85 files added and 1 file updated

bundles.yml

@@ -1,13 +1,12 @@
 schemaVersion: "1.0"
 bundles:
-- "nevisadmin-plugin-nevisproxy:7.2402.1.3"
-- "nevisadmin-plugin-base-generation:7.2402.1.3"
-- "nevisadmin-plugin-nevisdetect:7.2402.1.3"
-- "nevisadmin-plugin-marketplace:7.2402.1.3"
-- "nevisadmin-plugin-mobile-auth:7.2402.1.3"
-- "nevisadmin-plugin-authcloud:7.2402.1.3"
-- "nevisadmin-plugin-nevisdp:7.2402.1.3"
-- "nevisadmin-plugin-fido2:7.2402.1.3"
-- "nevisadmin-plugin-nevisidm:7.2402.1.3"
-- "nevisadmin-plugin-oauth:7.2402.1.3"
-- "nevisadmin-plugin-nevisauth:7.2402.1.3"
+- "nevisadmin-plugin-oauth:8.2405.2.0"
+- "nevisadmin-plugin-authcloud:8.2405.2.0"
+- "nevisadmin-plugin-nevisidm:8.2405.2.0"
+- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
+- "nevisadmin-plugin-fido2:8.2405.2.0"
+- "nevisadmin-plugin-nevisdp:8.2405.2.0"
+- "nevisadmin-plugin-nevisauth:8.2405.2.0"
+- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
+- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
+- "nevisadmin-plugin-base-generation:8.2405.2.0"

patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml

@@ -0,0 +1,60 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
+	<ResultCond name="emailaddressDidntChange,givennameDidntChange,surnameDidntChange,languageDidntChange" next="${state.done}"/>
+	<ResultCond name="default" next="${state.entry}_Update"/>
+	<Response value="AUTH_ERROR"/>
+	<property name="condition:emailaddressDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', 'missing').equals(sess.get('ch.nevis.idm.User.email')) }"/>
+	<property name="condition:givennameDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', 'missing').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
+	<property name="condition:surnameDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', 'missing').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
+	<property name="condition:languageDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance', 'missing').equals(sess.get('ch.nevis.idm.User.language')) }"/>
+</AuthState>
+<AuthState name="${state.entry}_Update" class="ch.nevis.idm.authstate.IdmSetPropertiesState" final="false" resumeState="false">
+	<ResultCond name="emailExists" next="${state.entry}_AuditError"/>
+	<ResultCond name="inputInvalid" next="${state.entry}_AuditError"/>
+	<ResultCond name="inputMissing" next="${state.entry}_AuditError"/>
+	<ResultCond name="loginIdExists" next="${state.entry}_AuditError"/>
+	<ResultCond name="userIdExists" next="${state.entry}_AuditError"/>
+	<ResultCond name="ok" next="${state.entry}_AuditUpdate"/>
+	<Response value="AUTH_ERROR">
+		<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
+	<property name="client.name" value="${sess:ch.adnovum.nevisidm.clientName}"/>
+	<property name="user.attributes.optional" value="email,firstName,name,language"/>
+	<property name="user.attributes.mandatory" value="remarks"/>
+	<property name="user.attribute.email" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}"/>
+	<property name="user.attribute.firstName" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname}"/>
+	<property name="user.attribute.name" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname}"/>
+	<property name="user.attribute.language" value="${notes|saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance}"/>
+	<property name="user.attribute.remarks" value="Updated based on assertion '${sess:ch.nevis.auth.saml.assertion.id}' (Request-ID: ${inctx:connection.HttpHeader.X-Request-ID})"/>
+	<property name="user.attributes.overwrite" value="email,firstName,name,language,remarks"/>
+	<property name="allowInvalidUserEmails" value="true"/>
+</AuthState>
+<AuthState name="${state.entry}_AuditUpdate" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.done}"/>
+	<Response value="AUTH_CONTINUE"/>
+	<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+	<property name="script" value="
+
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown';
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown';
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown';
+LOG.info(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'&quot;);
+
+	"/>
+</AuthState>
+<AuthState name="${state.entry}_AuditError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
+	<Response value="AUTH_ERROR">
+		<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+	</Response>
+	<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+	<property name="script" value="
+
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown';
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown';
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown';
+LOG.error(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', error='failed to update user in IDM', lasterrorinfo='${lasterrorinfo}'&quot;);
+response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_ERROR);
+
+	"/>
+</AuthState>

patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml

@@ -0,0 +1,66 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="verifyTicket" next="${state.entry}_VerifyURLTicket"/>
+	<ResultCond name="sendAuthnRequest" next="${state.exit.1}"/>
+	<ResultCond name="processResponse" next="${state.exit.2}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="op_onbrdng_intro" label="op-onboarding.intro.title">
+			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+			<GuiElem name="submit" type="button" label="continue.button.label" value="go" />
+		</Gui>
+	</Response>
+	<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/OpOnbrdng-PreProcessing.groovy"/>
+</AuthState>
+<AuthState name="${state.entry}_VerifyURLTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.entry}_IdmPostProcessing" authLevel="auth.weak"/>
+	<ResultCond name="tmpLocked" next="${state.entry}_VerifyURLTicket_Failed"/>
+	<ResultCond name="lockWarn" next="${state.entry}_VerifyURLTicket_Failed"/>
+	<ResultCond name="nowLocked" next="${state.entry}_VerifyURLTicket_Failed"/>
+	<ResultCond name="locked" next="${state.entry}_VerifyURLTicket_Failed"/>
+	<ResultCond name="failed" next="${state.entry}_VerifyURLTicket_Failed"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="client.name" value="OPERATIONS"/>
+	<property name="user.ticket" value="${sess:agov.op.onboarding.code}"/>
+	<property name="user.loginid" value="${sess:agov.op.onboarding.code}"/>
+</AuthState>
+<AuthState name="${state.entry}_VerifyURLTicket_Failed"  class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.entry}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<property name="notes:lasterror" value="9904"/>
+	<property name="notes:lasterrorinfo" value="Problem with URL-ticket (${notes:lasttransition}): ${notes:lasterrorinfo}"/>
+</AuthState>
+<AuthState name="${state.entry}_IdmPostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.entry}" authLevel="auth.normal"/>
+	<ResultCond name="default" next="${state.entry}_IdmPostProcessing_Failed"/>
+	<ResultCond name="clientNotFound" next="${state.entry}_IdmPostProcessing_Failed"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="detaillevel.default" value="MEDIUM"/>
+	<property name="detaillevel.user" value="MEDIUM"/>
+	<property name="detaillevel.profile" value="MEDIUM"/>
+	<property name="detaillevel.credential" value="MEDIUM"/>
+	<property name="detaillevel.saml_federation" value="MEDIUM"/>
+	<property name="chooseDefaultProfile" value="true"/>
+	<property name="user.attributes" value="firstName,name,email,language"/>
+	<property name="user.cred.saml_federation1.issuerNameId" value=" true"/>
+	<property name="user.cred.saml_federation1.subjectNameId" value="true"/>
+	<property name="user.cred.saml_federation2.issuerNameId" value="true"/>
+	<property name="user.cred.saml_federation2.subjectNameId" value="true"/>
+	<property name="user.cred.saml_federation3.issuerNameId" value="true"/>
+	<property name="user.cred.saml_federation3.subjectNameId" value="true"/>
+</AuthState>
+<AuthState name="${state.entry}_IdmPostProcessing_Failed"  class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.entry}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<property name="notes:lasterror" value="9905"/>
+	<property name="notes:lasterrorinfo" value="Problem with operations account (${sess:ch.adnovum.nevisidm.user.extId}): ${notes:lasterrorinfo}"/>
+</AuthState>

patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy

@@ -0,0 +1,128 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import groovy.xml.XmlSlurper
+
+
+// AGOVaq conversion
+def minLoiRoleToCtxClssConvertorMap = [
+    "level100": "urn:qa.agov.ch:names:tc:ac:classes:100",
+    "level200": "urn:qa.agov.ch:names:tc:ac:classes:200",
+    "level300": "urn:qa.agov.ch:names:tc:ac:classes:300",
+    "level400": "urn:qa.agov.ch:names:tc:ac:classes:400",
+    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
+]
+
+def cleanSession() {
+  def s = request.getAuthSession(true)
+
+  s.removeAttribute('agov.op.onboarding.ctxClass')
+  s.removeAttribute('agov.op.onboarding.minLoi')
+  s.removeAttribute('agov.op.onboarding.homeName')
+  s.removeAttribute('agov.op.onboarding.subject')
+  s.removeAttribute('agov.op.onboarding.process.state')
+  s.removeAttribute('ch.adnovum.nevisidm.userDto')
+  s.removeAttribute('saml.response.statusCode')
+  if (response.getActualRoles().length > 0) {
+    def actualRoles = Arrays.copyOf(response.getActualRoles(), response.getActualRoles().length)
+    actualRoles.each{ role -> response.removeActualRole(role) }
+  }
+}
+
+// for autditing
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def minLoi = 'unknown'
+
+// 1) makes sure, that we are or were invoked with a correct URL ticket, set error code, if not
+if (inargs['cd'] == null && session['agov.op.onboarding.code'] == null) {
+  response.setNote('lasterror', '9901')
+  response.setNote('lasterrorinfo', 'valid on-boarding link required')
+}
+
+// 2a) if code as query param, store it to the session, and redirect
+if (inargs['cd'] != null) {
+  // make sure, we are clean to be able to start over
+  cleanSession()
+
+  response.setSessionAttribute('agov.op.onboarding.code', inargs['cd'])
+  response.setStatus(AuthResponse.AUTH_CONTINUE)
+  response.setTransferDestination('/AUTH/ONBOARDING/')
+  response.setIsRedirectTransfer(true)
+  return
+}
+
+
+// 2b) clean the url, if necessary
+if (request.currentResource.replaceAll('^https:\\/\\/[^\\/]+\\/AUTH\\/ONBOARDING\\/', '').length() > 0) {
+
+  response.setStatus(AuthResponse.AUTH_CONTINUE)
+  response.setTransferDestination('/AUTH/ONBOARDING/')
+  response.setIsRedirectTransfer(true)
+  return
+}
+
+
+// 3) if SAMLResponse available, process it
+if (inargs['SAMLResponse'] != null) {
+  // we don't use a RelayState, make sure he is ignored
+  request.getInArgs().remove("RelayState")
+  response.setResult('processResponse')
+  return
+}
+
+
+// 4) check if we could already validate the ticket, and load the user
+if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null) {
+  try {
+    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
+    def userState = userDto.state
+ 
+    if (userState == 'ACTIVE') {
+      def minLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'OP-MinLoi' }.collect({ node -> node.name.text() }).sort()
+      minLoi = minLoiList.isEmpty() ? null : minLoiList.first()
+ 
+      if (minLoi != null) {
+        response.setSessionAttribute('agov.op.onboarding.minLoi', minLoi)
+        if (minLoiRoleToCtxClssConvertorMap.containsKey(minLoi)) {
+          response.setSessionAttribute('agov.op.onboarding.ctxClass', minLoiRoleToCtxClssConvertorMap[minLoi])
+        } else {
+          LOG.warn("OP-ONBOARDING: Failed to convert '${minLoi}' to AGOVaq, taking 'urn:qa.agov.ch:names:tc:ac:classes:100'")
+          response.setSessionAttribute('agov.op.onboarding.ctxClass', "urn:qa.agov.ch:names:tc:ac:classes:100")
+        }
+      } else {
+        LOG.debug("OP-ONBOARDING: no 'OP-MinLoi'-role assigned to user ${user}, using AGOVaq100")
+        minLoi = "level100"
+        response.setSessionAttribute('agov.op.onboarding.minLoi', "level100")
+        response.setSessionAttribute('agov.op.onboarding.ctxClass', "urn:qa.agov.ch:names:tc:ac:classes:100")
+      }
+      LOG.info("Event='OP-AUTHNREQ', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent=${userAgent}")
+      response.setResult('sendAuthnRequest')
+    } else {
+      // state != ACTIVE and no lasterror should not happen
+      LOG.error("On boarding ticket processing failed: state='${userState}' but not lasterror set")
+      response.setNote('lasterror', '9909')
+      response.setNote('lasterrorinfo', 'internal error')
+    }
+  } catch (Exception e) {
+    LOG.error("On boarding ticket processing failed: Exception " + e)
+    response.setNote('lasterror', '9909')
+    response.setNote('lasterrorinfo', 'internal error')
+  }
+}
+
+// 5) validate URL Ticket?
+if (inargs['submit'] != null && notes['verifyTicket'] == null) {
+  response.setNote('verifyTicket', 'go')
+  response.setResult('verifyTicket')
+  return
+}
+
+
+// 6) if we reach that point, display the GUI
+if (response.getNote('lasterror') != null) {
+  minLoi = session['agov.op.onboarding.minLoi'] ?: 'unknown'
+  LOG.info("Event='OP-FAILED', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent=${userAgent}, lasterror=${response.getNote('lasterror')}, lasterrorinfo='${response.getNote('lasterrorinfo')}'")
+  cleanSession()
+}
+
+response.setStatus(AuthResponse.AUTH_CONTINUE)

patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy

@@ -0,0 +1,37 @@
+try {
+  def s = request.getAuthSession(true)
+
+  LOG.info("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
+  LOG.info("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
+
+
+  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
+    LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
+    response.setResult('error');
+    return
+  }
+
+  response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
+
+  if (! notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].contains('${var.operations-unitExtId}') )
+  {
+    LOG.warn("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has not operations profile")
+    response.setResult('error');
+    return
+  }
+
+
+  notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',').eachWithIndex { pairstr, i ->
+    pair = pairstr.split("\\\\")
+    if (pair[1] == "${var.operations-unitExtId}") {
+        response.setSessionAttribute('operationsProfileExtId', pair[0])
+        LOG.warn(pair[0] + " userprofileExtid has the wanted unitExtId " + pair[1])
+    }
+  }
+
+  response.setResult('ok');  
+
+} catch(Exception ex) {
+   LOG.warn("Exception in selectProfile groovy script: " + ex)
+   response.setResult('error');
+}

patterns/50d6c91ace65f52fa56d7113_roleAssignmentFile/rolesAssignment.properties

@@ -0,0 +1,30 @@
+# -- Semantics: in order to assign the 'key' role, you need one of the 'value' roles,
+# --            an empty value means 'no role is authorized'.
+# ------------------------------------------------------------------------------------
+
+# -- bootstrapping
+nevisIdm.Root=nevisIdm.Root
+
+# -- assigned by root only
+nevisIdm.SoapTechAccess=nevisIdm.Root
+nevisIdm.SoapTechAccessReadOnly=nevisIdm.Root
+nevisIdm.Impersonator=nevisIdm.Root
+
+# -- assigned by root or itself
+nevisIdm.ClientRoot=nevisIdm.Root,nevisIdm.ClientRoot
+nevisIdm.EnterpriseRoleAdmin=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+
+# -- assigned by EnterpriseRoleAdmin
+nevisIdm.AppAdmin=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+nevisIdm.UserAndUnitAdmin=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+nevisIdm.Helpdesk=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+nevisIdm.UserAdmin=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+nevisIdm.AppOwner=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+nevisIdm.TemplateAdmin=nevisIdm.Root,nevisIdm.EnterpriseRoleAdmin
+
+
+# -- not used (we leave it accessible by root)
+nevisIdm.EnterpriseRoleOwner=nevisIdm.Root
+nevisIdm.SelfAdmin=nevisIdm.Root
+nevisIdm.MainAppOwner=nevisIdm.Root
+nevisIdm.TechUser=nevisIdm.Root

patterns/50d6c91ace65f52fa56d7113_roleManagementFile/authorizationConfig.properties

@@ -0,0 +1,30 @@
+# -- defines which role is allowed to modify or delete which other role
+# ---------------------------------------------------------------------
+
+# -- not used
+nevisIdm.SelfAdmin=
+nevisIdm.Impersonator=
+nevisIdm.TechUser=
+nevisIdm.BatchJobAdmin=
+nevisIdm.SoapTechAccessReadOnly=
+nevisIdm.EnterpriseRoleOwner=
+nevisIdm.MainAppOwner=
+
+# -- low priviledge, not accessing users or not modifiying them
+nevisIdm.Helpdesk=nevisIdm.SelfAdmin
+nevisIdm.TemplateAdmin=nevisIdm.SelfAdmin
+nevisIdm.UserAndUnitAdmin=nevisIdm.SelfAdmin
+nevisIdm.AppAdmin=nevisIdm.SelfAdmin
+
+
+# -- medium priviledge admin tasks
+nevisIdm.UserAdmin=nevisIdm.UserAdmin,nevisIdm.SelfAdmin,nevisIdm.Helpdesk,nevisIdm.TemplateAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.AppAdmin,nevisIdm.AppOwner
+nevisIdm.AppOwner=nevisIdm.AppOwner,nevisIdm.UserAdmin,nevisIdm.SelfAdmin,nevisIdm.Helpdesk,nevisIdm.TemplateAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.AppAdmin
+nevisIdm.EnterpriseRoleAdmin=nevisIdm.EnterpriseRoleAdmin,nevisIdm.UserAdmin,nevisIdm.SelfAdmin,nevisIdm.Helpdesk,nevisIdm.TemplateAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.AppAdmin,nevisIdm.AppOwner
+nevisIdm.ClientRoot=nevisIdm.ClientRoot,nevisIdm.UserAdmin,nevisIdm.SelfAdmin,nevisIdm.Helpdesk,nevisIdm.TemplateAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.AppAdmin,nevisIdm.AppOwner
+
+# -- tech user access
+nevisIdm.SoapTechAccess=nevisIdm.SelfAdmin,nevisIdm.UserAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.MainAppOwner,nevisIdm.AppOwner,nevisIdm.Helpdesk,nevisIdm.TechUser,nevisIdm.AppAdmin,nevisIdm.SoapTechAccess,nevisIdm.SoapTechAccessReadOnly,nevisIdm.TemplateAdmin,nevisIdm.EnterpriseRoleOwner
+
+# -- priviledged account, high priviledge admin tasks, only exceptional usage
+nevisIdm.Root=nevisIdm.SelfAdmin,nevisIdm.UserAdmin,nevisIdm.UserAndUnitAdmin,nevisIdm.MainAppOwner,nevisIdm.AppOwner,nevisIdm.Helpdesk,nevisIdm.TechUser,nevisIdm.AppAdmin,nevisIdm.SoapTechAccess,nevisIdm.SoapTechAccessReadOnly,nevisIdm.Root,nevisIdm.TemplateAdmin,nevisIdm.ClientRoot,nevisIdm.Impersonator,nevisIdm.EnterpriseRoleAdmin,nevisIdm.EnterpriseRoleOwner

patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties

@@ -0,0 +1,50 @@
+# -- base admin roles (AGOV specific role definition)
+# ------------------------------------------------------
+
+## user administrator (reduced rightd; CLIENT, UNIT)
+nevisIdm.UserAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+
+## user and unit administrator (same as above + unit mgmt; CLIENT, UNIT)
+nevisIdm.UserAndUnitAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitCreate,UnitDelete,UnitModify,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+
+
+## General read-only access (CLIENT,UNIT,APPL)
+nevisIdm.Helpdesk=UserSearch,UserView,ProfileSearch,ProfileView,CredentialSearch,CredentialView,UnitSearch,UnitView,ApplicationSearch,ApplicationView,RoleSearch,RoleView,AuthorizationSearch,AuthorizationView,AuthorizationApplView,AuthorizationApplSearch,AuthorizationUnitSearch,AuthorizationUnitView,PropertySearch,PropertyAllowedValueSearch,PropertyValueSearch,ClientSearch,ClientView,SearchResultsExport,ClientApplView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,HistoryView
+
+## Basic L2 Task (Modify User; CLIENT,UNIT)
+nevisIdm.TemplateAdmin=ApplicationSearch,ApplicationView,AuthorizationApplSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationSearch,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationView,ClientApplView,ClientSearch,ClientView,CollectionView,CredentialSearch,CredentialView,EntityAttributeAccessOverride,GenerateReport,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertyAttributeAccessOverride,PropertySearch,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,SearchResultsExport,UnitSearch,UnitView,UserModify,UserSearch,UserView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,HistoryView
+
+## Management of Application Access (CLIENT, UNIT, APPL)
+nevisIdm.AppOwner=ApplicationSearch,ApplicationView,AuthorizationCreate,AuthorizationDelete,AuthorizationModify,AuthorizationSearch,AuthorizationView,ClientApplView,ClientSearch,ClientView,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserSearch,UserView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+
+## Management of base-date changes in nevisIdm (non user related; CLIENT)
+nevisIdm.AppAdmin=ApplicationCreate,ApplicationModify,ApplicationSearch,ApplicationView,BatchJobExecute,BatchJobView,ClientCreate,ClientModify,ClientApplAssign,ClientApplView,ClientSearch,ClientView,EntityAttributeAccessOverride,PersistentQueueRetry,PersistentQueueDelete,PersistentQueueView,PolicyConfigurationCreate,PolicyConfigurationModify,PolicyConfigurationSearch,PolicyConfigurationView,PropertyAllowedValueCreate,PropertyAllowedValueDelete,PropertyAllowedValueModify,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertyCreate,PropertyDelete,PropertyModify,PropertySearch,PropertyValueSearch,PropertyValueView,PropertyView,RoleCreate,RoleDelete,RoleModify,RoleSearch,RoleView,UnitCreate,UnitCreateTopUnit,UnitDelete,UnitModify,UnitSearch,UnitView,PropertyAttributeAccessOverride,HistoryView,TemplateStore,CollectionView,CollectionCreate,CollectionModify,CollectionDelete,TemplateView,TemplateCreate,TemplateModify,TemplateDelete,TemplateTextView,TemplateTextCreate,TemplateTextModify,TemplateTextDelete,UnitCredPolicyView,UnitCredPolicyCreate,UnitCredPolicyDelete
+
+# -- Priviledged admin roles (AGOV specific role definition)
+# ------------------------------------------------------
+
+## Assign IDM User and Account management roles (CLIENT)
+nevisIdm.EnterpriseRoleAdmin=ApplicationSearch,ApplicationView,AuthorizationApplSearch,AuthorizationClientCreate,AuthorizationClientDelete,AuthorizationClientSearch,AuthorizationClientView,AuthorizationCreate,AuthorizationDelete,AuthorizationModify,AuthorizationSearch,AuthorizationUnitCreate,AuthorizationUnitDelete,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationApplCreate,AuthorizationApplDelete,AuthorizationApplSearch,AuthorizationApplView,AuthorizationView,ClientApplView,ClientSearch,ClientView,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitCredPolicyView,UnitSearch,UnitView,UserSearch,UserView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+
+
+
+## Archive User and Profiles (CLIENT)
+nevisIdm.ClientRoot=ApplicationSearch,ApplicationView,AuthorizationDelete,AuthorizationSearch,AuthorizationApplDelete,AuthorizationApplSearch,AuthorizationApplView,AuthorizationClientDelete,AuthorizationClientSearch,AuthorizationClientView,AuthorizationUnitDelete,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationView,ClientApplView,ClientSearch,ClientView,CredentialChangeState,CredentialDelete,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileArchive,ProfileDelete,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueDelete,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserArchive,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,HistoryView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,HistoryView
+
+
+# -- Root and tech user roles, in use with AGOV (definition as in product default)
+# ------------------------------------------------------
+## Super-user role over all clients (GLOBAL)
+nevisIdm.Root=ApplicationCreate,ApplicationDelete,ApplicationModify,ApplicationSearch,ApplicationView,AuthorizationCreate,AuthorizationDelete,AuthorizationModify,AuthorizationSearch,AuthorizationApplCreate,AuthorizationApplDelete,AuthorizationApplSearch,AuthorizationApplView,AuthorizationClientCreate,AuthorizationClientDelete,AuthorizationClientSearch,AuthorizationClientView,AuthorizationUnitCreate,AuthorizationUnitDelete,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationView,BatchJobExecute,BatchJobView,ClientCreate,ClientDelete,ClientModify,ClientApplAssign,ClientApplDelete,ClientApplView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialDelete,CredentialModify,CredentialSearch,CredentialView,EntityAttributeAccessOverride,PersistentQueueRetry,PersistentQueueDelete,PersistentQueueView,PolicyConfigurationCreate,PolicyConfigurationDelete,PolicyConfigurationModify,PolicyConfigurationSearch,PolicyConfigurationView,ProfileArchive,ProfileCreate,ProfileDelete,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueCreate,PropertyAllowedValueDelete,PropertyAllowedValueModify,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertyCreate,PropertyDelete,PropertyModify,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleCreate,RoleDelete,RoleModify,RoleSearch,RoleView,SelfAdmin,UnitCreate,UnitCreateTopUnit,UnitDelete,UnitModify,UnitSearch,UnitView,UserArchive,UserCreate,UserDelete,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,HistoryView,LoginIdOverride,TemplateStore,CollectionView,CollectionCreate,CollectionModify,CollectionDelete,TemplateView,TemplateCreate,TemplateModify,TemplateDelete,TemplateTextView,TemplateTextCreate,TemplateTextModify,TemplateTextDelete,GenerateReport,SearchResultsExport,CredentialViewPlainValue,DeputyCreate,DeputyDelete,UnitCredPolicyView,UnitCredPolicyCreate,UnitCredPolicyDelete,UserCreateTechUser,UserModifyTechUser,UserDeleteTechUser,UserArchiveTechUser,CredentialPdfView,EnterpriseAuthorizationCreate,EnterpriseAuthorizationDelete,EnterpriseAuthorizationModify,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,AuthorizationEnterpriseRoleCreate,AuthorizationEnterpriseRoleDelete,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,EnterpriseRoleCreate,EnterpriseRoleModify,EnterpriseRoleDelete,EnterpriseRoleSearch,EnterpriseRoleView,EnterpriseRoleMemberCreate,EnterpriseRoleMemberDelete,EnterpriseRoleMemberSearch,PersonalQuestionSearch,PersonalQuestionView,PersonalQuestionCreate,PersonalQuestionModify,PersonalQuestionDelete,LoginIdModify,TermsView,TermsCreate,TermsModify,TermsDelete,ConsentCreate,ConsentView
+## technical web service users (CLIENT,UNIT,APPL)
+nevisIdm.SoapTechAccess=ApplicationCreate,ApplicationDelete,ApplicationModify,ApplicationSearch,ApplicationView,AuthorizationCreate,AuthorizationDelete,AuthorizationModify,AuthorizationSearch,AuthorizationApplCreate,AuthorizationApplDelete,AuthorizationApplSearch,AuthorizationApplView,AuthorizationUnitCreate,AuthorizationUnitDelete,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationView,BatchJobExecute,BatchJobView,ClientCreate,ClientDelete,ClientModify,ClientApplAssign,ClientApplDelete,ClientApplView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialDelete,CredentialModify,CredentialSearch,CredentialView,PersistentQueueRetry,PersistentQueueDelete,PersistentQueueView,PolicyConfigurationCreate,PolicyConfigurationDelete,PolicyConfigurationModify,PolicyConfigurationSearch,PolicyConfigurationView,ProfileArchive,ProfileCreate,ProfileDelete,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueCreate,PropertyAllowedValueDelete,PropertyAllowedValueModify,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertyCreate,PropertyDelete,PropertyModify,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleCreate,RoleDelete,RoleModify,RoleSearch,RoleView,SelfAdmin,UnitCreate,UnitCreateTopUnit,UnitDelete,UnitModify,UnitSearch,UnitView,UserArchive,UserCreate,UserDelete,UserModify,UserSearch,UserView,TemplateStore,CollectionView,CollectionCreate,CollectionModify,CollectionDelete,TemplateView,TemplateCreate,TemplateModify,TemplateDelete,TemplateTextView,TemplateTextCreate,TemplateTextModify,TemplateTextDelete,AuthorizationClientCreate,AuthorizationClientDelete,AuthorizationClientSearch,AuthorizationClientView,CredentialViewPlainValue,UnitCredPolicyView,UnitCredPolicyCreate,UnitCredPolicyDelete,EnterpriseAuthorizationCreate,EnterpriseAuthorizationDelete,EnterpriseAuthorizationModify,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,AuthorizationEnterpriseRoleCreate,AuthorizationEnterpriseRoleDelete,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,EnterpriseRoleCreate,EnterpriseRoleModify,EnterpriseRoleDelete,EnterpriseRoleSearch,EnterpriseRoleView,EnterpriseRoleMemberCreate,EnterpriseRoleMemberDelete,EnterpriseRoleMemberSearch,HistoryView,PersonalQuestionSearch,PersonalQuestionView,PersonalQuestionCreate,PersonalQuestionModify,PersonalQuestionDelete,LoginIdModify,ConsentCreate,ConsentView
+## technical web service user with ReadOnly access  (CLIENT,UNIT,APPL)
+nevisIdm.SoapTechAccessReadOnly=ApplicationSearch,ApplicationView,AuthorizationSearch,AuthorizationApplSearch,AuthorizationApplView,AuthorizationUnitSearch,AuthorizationUnitView,AuthorizationView,ClientApplView,ClientSearch,ClientView,CredentialSearch,CredentialView,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,SelfAdmin,UnitSearch,UnitView,UserSearch,UserView,TemplateStore,CollectionView,TemplateView,TemplateTextView,PersistentQueueView,PolicyConfigurationSearch,PolicyConfigurationView,AuthorizationClientSearch,AuthorizationClientView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,EnterpriseRoleSearch,EnterpriseRoleView,EnterpriseRoleMemberSearch,HistoryView,PersonalQuestionSearch,PersonalQuestionView
+
+# -- not used by AGOV (definition as in product default)
+# ------------------------------------------------------
+nevisIdm.EnterpriseRoleOwner=EnterpriseRoleSearch,EnterpriseRoleView,EnterpriseRoleMemberSearch,EnterpriseAuthorizationCreate,EnterpriseAuthorizationDelete,EnterpriseAuthorizationModify,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,AuthorizationSearch,AuthorizationView,ClientSearch,ClientView,UserSearch,UserView,ProfileSearch,ProfileView,UnitSearch,ApplicationSearch,ApplicationView,RoleSearch,RoleView,CollectionView,PropertySearch,PropertyView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertyValueSearch,PropertyValueView,SearchResultsExport,PersonalQuestionSearch,PersonalQuestionView
+nevisIdm.Impersonator=
+nevisIdm.MainAppOwner=ApplicationSearch,ApplicationView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,UnitSearch,AuthorizationUnitSearch,AuthorizationApplCreate,AuthorizationApplDelete,AuthorizationApplSearch,AuthorizationApplView,AuthorizationCreate,AuthorizationDelete,AuthorizationModify,AuthorizationSearch,AuthorizationView,ProfileSearch,ProfileView,UserSearch,UserView,RoleView,AuthorizationUnitCreate,AuthorizationUnitDelete,AuthorizationUnitSearch,AuthorizationUnitView,CollectionView,ClientSearch,ClientView,SearchResultsExport,AuthorizationClientCreate,AuthorizationClientDelete,AuthorizationClientSearch,AuthorizationClientView,ClientApplView,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView,EnterpriseRoleSearch,PersonalQuestionSearch,PersonalQuestionView,TermsView,TermsCreate,TermsModify,TermsDelete
+nevisIdm.SelfAdmin=SelfAdmin,LoginIdModify
+nevisIdm.TechUser=

patterns/56955e7b6b92c254d7d1aae1_authStatesFile/fetchUser.xml

@@ -0,0 +1,48 @@
+<AuthState name="${state.entry}" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
+	<ResultCond name="prospect" next="${state.entry}_selectProfile"/>
+	<ResultCond name="clientNotFound" next="${state.failed}"/>
+	<ResultCond name="failed" next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="AuthFailDialog"/>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="user.loginid" value="unknown"/>
+	<property name="userExtId" value="${sess:operationsExtId}"/>
+	<property name="client.name" value="${param.client.name}"/>
+	<property name="detaillevel.user" value="HIGH"/>
+	<property name="detaillevel.profile" value="HIGH"/>
+	<property name="detaillevel.role" value="HIGH"/>
+	<property name="detaillevel.authorization" value="HIGH"/>
+	<property name="detaillevel.dataroom" value="HIGH"/>
+</AuthState>
+
+<AuthState name="${state.entry}_selectProfile" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="ok" next="${state.entry}_IdmGetPropertiesState"/>
+	<ResultCond name="error" next="${state.failed}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="op_idmlogin_select_profile">
+			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" optional="true"/>
+			<GuiElem name="submit" type="button" label="submit.button.label" value="go"/>
+		</Gui>
+	</Response>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/selectIdmProfile.groovy"/>
+</AuthState>
+
+<AuthState name="${state.entry}_IdmGetPropertiesState" final="false" class="ch.nevis.idm.authstate.IdmGetPropertiesState" resumeState="true">
+	<ResultCond name="ok" next="${state.done}"/>
+	<ResultCond name="default" next="${state.failed}"/>
+	<ResultCond name="clientNotFound" next="${state.failed}"/>
+	<ResultCond name="showGui" next="${state.failed}"/>
+	<Response value="AUTH_ERROR" />
+	<propertyRef name="nevisIDM_Connector"/>
+	<!-- Returned Attributes in SecToken -->
+	<property name="user.attributes" value="${param.attributes}"/>
+	<property name="chooseProfileFromSession" value="operationsProfileExtId"/>
+	<property name="userExtId" value="${sess:operationsExtId}"/>
+	<property name="client.name" value="${param.client.name}"/>
+	<property name="detaillevel.user" value="HIGH"/>
+	<property name="detaillevel.profile" value="HIGH"/>
+	<property name="detaillevel.role" value="HIGH"/>
+	<property name="detaillevel.authorization" value="HIGH"/>
+	<property name="detaillevel.dataroom" value="HIGH"/>
+</AuthState>

patterns/56955e7b6b92c254d7d1aae1_resources/selectIdmProfile.groovy

@@ -0,0 +1,74 @@
+import groovy.xml.XmlSlurper
+
+def idmSeverityRoleMap = [
+    "EnterpriseRoleAdmin": [11, "op-idmlogin.role.accs-mgmt-idm"],
+    "ClientRoot": [12, "op-idmlogin.role.support-priv"], 
+    "AppAdmin": [20, "op-idmlogin.role.idmcfg-mgmt"],
+    "AppOwner": [5, "op-idmlogin.role.accs-mgmt-nonidm"],
+    "UserAndUnitAdmin": [7, "op-idmlogin.role.usr-unit-mgmt"],
+    "UserAdmin": [6, "op-idmlogin.role.usr-mgmt"],
+    "TemplateAdmin": [10, "op-idmlogin.role.support-basic"],
+    "Helpdesk": [1, "op-idmlogin.role.readonly-access" ]
+]
+
+try {
+  def dtoString = session['ch.adnovum.nevisidm.userDto']
+
+  def idmDto = new XmlSlurper().parseText(dtoString)
+  def idmPrfMap = idmDto.'**'.findAll 
+    { prf -> prf.name() == 'profiles' 
+      && prf.'**'.find 
+        { role -> role.name() == 'roles' 
+          && role.applicationName.text() == 'nevisIdm'
+        }
+    }.collectEntries { prf -> [ prf.extId.text(), 
+            prf.'**'.findAll 
+            { role -> role.name() == 'roles' 
+              && role.applicationName.text() == 'nevisIdm'
+            }.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()] ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()})"] 
+            }.sort { a, b -> a[0] <=> b[0] // sort by severity
+            }.last()[1] // take label of the ighest one
+    ] }
+
+  if ((inargs.getProperty('submit', '') == 'go') && idmPrfMap.containsKey(inargs.getProperty('profile_selection', 'missing'))) {
+
+    // user selected a profile which exists, we take it
+    def operationsProfileExtId = inargs.getProperty('profile_selection', 'missing')
+    LOG.info("User selected profile: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
+    response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
+    response.setResult('ok')
+    return
+
+  } else if (idmPrfMap.size() == 1) {
+
+    // we take the only profile, with an IDM role
+    def operationsProfileExtId = idmPrfMap.keySet().first()
+    LOG.info("taking the only profile with an idm role: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
+    response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
+    response.setResult('ok')
+    return
+
+  } else if (idmPrfMap.isEmpty()) {
+
+    // no profile with an IDM role, do nothing
+    response.setResult('ok')
+    return
+
+  } else {
+
+    // user should select a profile
+    response.setGuiName('op_idmlogin_select_profile')
+    idmPrfMap.each {
+      response.addRadioGuiField('profile_selection', it.value, it.key)
+    }
+    response.addButtonGuiField('submit', 'general.continue', 'go')
+
+    response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
+    return
+  }
+} catch (Exception e) {
+  def errorMsg = "Failed to process profile selection: ${e.getMessage()}"
+  LOG.error(errorMsg, e)
+  response.setError(9901, errorMsg)
+  response.setResult('error')
+}

patterns/9be76d365909bb2ec294569c_authStatesFile/OpOnbrdng-SamlServiceProvider-ProecessResponse.xml

@@ -0,0 +1,25 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.done}" authLevel="auth.strong"/>
+	<ResultCond name="status-Responder"  next="${state.failed}"/>
+	<ResultCond name="status-Requester"  next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="NoGui"/>
+	</Response>
+	<!-- used for the key material -->
+	<propertyRef name="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>
+
+	<property name="idpURL" value="${param.op.atb.ssoUrl}"/>
+	<property name="consumerURL" value="${param.op.onboarding.consumerURL}"/>
+	<property name="relayState" value=""/>
+
+	<property name="out.binding" value="none"/>
+
+	<property name="in.binding" value="auto"/>
+        <property name="in.relayState" value=""/>
+	<property name="in.audienceRegex" value="${param.op.onboarding.issuer}"/>
+	<property name="in.audience.checkrequired" value="true"/>
+        <property name="in.map_issuer_certificate" value="false"/>
+	<property name="in.verify" value="Response Assertion"/>
+	<!-- property name="in.keystoreref" value=""/>
+	<property name="in.keyobjectref" value=""/ -->
+</AuthState>

patterns/AGOV_nevisIDM_Authorizations_50d6c91ace65f52fa56d7113.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "50d6c91ace65f52fa56d7113"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMAuthorizationsAddon"
+  name: "AGOV nevisIDM Authorizations"
+  properties:
+    roleManagementFile: "res://50d6c91ace65f52fa56d7113#roleManagementFile"
+    roleAssignmentFile: "res://50d6c91ace65f52fa56d7113#roleAssignmentFile"
+    rolePermissionsFile: "res://50d6c91ace65f52fa56d7113#rolePermissionsFile"

patterns/AdditionalMimeTypes_d9c194064d834ad41843ff4e.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "d9c194064d834ad41843ff4e"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericHostContextSettings"
+  name: "AdditionalMimeTypes"
+  properties:
+    mimeMappings: "<mime-mapping>\n    <extension>ipa</extension>\n    <mime-type>application/octet-stream</mime-type>\n\
+      </mime-mapping>"

patterns/ArtAccessPolicy_ae3127e7a6869fea8b850ad9.yml

@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ae3127e7a6869fea8b850ad9"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthorizationPolicy"
+  name: "ArtAccessPolicy"
+  properties:
+    requiredRoles: "AGOV-Art.Access"

patterns/ArtReporting_4da72abf93d79d0698250e39.yml

@@ -0,0 +1,19 @@
+schemaVersion: "1.0"
+pattern:
+  id: "4da72abf93d79d0698250e39"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.WebApplicationAccess"
+  name: "ArtReporting"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    path: "/art/"
+    realm:
+    - "pattern://7518c6cc61e47eec6322ae17"
+    addons:
+    - "pattern://ae3127e7a6869fea8b850ad9"
+    backends: "var://artreporting-backend-addresses"
+    hostnameCheck: "disabled"
+    hostHeader: "backend"
+    responseRewrite: "header"
+    csrf: "off"
+    requestValidation: "var://op-admin-mod-security-mode-artreporting"

patterns/Authentication_Done_978626d19e57143eac5daa45.yml

@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "978626d19e57143eac5daa45"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthenticationDone"
+  name: "Authentication Done"
+  label: "Common"
+  properties: {}

patterns/Authentication_Failed_700ec185425d8645fea2caf5.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "700ec185425d8645fea2caf5"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthenticationFailed"
+  name: "Authentication Failed"
+  label: "Common"
+  properties:
+    code: "403"

patterns/DefaulErrorPages_58ece0328f5bf4d78e1a82d2.yml

@@ -0,0 +1,21 @@
+schemaVersion: "1.0"
+pattern:
+  id: "58ece0328f5bf4d78e1a82d2"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericHostContextSettings"
+  name: "DefaulErrorPages"
+  label: "UTILS"
+  properties:
+    filters: "<filter>\n     <filter-name>DefaultErrorFilter</filter-name>\n     <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>\n\
+      \     <init-param>\n         <param-name>StatusCode</param-name>\n         <param-value>\n\
+      \            400:file:/resources/errorPages/404.html:reset-header:reset-status-code\n\
+      \            403:file:/resources/errorPages/403.html:reset-header:reset-status-code\n\
+      \t        404:file:/resources/errorPages/404.html:reset-header:reset-status-code\n\
+      \            500:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
+      \            502:file:/resources/errorPages/502.html:reset-header:reset-status-code\n\
+      \         </param-value>\n     </init-param>\n     <init-param>\n         <param-name>CheckAcceptHeader</param-name>\n\
+      \         <param-value>true</param-value>\n     </init-param>\n     <init-param>\n\
+      \         <param-name>PlaceHolders</param-name>\n         <param-value>\n  \
+      \           TransferIdHolder:TRANSFER_ID\n             TimestampHolder:TIMESTAMP\n\
+      \         </param-value>\n     </init-param>\n</filter>"
+    filterMappings: "automatic"
+    phase: "START"

patterns/GreenMail_f010ec68088ebd56349c7135.yml

@@ -0,0 +1,17 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f010ec68088ebd56349c7135"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.WebApplicationAccess"
+  name: "GreenMail"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    path: "/mail/"
+    realm:
+    - "pattern://7518c6cc61e47eec6322ae17"
+    backends: "var://greenmail-backend-addresses"
+    hostnameCheck: "disabled"
+    hostHeader: "backend"
+    responseRewrite: "header"
+    csrf: "off"
+    requestValidation: "var://op-admin-mod-security-mode-greenmail"

patterns/IDM_DB_TLS_TrustStore_d356ddfbaf34aa51ae1e20e7.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "d356ddfbaf34aa51ae1e20e7"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.PemTrustStoreProvider"
+  name: "IDM_DB_TLS_TrustStore"
+  label: "IDM"
+  properties:
+    truststoreFile: "var://idm_db_tls_truststore-trusted-certificates"

patterns/IDM_DB_ca0629d86201d4c4ac857d60.yml

@@ -0,0 +1,25 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ca0629d86201d4c4ac857d60"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMDatabase"
+  name: "IDM_DB"
+  label: "IDM"
+  properties:
+    type: "var://idm_db-database-type"
+    hosts: "var://idm_db-database-host"
+    database: "var://idm_db-database-name"
+    rootCredential: "var://idm_db-root-credential"
+    rootCredentialNamespace: "var://idm_db-root-credential-namespace"
+    user: "var://idm_db-database-user"
+    password: "var://idm_db-database-password"
+    encryption: "var://idm_db-tls-encryption"
+    trustStore:
+    - "pattern://d356ddfbaf34aa51ae1e20e7"
+    jdbcDriver: "var://idm_db-database-jdbc-driver"
+    oracleVolumeClaimName: "var://idm_db-database-volume-claim"
+    oracleIndexTablespaceName: "var://idm_db-index-tablespace"
+    oracleDataTablespaceName: "var://idm_db-data-tablespace"
+    oracleApplicationRoleName: "var://idm_db-application-role"
+    oracleOwnerRoleName: "var://idm_db-owner-role"
+    databaseManagement: "var://agov_admin_idm-db-management"
+    connectionUrl: "var://idm_db-database-connection-url"

patterns/IDM_Prune_History_Job_0957497767812057fbf138cf.yml

@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0957497767812057fbf138cf"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMPruneHistoryJob"
+  name: "IDM Prune History Job"
+  label: "Batch"
+  properties: {}

patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml

@@ -0,0 +1,28 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3600b7d00b6427226e451f8d"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMGenericBatchJob"
+  name: "IDM Prune Shadow Accounts Job"
+  label: "Batch"
+  properties:
+    job: "<bean id=\"pruneShadowAccountsJob\"  class=\"org.springframework.scheduling.quartz.JobDetailFactoryBean\"\
+      >\n    <property name=\"description\" value=\"Archive and delete obsolete shadow\
+      \ accounts\"/>\n    <property name=\"jobClass\" value=\"ch.nevis.idm.batch.jobs.UpdateUserStateJob\"\
+      />\n    <property name=\"durability\" value=\"true\"/>\n    <property name=\"\
+      jobDataMap\">\n        <bean class=\"org.quartz.JobDataMap\">\n            <constructor-arg>\n\
+      \                <map>\n                    <entry key=\"daysNoActivity\" value=\"\
+      -1\"/>\n                    <entry key=\"considerUsersNeverLoggedIn\" value=\"\
+      true\"/>\n                    <entry key=\"sendWarning\" value=\"false\"/>\n\
+      \                    <entry key=\"daysGracePeriod\" value=\"1\"/>\n        \
+      \            <entry key=\"daysStatusDisabled\" value=\"15\"/>\n            \
+      \        <entry key=\"daysStatusArchived\" value=\"85\"/>\n                \
+      \    <entry key=\"disableOutdatedUsers\" value=\"true\"/>\n                \
+      \    <entry key=\"disableNotYetActiveUsers\" value=\"true\"/>\n            \
+      \        <entry key=\"excludeTechnicalUsers\" value=\"true\"/>\n           \
+      \         <entry key=\"restrictToClients\" value=\"9f30aa08-4c53-458c-b144-90c16dc5ed6e\"\
+      />\n                </map>\n            </constructor-arg>\n        </bean>\n\
+      \    </property>\n</bean>\n"
+    trigger: "<bean id=\"pruneShadowAccountsJobTrigger\" class=\"org.springframework.scheduling.quartz.CronTriggerFactoryBean\"\
+      >\n    <property name=\"description\" value=\"Archive and delete obsolete shadow\
+      \ accounts\"/>\n    <property name=\"jobDetail\" ref=\"pruneShadowAccountsJob\"\
+      />\n    <property name=\"cronExpression\" value=\"30 0 0 * * ?\"/>\n</bean>"

patterns/IDM_admin_Settings_fe4a248ac7b092a6a80624f1.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "fe4a248ac7b092a6a80624f1"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMAdvancedSettings"
+  name: "IDM_admin_Settings"
+  label: "IDM"
+  notes: "https://aww.sso.adnovum.com/confluence/pages/viewpage.action?pageId=263860693#NevisIDMdatastructure/configuration-IDMinstanceconcept"
+  properties:
+    properties: "var://idm-admin-settings"

patterns/IDM_batch_DB_0d4bbba28a4a76094d41df81.yml

@@ -0,0 +1,21 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0d4bbba28a4a76094d41df81"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMDatabase"
+  name: "IDM_batch_DB"
+  label: "IDM"
+  properties:
+    type: "var://idm_db-database-type"
+    hosts: "var://idm_db-database-host"
+    database: "var://idm_db-database-name"
+    rootCredential: "var://idm_db-root-credential"
+    rootCredentialNamespace: "var://idm_db-root-credential-namespace"
+    user: "var://idm_db-database-user"
+    password: "var://idm_db-database-password"
+    encryption: "var://idm_db-tls-encryption"
+    trustStore:
+    - "pattern://d356ddfbaf34aa51ae1e20e7"
+    jdbcDriver: "var://idm_db-database-jdbc-driver"
+    oracleVolumeClaimName: "var://idm_db-database-volume-claim"
+    databaseManagement: "disabled"
+    connectionUrl: "var://idm_db-database-connection-url"

patterns/IDM_batch_Settings_0116b3002d0e713e23e6be72.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0116b3002d0e713e23e6be72"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMAdvancedSettings"
+  name: "IDM_batch_Settings"
+  label: "IDM"
+  notes: "https://aww.sso.adnovum.com/confluence/pages/viewpage.action?pageId=263860693#NevisIDMdatastructure/configuration-IDMinstanceconcept"
+  properties:
+    properties: "var://idm-batch-settings"

patterns/Log_Login_User_a7b62b3dea12ecfc81ecc855.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "a7b62b3dea12ecfc81ecc855"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GroovyScriptStep"
+  name: "Log_Login_User"
+  properties:
+    scriptFile: "res://a7b62b3dea12ecfc81ecc855#scriptFile"
+    scriptTraceGroup: "AGOVOP-ACCT"

patterns/NEVIS_SecToken_271d024334021208b71ac80a.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "271d024334021208b71ac80a"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.SecToken"
+  name: "NEVIS SecToken"
+  label: "Admin"
+  properties:
+    keystore:
+    - "pattern://02cc34b35d83a306f48abe47"

patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml

@@ -0,0 +1,24 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6df66943ca713eed2a25d935"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.NevisAuthRealm"
+  name: "OP-ONBRDNG-AuthenticationRealm"
+  properties:
+    authenticate:
+    - "pattern://2787b678d9cce5310a335419"
+    auth:
+    - "pattern://ac27dd7daad0ca2b7229bfaf"
+    signerTrustStore:
+    - "pattern://c4f291a121b2d19157049cdc"
+    logrend:
+    - "pattern://8401da6318c6915d689cdfc9"
+    template: "res://6df66943ca713eed2a25d935#template"
+    labels: "res://6df66943ca713eed2a25d935#labels"
+    labelsMode: "combined"
+    defaultLabels: "enabled"
+    sessionTracking: "COOKIE"
+    cookieName: "OP-ONBRDNG"
+    cookieSameSite: "Lax"
+    initialSessionTimeout: "20m"
+    sessionTimeout: "20m"
+    langCookieDomain: "var://admin-language-cookie-domain"

patterns/OP-ONBRDNG-Entry-Point_9415bf61610843e0f5c77e39.yml

@@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9415bf61610843e0f5c77e39"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.AuthenticationFlow"
+  name: "OP-ONBRDNG-Entry-Point"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    path: "/AUTH/ONBOARDING/"
+    realm:
+    - "pattern://6df66943ca713eed2a25d935"
+    flow:
+    - "pattern://2787b678d9cce5310a335419"
+    addons:
+    - "pattern://f02bc0de60aad829670e4c5b"

patterns/OP-ONBRDNG-ModSecuritySettings_f02bc0de60aad829670e4c5b.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f02bc0de60aad829670e4c5b"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RequestValidationSettings"
+  name: "OP-ONBRDNG-ModSecuritySettings"
+  properties:
+    scope: "all"
+    logOnlyMode: "var://op-admin-mod-security-op-onboarding-log-only-mode"
+    level: "var://op-admin-mod-security-op-onboarding-paranoia-level"

patterns/OP-ONBRDNG-PostProcessing_fd3912c7af7a88b6342a4c78.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "fd3912c7af7a88b6342a4c78"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "OP-ONBRDNG-PostProcessing"
+  properties:
+    authStatesFile: "res://fd3912c7af7a88b6342a4c78#authStatesFile"
+    onSuccess:
+    - "pattern://50ca1ad35a73847a81e2ece8"
+    onFailure:
+    - "pattern://2787b678d9cce5310a335419"
+    resources: "res://fd3912c7af7a88b6342a4c78#resources"

patterns/OP-ONBRDNG-PreProcessing_2787b678d9cce5310a335419.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "2787b678d9cce5310a335419"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "OP-ONBRDNG-PreProcessing"
+  properties:
+    authStatesFile: "res://2787b678d9cce5310a335419#authStatesFile"
+    nextSteps:
+    - "pattern://d56823f55065139ba437dc5c"
+    - "pattern://9be76d365909bb2ec294569c"
+    resources: "res://2787b678d9cce5310a335419#resources"

patterns/OP-ONBRDNG-SamlServiceProvider-AuthnRequest_d56823f55065139ba437dc5c.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "d56823f55065139ba437dc5c"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "OP-ONBRDNG-SamlServiceProvider-AuthnRequest"
+  properties:
+    authStatesFile: "res://d56823f55065139ba437dc5c#authStatesFile"
+    parameters: "var://op-samlserviceprovider-parameters"
+    onSuccess:
+    - "pattern://fd3912c7af7a88b6342a4c78"
+    onFailure:
+    - "pattern://2787b678d9cce5310a335419"

patterns/OP-ONBRDNG-SamlServiceProvider-ProcessResponse_9be76d365909bb2ec294569c.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9be76d365909bb2ec294569c"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "OP-ONBRDNG-SamlServiceProvider-ProcessResponse"
+  properties:
+    authStatesFile: "res://9be76d365909bb2ec294569c#authStatesFile"
+    parameters: "var://op-samlserviceprovider-parameters"
+    onSuccess:
+    - "pattern://fd3912c7af7a88b6342a4c78"
+    onFailure:
+    - "pattern://fd3912c7af7a88b6342a4c78"

patterns/ObservabilitySettings_f4e909fcaf0ae3f6effb28ae.yml

@@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f4e909fcaf0ae3f6effb28ae"
+  className: "ch.nevis.admin.v4.plugin.base.generation.patterns.JavaObservability"
+  name: "ObservabilitySettings"
+  properties:
+    type: "OpenTelemetry"
+    configuration: "otel.service.name = ${service.name}\notel.resource.attributes\
+      \ = service.version=${version}\notel.exporter.otlp.protocol = http/protobuf\n\
+      otel.exporter.otlp.traces.protocol = http/protobuf\notel.exporter.otlp.traces.endpoint\
+      \ = ${tracesEndpoint}\notel.exporter.otlp.metrics.protocol = http/protobuf\n\
+      otel.exporter.otlp.metrics.endpoint = ${metricsEndpoint}\notel.exporter.otlp.metrics.temporality.preference\
+      \ = cumulative\notel.exporter.otlp.logs.protocol = http/protobuf\notel.exporter.otlp.logs.endpoint\
+      \ = ${logsEndpoint}"
+    parameters: "var://observabilitysettings"

patterns/Operations_admin_signer_PEM_Key_Store_5bb4298ac076c30a3504da0a.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "5bb4298ac076c30a3504da0a"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.PemKeyStoreProvider"
+  name: "Operations admin signer PEM Key Store"
+  label: "Operations"
+  properties:
+    keystoreFiles: "var://agov_operations_pem_signer-key-store-content"
+    keyPass: "var://operations-admin-signer-pem-key-store-private-key-passphrase"

patterns/ProxyObservabilitySettings_31ae68f6cc8ade7258adce8d.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "31ae68f6cc8ade7258adce8d"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.NevisProxyObservabilitySettings"
+  name: "ProxyObservabilitySettings"
+  properties:
+    traceExporterAddress: "var://proxyobservabilitysettings-tracesEndpoint"
+    metricsExporterAddress: "var://proxyobservabilitysettings-metricsEndpoint"

patterns/SAML_IDP_admin_Connector_7e94f2eb346f07f78440e884.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "7e94f2eb346f07f78440e884"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlIdpConnector"
+  name: "SAML IDP admin Connector"
+  label: "Operations"
+  properties:
+    issuer: "var://saml-idp-admin-connector-idp-issuer"
+    url: "var://saml-idp-admin-connector-idp-url"
+    signatureValidation:
+    - "recommended"
+    signerTrust:
+    - "pattern://2d301dab7ec7c6673f1fb58a"
+    properties: "var://saml-idp-admin-connector-properties"

patterns/SAML_IDP_admin_Connector_Trust_Store_2d301dab7ec7c6673f1fb58a.yml

@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "2d301dab7ec7c6673f1fb58a"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.AutomaticTrustStoreProvider"
+  name: "SAML IDP admin Connector Trust_Store"
+  properties:
+    truststoreFile: "var://saml-idp-admin-connector-trusted-signer"

patterns/SAML_IDP_op_Connector_36af90d50b0d6ba66136dbde.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "36af90d50b0d6ba66136dbde"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlIdpConnector"
+  name: "SAML IDP op Connector"
+  properties:
+    issuer: "var://saml-idp-op-connector-idp-issuer"
+    url: "var://saml-idp-op-connector-idp-url"
+    signatureValidation:
+    - "recommended"
+    signerTrust:
+    - "pattern://ff4a6eb193eee1e38a5c8e85"
+    properties: "var://saml-idp-op-connector-properties"

patterns/SAML_IDP_op_Connector_Trust_Store_ff4a6eb193eee1e38a5c8e85.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ff4a6eb193eee1e38a5c8e85"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.AutomaticTrustStoreProvider"
+  name: "SAML IDP op Connector Trust_Store"
+  label: "Operations"
+  properties:
+    truststoreFile: "var://saml-idp-op-connector-trusted-signer"

patterns/SAML_SP_nevisidm_admin_Realm_6f9c9f982dcc7ef59a34f1f7.yml

@@ -0,0 +1,31 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6f9c9f982dcc7ef59a34f1f7"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlSpRealm"
+  name: "SAML SP nevisidm admin Realm"
+  properties:
+    issuer: "var://saml-sp-nevisidm-admin-realm-saml-issuer"
+    idp:
+    - "pattern://7e94f2eb346f07f78440e884"
+    samlSigner:
+    - "pattern://5bb4298ac076c30a3504da0a"
+    tokens:
+    - "pattern://271d024334021208b71ac80a"
+    auth:
+    - "pattern://ac27dd7daad0ca2b7229bfaf"
+    signerTrustStore:
+    - "pattern://c4f291a121b2d19157049cdc"
+    logrend:
+    - "pattern://8401da6318c6915d689cdfc9"
+    template: "res://6f9c9f982dcc7ef59a34f1f7#template"
+    labels: "res://6f9c9f982dcc7ef59a34f1f7#labels"
+    labelsMode: "combined"
+    defaultProperties: "var://nevislogrend-configuration-logrendproperties"
+    cookieName: "OP-ADMIN"
+    cookieSameSite: "Strict"
+    initialSessionTimeout: "3m"
+    sessionTimeout: "30m"
+    maxSessionLifetime: "4h"
+    spLogoutTarget: "/loggedout"
+    postProcess:
+    - "pattern://fbf7b18179dda28d420420fd"

patterns/SAML_SP_nevisidm_operations_Realm_7518c6cc61e47eec6322ae17.yml

@@ -0,0 +1,30 @@
+schemaVersion: "1.0"
+pattern:
+  id: "7518c6cc61e47eec6322ae17"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlSpRealm"
+  name: "SAML SP nevisidm operations Realm"
+  label: "Operations"
+  properties:
+    issuer: "var://saml-sp-nevisidm-operations-realm-saml-issuer"
+    idp:
+    - "pattern://36af90d50b0d6ba66136dbde"
+    samlSigner:
+    - "pattern://5bb4298ac076c30a3504da0a"
+    tokens:
+    - "pattern://271d024334021208b71ac80a"
+    auth:
+    - "pattern://ac27dd7daad0ca2b7229bfaf"
+    signerTrustStore:
+    - "pattern://c4f291a121b2d19157049cdc"
+    logrend:
+    - "pattern://8401da6318c6915d689cdfc9"
+    template: "res://7518c6cc61e47eec6322ae17#template"
+    labels: "res://7518c6cc61e47eec6322ae17#labels"
+    defaultProperties: "var://nevislogrend-configuration-logrendproperties"
+    cookieName: "OP-OPADMIN"
+    initialSessionTimeout: "3m"
+    sessionTimeout: "30m"
+    maxSessionLifetime: "4h"
+    spLogoutTarget: "/loggedout"
+    postProcess:
+    - "pattern://488949a743edb1f46f73f232"

patterns/UpdateUserIfNeeded_24cbc652d3166c8374eda3cd.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "24cbc652d3166c8374eda3cd"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "UpdateUserIfNeeded"
+  properties:
+    authStatesFile: "res://24cbc652d3166c8374eda3cd#authStatesFile"
+    onSuccess:
+    - "pattern://978626d19e57143eac5daa45"

patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml

@@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+  id: "1200a58c76686d520c21edb0"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.HostContext"
+  name: "Virtual_Host_idmAdmin"
+  label: "Admin"
+  properties:
+    proxy:
+    - "pattern://3bc06037962ad13be0a3a95d"
+    addresses: "var://virtual_host_idmadmin-frontend-addresses"
+    defaultEntry: "/nevisidm/admin/"
+    resources: "res://1200a58c76686d520c21edb0#resources"
+    addons:
+    - "pattern://58ece0328f5bf4d78e1a82d2"
+    - "pattern://076ce5c5440843a23150b386"

patterns/Virtual_Host_idmOperations-Loggedout_076ce5c5440843a23150b386.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "076ce5c5440843a23150b386"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.URLHandler"
+  name: "Virtual_Host_idmOperations-Loggedout"
+  properties:
+    forwards:
+    - /loggedout.*: "/resources/errorPages/Loggedout.html"
+    - /favicon.ico: "/resources/favicon.ico"

patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml

@@ -0,0 +1,17 @@
+schemaVersion: "1.0"
+pattern:
+  id: "39ecde9a0d101628fed3e3be"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.HostContext"
+  name: "Virtual_Host_idmOperations"
+  label: "Operations"
+  properties:
+    proxy:
+    - "pattern://bd83dfbd467e8211ffe71d28"
+    addresses: "var://virtual_host_idmoperations-frontend-addresses"
+    defaultEntry: "/nevisidm/admin/"
+    resources: "res://39ecde9a0d101628fed3e3be#resources"
+    requireClientCert: "disabled"
+    addons:
+    - "pattern://58ece0328f5bf4d78e1a82d2"
+    - "pattern://076ce5c5440843a23150b386"
+    - "pattern://d9c194064d834ad41843ff4e"

patterns/Web_Application_canaryPage_backend_21d48876e12f7599c87ebd64.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "21d48876e12f7599c87ebd64"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.WebApplicationAccess"
+  name: "Web Application canaryPage backend"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    path: "/canary/api/"
+    realm:
+    - "pattern://7518c6cc61e47eec6322ae17"
+    backends: "var://web-application-canarypage-backend-backend-addresses"
+    requestValidation: "var://op-admin-mod-security-mode-canary-api"

patterns/Web_Application_canaryPage_frontend_2a09bff81af3e18af3e13d3f.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "2a09bff81af3e18af3e13d3f"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.WebApplicationAccess"
+  name: "Web Application canaryPage frontend"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    path: "/canary/"
+    realm:
+    - "pattern://7518c6cc61e47eec6322ae17"
+    backends: "var://web-application-canarypage-backend-frontend-addresses"
+    requestValidation: "var://op-admin-mod-security-mode-canary-app"

patterns/a7b62b3dea12ecfc81ecc855_scriptFile/logLoginUser.gy

@@ -0,0 +1,15 @@
+try {
+  def session = request.getAuthSession(true)
+
+  def emailFromAssertion = session.getAttribute('emailFromAssertion') ?: 'unknown'
+  def subjectFromAssertion = session.getAttribute('ch.nevis.auth.saml.assertion.subject') ?: 'unknown'
+  def loginId = inargs.getProperty('isiwebuserid') ?: 'unknown'
+  def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+  def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+  LOG.warn("Event='IDM-ADMIN-LOGIN', subject from assertion=${subjectFromAssertion}, email from assertion='${emailFromAssertion}', loginId=${loginId}, SourceIp=${sourceIp}, UserAgent='${userAgent}')")
+  response.setResult('ok');
+} catch(Exception ex) {
+   LOG.error("Exception in logLoginUser groovy script: " + ex)
+   response.setResult('error');
+}

patterns/admin_nevisIDM_Password_Login_12c979b6af0f15f1328656a4.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "12c979b6af0f15f1328656a4"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns2.NevisIDMPasswordLogin"
+  name: "admin nevisIDM Password Login"
+  label: "Admin"
+  properties:
+    nevisIDM:
+    - "pattern://ba7c7a3b091df0c4b8ba0bb2"
+    onSuccess:
+    - "pattern://a7b62b3dea12ecfc81ecc855"

patterns/d356ddfbaf34aa51ae1e20e7_truststoreFile/BaltimoreCyberTrustRoot.crt.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
+

patterns/d356ddfbaf34aa51ae1e20e7_truststoreFile/DigiCertGlobalRootG2.crt.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----

patterns/d56823f55065139ba437dc5c_authStatesFile/OpOnbrdng-SamlServiceProvider-AuthnRequest.xml

@@ -0,0 +1,22 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.AssertionRequestState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.done}" authLevel="auth.strong"/>
+	<ResultCond name="default"  next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="NoGui"/>
+	</Response>
+	<!-- used for the key material -->
+	<propertyRef name="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>
+
+	<property name="idpURL" value="${param.op.atb.ssoUrl}"/>
+	<property name="consumerURL" value="${param.op.onboarding.consumerURL}"/>
+
+	<property name="out.binding" value="http-post"/>
+        <property name="out.requestType" value="AuthnRequest"/>
+	<property name="out.sign" value="AuthnRequest"/>
+	<property name="out.signatureKeyInfo" value="Certificate"/>
+	<property name="out.issuer" value="${param.op.onboarding.issuer}"/>
+	<property name="request.RequestedAuthnContext.AuthnContextClassRef" value="${sess:agov.op.onboarding.ctxClass}"/>
+	<property name="request.RequestedAuthnContext.Comparison" value="minimum"/>
+        <property name="request.ttl" value="60"/>
+        <property name="relayState" value=""/>
+</AuthState>

patterns/fbf7b18179dda28d420420fd_scriptFile/saveEmailFromAssertionToSession.gy

@@ -0,0 +1,7 @@
+try {
+  response.setSessionAttribute('emailFromAssertion', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
+  response.setResult('ok');
+} catch(Exception ex) {
+   LOG.error("Exception in saveEmailFromAssertionToSession groovy script: " + ex)
+   response.setResult('error');
+}

patterns/fd3912c7af7a88b6342a4c78_authStatesFile/OpOnbrdng-PostProcessing.xml

@@ -0,0 +1,41 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="done" next="${state.done}"/>
+	<ResultCond name="createSamlFedCredential" next="${state.entry}_SamlFedCredential"/>
+	<ResultCond name="failure" next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="op_onbrdng_error" label="op-onboarding.process.title">
+			<GuiElem name="info" type="info" label="op-onboarding.process.message"/>
+			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+		</Gui>
+	</Response>
+	<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/OpOnbrdng-PostProcessing.groovy"/>
+</AuthState>
+
+<AuthState name="${state.entry}_SamlFedCredential" class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.entry}"/>
+	<ResultCond name="failed" next="${state.entry}_SamlFedCredential_Failed"/>
+	<ResultCond name="credentialExists" next="${state.entry}_SamlFedCredential_Failed"/>
+	<ResultCond name="default" next="${state.entry}_SamlFedCredential_Failed"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<propertyRef name="nevisIDM_Connector"/>
+	<property name="user.loginId" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
+	<property name="client.name" value="${sess:ch.adnovum.nevisidm.user.clientName}"/>
+	<property name="cred.type" value="saml_federation"/>
+	<property name="cred.modificationComment" value="Automatically on-boarded based on assertionId: '${sess:ch.nevis.auth.saml.assertion.id}'"/>
+	<property name="cred.state" value="ACTIVE"/>
+	<property name="cred.issuerNameId" value="${sess:agov.op.onboarding.homeName}"/>
+	<property name="cred.subjectNameId" value="${sess:agov.op.onboarding.subject}"/>
+	<property name="operationIfExists" value="ADD"/>
+</AuthState>
+
+<AuthState name="${state.entry}_SamlFedCredential_Failed"  class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.failed}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="NoGui"/>
+	</Response>
+	<property name="notes:lasterror" value="9905"/>
+	<property name="notes:lasterrorinfo" value="Problem with creation of SamlFed credential: ${notes:lasttransition} - ${notes:lasterrorinfo}"/>
+</AuthState>

patterns/fd3912c7af7a88b6342a4c78_resources/OpOnbrdng-PostProcessing.groovy

@@ -0,0 +1,79 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+// for autditing
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+def minLoi = session['agov.op.onboarding.minLoi'] ?: 'unknown'
+
+if (session['agov.op.onboarding.process.state'] == null) {
+  // 0) remove SAMLResponse, to avoid multiple processing
+  request.getInArgs().remove("SAMLResponse")
+
+  // check status
+  if (notes['saml.response.statusCode'] == 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+
+    // we have to do the checks.
+    // 1) compare email
+    if (!notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'].equalsIgnoreCase(session['ch.nevis.idm.User.email'])) {
+  
+      def lasterrorinfo = "email don't match: idm=${session['ch.nevis.idm.User.email']} idp=${notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']}"
+      response.setNote('lasterror', '9902')
+      response.setNote('lasterrorinfo', lasterrorinfo)
+  
+      LOG.info("Event='OP-FAILED', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent=${userAgent}, lasterror=${response.getNote('lasterror')}, lasterrorinfo='${lasterrorinfo}'")
+  
+      response.setStatus(AuthResponse.AUTH_ERROR)
+      return
+    }
+  
+    def homeName = notes['saml.attributes.http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/fp/homeName'] ?: 'unknown'
+    def subject = session['ch.nevis.auth.saml.assertion.subject'] ?: 'unknown'
+    if (homeName == 'unknown' || subject == 'unknown') {
+      def lasterrorinfo = "invalid info from IdP: subject=${subject} homeName=${homeName}"
+      response.setNote('lasterror', '9903')
+      response.setNote('lasterrorinfo', lasterrorinfo)
+  
+      LOG.info("Event='OP-FAILED', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', lasterror=${response.getNote('lasterror')}, lasterrorinfo='${lasterrorinfo}'")
+  
+      response.setStatus(AuthResponse.AUTH_ERROR)
+      return
+    }
+
+    // ok - create the credential
+    response.setSessionAttribute('agov.op.onboarding.process.state', 'createCredential')
+    response.setSessionAttribute('agov.op.onboarding.homeName', homeName)
+    response.setSessionAttribute('agov.op.onboarding.subject', subject)
+
+    response.setSessionAttribute('agov.op.onboarding.subject', session['ch.nevis.auth.saml.assertion.subject'] ?: 'unknown')
+    response.setResult('createSamlFedCredential')
+    return
+
+  } else {
+
+      def lasterrorinfo = "authentication by IdP failed: ${notes['saml.response.statusCode']}"
+      response.setNote('lasterror', '9903')
+      response.setNote('lasterrorinfo', lasterrorinfo)
+  
+      LOG.info("Event='OP-FAILED', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', lasterror=${response.getNote('lasterror')}, lasterrorinfo='${lasterrorinfo}'")
+  
+      response.setStatus(AuthResponse.AUTH_ERROR)
+      return
+  }
+} else if (session['agov.op.onboarding.process.state'] == 'createCredential') {
+  // 2 Credential created, we or done
+  def responseId = session['ch.nevis.auth.saml.response.id']
+  def homeName = session['agov.op.onboarding.homeName'] ?: 'unknown'
+  def subject = session['agov.op.onboarding.subject'] ?: 'unknown'
+
+  LOG.info("Event='OP-SUCCESS', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', ResponseID='${responseId}', subject='${subject}', homeName='${homeName}'")
+  response.setResult('done')
+  return
+
+} else {
+  LOG.error("invalid state: ${session['agov.op.onboarding.process.state']}")
+  response.setNote('lasterror', '9909')
+  response.setNote('lasterrorinfo', 'internal error')
+  response.setResult('failure')
+}

patterns/fetch_User_Authentication_Step_56955e7b6b92c254d7d1aae1.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "56955e7b6b92c254d7d1aae1"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "fetch User Authentication Step"
+  label: "Operations"
+  properties:
+    authStatesFile: "res://56955e7b6b92c254d7d1aae1#authStatesFile"
+    parameters: "client.name: OPERATIONS\nattributes: loginId,extId,firstName,name,email,language"
+    onSuccess:
+    - "pattern://24cbc652d3166c8374eda3cd"
+    onFailure:
+    - "pattern://700ec185425d8645fea2caf5"
+    resources: "res://56955e7b6b92c254d7d1aae1#resources"

patterns/nevisAuth_Log_Settings_0eaddca6ad424c5d15e5312e.yml

@@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0eaddca6ad424c5d15e5312e"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.CustomAuthLogFile"
+  name: "nevisAuth Log Settings"
+  label: "Common"
+  properties:
+    levels: "var://nevisauth-log-settings-log-levels"

patterns/nevisAuth_ac27dd7daad0ca2b7229bfaf.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ac27dd7daad0ca2b7229bfaf"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
+  name: "nevisAuth"
+  deploymentHosts: "auth"
+  label: "Common"
+  properties:
+    logging:
+    - "pattern://0eaddca6ad424c5d15e5312e"
+    signerKeyStore:
+    - "pattern://02cc34b35d83a306f48abe47"
+    addons:
+    - "pattern://f4e909fcaf0ae3f6effb28ae"

patterns/nevisIDM_Administration_GUI_4095d4e66ef51810f07a6ed3.yml

@@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+  id: "4095d4e66ef51810f07a6ed3"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMWebApplicationAccess"
+  name: "nevisIDM Administration GUI"
+  label: "Admin"
+  properties:
+    host:
+    - "pattern://1200a58c76686d520c21edb0"
+    nevisIDM:
+    - "pattern://ba7c7a3b091df0c4b8ba0bb2"
+    realm:
+    - "pattern://6f9c9f982dcc7ef59a34f1f7"
+    token:
+    - "pattern://271d024334021208b71ac80a"
+    requestValidation: "var://op-admin-mod-security-mode-nevisidmgui"
+    selfAdmin: "disabled"
+    apiAccess: "disabled"

patterns/nevisIDM_Batch_Log_Settings_dcf3ce4f7d266c6da1e5beb2.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "dcf3ce4f7d266c6da1e5beb2"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.CustomNevisIDMLogFile"
+  name: "nevisIDM Batch Log Settings"
+  label: "IDM"
+  properties:
+    logLevel: "var://nevisidm-batch-log-settings-default-log-level"
+    levels: "var://nevisidm-batch-log-settings-log-levels"

patterns/nevisIDM_Custom_Property_agovId_54a502fe8e6d6280467df375.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "54a502fe8e6d6280467df375"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property agovId"
+  properties:
+    propertyName: "agovId"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "36"
+    accessModify: "READ_ONLY"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_additionalAddress_449fd0f0de8d30fdcafe5dc5.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "449fd0f0de8d30fdcafe5dc5"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter additionalAddress"
+  properties:
+    propertyName: "additionalAddress"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "100"
+    description: "additional address line"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_counterExtId_1960dfb9b110a6d07bcd04b9.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "1960dfb9b110a6d07bcd04b9"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter counterExtId"
+  properties:
+    propertyName: "counterExtId"
+    propertyScope: "USER_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    description: "the unitExtId of the counter, that the user selected intially, and\
+      \ visited (might be different)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingFri_56797f553b7c2d5c7ae82726.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "56797f553b7c2d5c7ae82726"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingFri"
+  properties:
+    propertyName: "openingFri"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Fridays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingHol_83084230d0b4e443d7132203.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "83084230d0b4e443d7132203"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingHol"
+  properties:
+    propertyName: "openingHol"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Sundays and Holidays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingMon_5357a714fdc0a0d3eeffa72b.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "5357a714fdc0a0d3eeffa72b"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingMon"
+  properties:
+    propertyName: "openingMon"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Mondays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingRemarksDe_18e8a301eac0d94260f4a4c4.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "18e8a301eac0d94260f4a4c4"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingRemarksDe"
+  properties:
+    propertyName: "openingRemarksDe"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    description: "remarks for the opening hours (DE)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingRemarksEn_9ee7718965f72521184370cf.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9ee7718965f72521184370cf"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingRemarksEn"
+  properties:
+    propertyName: "openingRemarksEn"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    description: "remarks for the opening hours (EN)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingRemarksFr_3efe03e435f0e10aa988c017.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3efe03e435f0e10aa988c017"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingRemarksFr"
+  properties:
+    propertyName: "openingRemarksFr"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    description: "remarks for the opening hours (FR)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingRemarksIt_2a3b9474096a3da71634e557.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "2a3b9474096a3da71634e557"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingRemarksIt"
+  properties:
+    propertyName: "openingRemarksIt"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    description: "remarks for the opening hours (IT)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingSat_442eae5e7116ba47699836b1.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "442eae5e7116ba47699836b1"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingSat"
+  properties:
+    propertyName: "openingSat"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Saturdays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingThu_f69b23de624fd47864013434.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f69b23de624fd47864013434"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingThu"
+  properties:
+    propertyName: "openingThu"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Thursdays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingTue_85c4a1f04841ebd03043a14e.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "85c4a1f04841ebd03043a14e"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingTue"
+  properties:
+    propertyName: "openingTue"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Tuesdays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_openingWed_214b0d9557566e008064bf5c.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "214b0d9557566e008064bf5c"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter openingWed"
+  properties:
+    propertyName: "openingWed"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "50"
+    description: "Opening hours for Wednesdays"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_position_b635ceb319d955203cc5f053.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "b635ceb319d955203cc5f053"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter position"
+  properties:
+    propertyName: "position"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    regex: "^\\-?([1-9][0-9]|[0-9])\\.[0-9][0-9][0-9][0-9][0-9],\\s*\\-?(1[0-8][0-9]|[1-9][0-9]|[0-9])\\\
+      .[0-9][0-9][0-9][0-9][0-9]$"
+    description: "coordinates of the office (WGS84)"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_street_6d61f581ca9fa3c2ab03004c.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6d61f581ca9fa3c2ab03004c"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter street"
+  properties:
+    propertyName: "street"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "100"
+    description: "address: street and house number"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_counter_town_2d5614b389904a87cbe05fb0.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "2d5614b389904a87cbe05fb0"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property counter town"
+  notes: "eCH-0010:townType"
+  properties:
+    propertyName: "town"
+    propertyScope: "UNIT_GLOBAL"
+    clientExtId: "var://nevisidm-custom-property-client-external-id-counter"
+    maxLength: "40"
+    description: "twon, city where the counter is located"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_eIdNumber_9fc4ba53af217ae05e9a7b55.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9fc4ba53af217ae05e9a7b55"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property eIdNumber"
+  label: "IDM"
+  properties:
+    propertyName: "eIdNumber"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agov"
+    maxLength: "40"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_eIdNumber_agovs_4a284e141e40719eb58834ce.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "4a284e141e40719eb58834ce"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property eIdNumber agovs"
+  label: "IDM"
+  properties:
+    propertyName: "eIdNumber"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "40"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_nationality_agovs_6c60fe0d77fc5d7a08df5c73.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6c60fe0d77fc5d7a08df5c73"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property nationality agovs"
+  label: "IDM"
+  properties:
+    propertyName: "nationality"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "40"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_nationality_bb4bc33af8c6389ff104348f.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "bb4bc33af8c6389ff104348f"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property nationality"
+  label: "IDM"
+  properties:
+    propertyName: "nationality"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agov"
+    maxLength: "40"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_placeOfBirth_6f7e23ed7cc8de5bba2b7b61.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6f7e23ed7cc8de5bba2b7b61"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property placeOfBirth"
+  label: "IDM"
+  properties:
+    propertyName: "placeOfBirth"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agov"
+    maxLength: "50"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_placeOfBirth_agovs_3c812a7f305d7ec5d054c1e9.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3c812a7f305d7ec5d054c1e9"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property placeOfBirth agovs"
+  label: "IDM"
+  properties:
+    propertyName: "placeOfBirth"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "50"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_svnr_5d3c87e0a35de2bacdfdbc84.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "5d3c87e0a35de2bacdfdbc84"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property svnr"
+  label: "IDM"
+  properties:
+    propertyName: "svnr"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agov"
+    maxLength: "13"
+    regex: "^[0-9]{13}$"
+    description: "ahv/avs"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_svnr_agovs_9a12e3a94959e1c7ae16db9a.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9a12e3a94959e1c7ae16db9a"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property svnr agovs"
+  label: "IDM"
+  properties:
+    propertyName: "svnr"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "13"
+    regex: "^[0-9]{13}$"
+    description: "ahv/avs"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_verificationStatus_641b47231c6c3ae6760bdf8b.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "641b47231c6c3ae6760bdf8b"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property verificationStatus"
+  properties:
+    propertyName: "verificationStatus"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "50"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "706cabed89317b5e9ebd814f"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMProperty"
+  name: "nevisIDM Custom Property verificationTransactionId"
+  properties:
+    propertyName: "verificationTransactionId"
+    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
+    maxLength: "50"
+    accessModify: "READ_WRITE"
+    accessCreate: "READ_WRITE"

patterns/nevisIDM_Log_Settings_79c526f49d7765ce6ed1a619.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "79c526f49d7765ce6ed1a619"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.CustomNevisIDMLogFile"
+  name: "nevisIDM Log Settings"
+  label: "IDM"
+  properties:
+    logLevel: "var://nevisidm-log-settings-default-log-level"
+    levels: "var://nevisidm-log-settings-log-levels"

patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml

@@ -0,0 +1,17 @@
+schemaVersion: "1.0"
+pattern:
+  id: "13ea034de32c190083ba9e35"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMWebApplicationAccess"
+  name: "nevisIDM Operations Administration GUI"
+  label: "Operations"
+  properties:
+    host:
+    - "pattern://39ecde9a0d101628fed3e3be"
+    nevisIDM:
+    - "pattern://ba7c7a3b091df0c4b8ba0bb2"
+    realm:
+    - "pattern://7518c6cc61e47eec6322ae17"
+    token:
+    - "pattern://271d024334021208b71ac80a"
+    selfAdmin: "disabled"
+    apiAccess: "disabled"