"/>
</Response>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/redirect_relay_state.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<!-- source: pattern://271d024334021208b71ac80a -->
<Response value="AUTH_DONE">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<!-- source: pattern://271d024334021208b71ac80a -->
<Gui name="ContinueResponse"/>
</Response>
</AuthState>
@ -802,6 +598,12 @@
<!-- source: pattern://2787b678d9cce5310a335419 -->
<property name="user.cred.saml_federation3.subjectNameId" value="true"/>
</AuthState>
<AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
</AuthState>
<AuthState name="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential" class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false" resumeState="false">
<!-- source: pattern://fd3912c7af7a88b6342a4c78 -->
<ResultCond name="credentialExists" next="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential_Failed"/>
@ -1282,74 +1084,6 @@
<!-- source: pattern://271d024334021208b71ac80a -->
<property name="generateNow" value="true"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://65330385b309bfe32943c8ad -->
<ResultCond name="generateToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<ResultCond name="nomatch" next="SAML_SP_nevisidm_operations_Realm_PreProcess_Done"/>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<Response value="AUTH_ERROR">
<!-- source: pattern://65330385b309bfe32943c8ad -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<property name="condition:generateToken" value="${request:requiredRoles:generateToken}"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Response value="AUTH_ERROR"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.audience" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.issuer" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="token.header.includeType" value="true"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="token.algorithm" value="RS512"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="keystoreref" value="DefaultKeyStore"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="keyobjectref" value="DefaultSigner"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.subject" value="${request:userId}"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.include.jwtId" value="true"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.time_to_live" value="14400"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_PreProcess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="authenticate" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="logout" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="stepup" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="unlock" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:authenticate" value="${request:method:^authenticate$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:stepup" value="${request:method:^stepup$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:unlock" value="${request:method:^unlock$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:logout" value="${request:method:^logout$:true}"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="display" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="newToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_IDP_Selection"/>
@ -1361,16 +1095,6 @@
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Gui name="TestTokenDisplayDialog" label="test.token.title">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<GuiElem name="info" type="text" label="test.token.label" value="#{ notes.getProperty('agov.test.token', 'missing') }" optional="true"/>
</Gui>
</Response>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_IDP_Selection" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="authenticate:https\u003A//trustbroker.agov-d.azure.adnovum.net_continuation" next="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>

74
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
View File

@ -1,74 +0,0 @@
import groovy.xml.XmlSlurper
def idmSeverityRoleMap = [
"EnterpriseRoleAdmin": [11, "op-idmlogin.role.accs-mgmt-idm"],
"ClientRoot": [12, "op-idmlogin.role.support-priv"],
"AppAdmin": [20, "op-idmlogin.role.idmcfg-mgmt"],
"AppOwner": [5, "op-idmlogin.role.accs-mgmt-nonidm"],
"UserAndUnitAdmin": [7, "op-idmlogin.role.usr-unit-mgmt"],
"UserAdmin": [6, "op-idmlogin.role.usr-mgmt"],
"TemplateAdmin": [10, "op-idmlogin.role.support-basic"],
"Helpdesk": [1, "op-idmlogin.role.readonly-access" ]
]
try {
def dtoString = session['ch.adnovum.nevisidm.userDto']
def idmDto = new XmlSlurper().parseText(dtoString)
def idmPrfMap = idmDto.'**'.findAll
{ prf -> prf.name() == 'profiles'
&& prf.'**'.find
{ role -> role.name() == 'roles'
&& role.applicationName.text() == 'nevisIdm'
}
}.collectEntries { prf -> [ prf.extId.text(),
prf.'**'.findAll
{ role -> role.name() == 'roles'
&& role.applicationName.text() == 'nevisIdm'
}.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()] ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()})"]
}.sort { a, b -> a[0] <=> b[0] // sort by severity
}.last()[1] // take label of the ighest one
] }
if ((inargs.getProperty('submit', '') == 'go') && idmPrfMap.containsKey(inargs.getProperty('profile_selection', 'missing'))) {
// user selected a profile which exists, we take it
def operationsProfileExtId = inargs.getProperty('profile_selection', 'missing')
LOG.info("User selected profile: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
response.setResult('ok')
return
} else if (idmPrfMap.size() == 1) {
// we take the only profile, with an IDM role
def operationsProfileExtId = idmPrfMap.keySet().first()
LOG.info("taking the only profile with an idm role: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
response.setResult('ok')
return
} else if (idmPrfMap.isEmpty()) {
// no profile with an IDM role, do nothing
response.setResult('ok')
return
} else {
// user should select a profile
response.setGuiName('op_idmlogin_select_profile')
idmPrfMap.each {
response.addRadioGuiField('profile_selection', it.value, it.key)
}
response.addButtonGuiField('submit', 'general.continue', 'go')
response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
return
}
} catch (Exception e) {
def errorMsg = "Failed to process profile selection: ${e.getMessage()}"
LOG.error(errorMsg, e)
response.setError(9901, errorMsg)
response.setResult('error')
}

59
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
View File

@ -1,59 +0,0 @@
try {
def s = request.getAuthSession(true)
LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
// set operation's account extId and profile extid
if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
response.setResult('error');
return
}
response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
// extract additional attributes from assertion in session
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
}
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
}
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
}
if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
}
// we take the first one, if there is no profile in the operations unit
def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
.split(',').find{pairstr -> pairstr.split("\\\\")[1] == "130274ee-7e24-4050-9b94-d5717ef52ade" }
?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
if (! unitAndProfileExtidPar.contains('130274ee-7e24-4050-9b94-d5717ef52ade') )
{
LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
}
response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
// ad role based on agov aq level
def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
]
if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
}
response.setResult('ok');
} catch(Exception ex) {
LOG.warn("Exception in selectProfile groovy script: " + ex)
response.setResult('error');
}