13 files added, 16 files updated and 1 file deleted

bundles.yml

@@ -1,13 +1,13 @@
 schemaVersion: "1.0"
 bundles:
-- "nevisadmin-plugin-base-generation:8.2411.2.rc2"
+- "nevisadmin-plugin-authcloud:8.2411.2.4"
-- "nevisadmin-plugin-nevisproxy:8.2411.2.rc2"
+- "nevisadmin-plugin-base-generation:8.2411.2.4"
-- "nevisadmin-plugin-nevisauth:8.2411.2.rc2"
+- "nevisadmin-plugin-fido2:8.2411.2.4"
-- "nevisadmin-plugin-nevisidm:8.2411.2.rc2"
+- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
-- "nevisadmin-plugin-mobile-auth:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
-- "nevisadmin-plugin-fido2:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisauth:8.2411.2.4"
-- "nevisadmin-plugin-nevisadapt:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
-- "nevisadmin-plugin-nevisdetect:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisdp:8.2411.2.4"
-- "nevisadmin-plugin-oauth:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisidm:8.2411.2.4"
-- "nevisadmin-plugin-authcloud:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisproxy:8.2411.2.4"
-- "nevisadmin-plugin-nevisdp:8.2411.2.rc2"
+- "nevisadmin-plugin-oauth:8.2411.2.4"

patterns/0f6977caedca600b17221f0a_authStatesFile/Ident_ProcessAndDispatch.xml

@@ -0,0 +1,12 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="sendAuthnRequest" next="${state.exit.1}"/>
+	<ResultCond name="processResponse" next="${state.exit.2}"/>
+    <ResultCond name="inavlidurl" next="${state.failed}"/> 
+	<Response value="AUTH_ERROR">
+	</Response>
+	<property name="scriptTraceGroup" value="AGOVOP-IDENT"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/IdentProcessAndDispatch.groovy"/>
+    <property name="parameter.rpcode.list" value='${var.rpcode.list}' />
+
+</AuthState>
+

patterns/0f6977caedca600b17221f0a_resources/IdentProcessAndDispatch.groovy

@@ -0,0 +1,79 @@
+import groovy.json.JsonSlurper
+
+def cleanSession(boolean rpcodeToo) {
+  def s = request.getAuthSession(true)
+
+  if (rpcodeToo) {
+	s.removeAttribute('agov.ident.rpcode.backup')
+	s.removeAttribute('agov.ident.rpcode')
+	s.removeAttribute('agov.ident.entityId')
+  }
+  def sessionKeySet = new HashSet(session.keySet())
+  sessionKeySet.each { key ->
+    if ( key ==~ /ch.nevis.auth.saml..*/ ) {
+	  LOG.debug("Deleted session attribute '${key}'")
+	  s.removeAttribute(key)
+	}
+  }
+}
+
+// for auditing
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def referer = request.getLoginContext()['connection.HttpHeader.referer'] ?: request.getLoginContext()['connection.HttpHeader' +
+		'.Referer'] ?: '-'
+def origin = request.getLoginContext()['connection.HttpHeader.origin'] ?: request.getLoginContext()['connection.HttpHeader' +
+		'.Origin'] ?: '-'
+
+// 0) clean up, if we have a SAML Response in session
+if (session['ch.nevis.auth.saml.response.id']) {
+  // keep rpcode in session, if retrying after SAML error
+  def keepRpcode = session['ch.nevis.auth.saml.response.statusCode'] == 'urn:oasis:names:tc:SAML:2.0:status:Responder'
+  cleanSession(!keepRpcode)
+}
+
+// 1) we need to know the code of the RP
+def rpcode = inargs['rpcode'] ?: inargs['RelayState'] ?: session['agov.ident.rpcode']
+def rpcodeBackup = session['agov.ident.rpcode']
+def rpentity = '-'
+
+if (rpcode)
+{
+  if (rpcodeBackup) {
+    response.setSessionAttribute('agov.ident.rpcode.backup', rpcodeBackup)
+  }
+  response.setSessionAttribute('agov.ident.rpcode', rpcode)
+} else {
+  cleanSession(true)
+  LOG.info("Event='IDENT-INVALIDREQ', rpcode='missing', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', Origin='${origin}'")
+  response.setResult('inavlidurl')
+  return
+}
+
+// 2) load rp settings in session (if needed)
+if (rpcode != rpcodeBackup) {
+  def slurper = new JsonSlurper()
+  def rpMap = slurper.parseText(parameters['rpcode.list'])
+  LOG.debug(">>> rpMaP: ${rpMap}")
+  if (!rpMap[rpcode]) {
+	  cleanSession(true)
+	  LOG.info("Event='IDENT-INVALIDREQ', rpcode='${rpcode}', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', Origin='${origin}'")
+	  response.setResult('inavlidurl')
+	  return
+  }
+  rpentity=rpMap[rpcode]
+  response.setSessionAttribute('agov.ident.entityId', rpMap[rpcode])
+}
+
+// 3) if we have a response ...
+if (inargs['SAMLResponse']) {
+    response.setResult('processResponse')
+    return
+}
+
+// 4) otherwise
+LOG.info("Event='IDENT-INITREQ', rpcode='${rpcode}', rpentity='${rpentity}', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', " +
+		"Origin='${origin}'")
+response.setResult('sendAuthnRequest')
+return
+

patterns/AGOV_Ident_Signer_KeyStore_f739deb8632efc4ff0c2a21d.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f739deb8632efc4ff0c2a21d"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.PemKeyStoreProvider"
+  name: "AGOV_Ident_Signer_KeyStore"
+  label: "IDENT"
+  properties:
+    keystoreFiles: "var://agov_ident_signer_keystore"
+    keyPass: "var://agov_ident_signer_passphrase"

patterns/GreenMail_f010ec68088ebd56349c7135.yml

@@ -10,10 +10,10 @@ pattern:
     realm:
     - "pattern://7518c6cc61e47eec6322ae17"
     addons:
-    - "pattern://4c0d206244a4e16e9aa49f5c"
+    - "pattern://a6db9f243e2ecabfba832868"
     backends: "var://greenmail-backend-addresses"
     hostnameCheck: "disabled"
     hostHeader: "backend"
-    responseRewrite: "header"
+    responseRewrite: "var://greenmail-response-rewriting"
     csrf: "off"
     requestValidation: "var://op-admin-mod-security-mode-greenmail"

patterns/IDENT-AuthenticationRealm_3fd09bb6cfbd34874595c263.yml

@@ -0,0 +1,16 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3fd09bb6cfbd34874595c263"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.NevisAuthRealm"
+  name: "IDENT-AuthenticationRealm"
+  label: "IDENT"
+  properties:
+    authenticate:
+    - "pattern://0f6977caedca600b17221f0a"
+    auth:
+    - "pattern://ac27dd7daad0ca2b7229bfaf"
+    logrend:
+    - "pattern://8401da6318c6915d689cdfc9"
+    template: "res://3fd09bb6cfbd34874595c263#template"
+    labels: "res://3fd09bb6cfbd34874595c263#labels"
+    defaultProperties: "var://nevislogrend-configuration-logrendproperties"

patterns/IDENT-Entry-Point_6977f8a683f63744bbd56d69.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6977f8a683f63744bbd56d69"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.AuthenticationFlow"
+  name: "IDENT-Entry-Point"
+  label: "IDENT"
+  properties:
+    host:
+    - "pattern://816a1456192f974b57418ca9"
+    path: "exact:/process"
+    realm:
+    - "pattern://3fd09bb6cfbd34874595c263"

patterns/IDENT-Failed-WithRetry_ea2c110e0adfa95722c2cc99.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ea2c110e0adfa95722c2cc99"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.UserInformation"
+  name: "IDENT-Failed-WithRetry"
+  label: "IDENT"
+  properties:
+    messageType: "warning"
+    buttonType: "submit"
+    onSubmit:
+    - "pattern://0f6977caedca600b17221f0a"

patterns/IDENT-Failed_026e4ae8ef4cc5496a7fe8c6.yml

@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "026e4ae8ef4cc5496a7fe8c6"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.UserInformation"
+  name: "IDENT-Failed"
+  label: "IDENT"
+  properties:
+    messageType: "error"
+    buttonType: "none"

patterns/IDENT-Process-and-Dispatch_0f6977caedca600b17221f0a.yml

@@ -0,0 +1,14 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0f6977caedca600b17221f0a"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "IDENT-Process-and-Dispatch"
+  label: "IDENT"
+  properties:
+    authStatesFile: "res://0f6977caedca600b17221f0a#authStatesFile"
+    onFailure:
+    - "pattern://026e4ae8ef4cc5496a7fe8c6"
+    nextSteps:
+    - "pattern://dce20cc904f88df4b77f93d9"
+    - "pattern://ac1151fe6a973b135fd4a460"
+    resources: "res://0f6977caedca600b17221f0a#resources"

patterns/IDENT-SamlServiceProvider-AuthnRequest_dce20cc904f88df4b77f93d9.yml

@@ -0,0 +1,11 @@
+schemaVersion: "1.0"
+pattern:
+  id: "dce20cc904f88df4b77f93d9"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "IDENT-SamlServiceProvider-AuthnRequest"
+  label: "IDENT"
+  properties:
+    authStatesFile: "res://dce20cc904f88df4b77f93d9#authStatesFile"
+    parameters: "var://op-samlserviceprovider-parameters"
+    keyObjects:
+    - "pattern://6589067d403de8c65bcdcb16"

patterns/IDENT-SamlServiceProvider-ProcessResponse_ac1151fe6a973b135fd4a460.yml

@@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "ac1151fe6a973b135fd4a460"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "IDENT-SamlServiceProvider-ProcessResponse"
+  label: "IDENT"
+  properties:
+    authStatesFile: "res://ac1151fe6a973b135fd4a460#authStatesFile"
+    parameters: "var://op-samlserviceprovider-parameters"
+    onSuccess:
+    - "pattern://5f2cdff72cb899bff468ad90"
+    onFailure:
+    - "pattern://ea2c110e0adfa95722c2cc99"

patterns/IDENT-Succeeded_5f2cdff72cb899bff468ad90.yml

@@ -0,0 +1,10 @@
+schemaVersion: "1.0"
+pattern:
+  id: "5f2cdff72cb899bff468ad90"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.UserInformation"
+  name: "IDENT-Succeeded"
+  label: "IDENT"
+  properties:
+    messageType: "info"
+    label: "not-used"
+    buttonType: "none"

patterns/IDENT_Signer_KeyObject_6589067d403de8c65bcdcb16.yml

@@ -0,0 +1,12 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6589067d403de8c65bcdcb16"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.KeyObject"
+  name: "IDENT_Signer_KeyObject"
+  label: "IDENT"
+  properties:
+    keyObjectId: "AGOV_IDENT_SIGNER"
+    keyStoreName: "AGOV_IDENT_KS"
+    type: "keystore"
+    keyStore:
+    - "pattern://f739deb8632efc4ff0c2a21d"

patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml

@@ -3,6 +3,7 @@ pattern:
   id: "6df66943ca713eed2a25d935"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.NevisAuthRealm"
   name: "OP-ONBRDNG-AuthenticationRealm"
+  label: "OP-ONBRDNG"
   properties:
     authenticate:
     - "pattern://2787b678d9cce5310a335419"

patterns/OP-ONBRDNG-Entry-Point_9415bf61610843e0f5c77e39.yml

@@ -3,6 +3,7 @@ pattern:
   id: "9415bf61610843e0f5c77e39"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.AuthenticationFlow"
   name: "OP-ONBRDNG-Entry-Point"
+  label: "OP-ONBRDNG"
   properties:
     host:
     - "pattern://39ecde9a0d101628fed3e3be"

patterns/OP-ONBRDNG-ModSecuritySettings_f02bc0de60aad829670e4c5b.yml

@@ -3,6 +3,7 @@ pattern:
   id: "f02bc0de60aad829670e4c5b"
   className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RequestValidationSettings"
   name: "OP-ONBRDNG-ModSecuritySettings"
+  label: "OP-ONBRDNG"
   properties:
     scope: "all"
     logOnlyMode: "var://op-admin-mod-security-op-onboarding-log-only-mode"

patterns/OP-ONBRDNG-PostProcessing_fd3912c7af7a88b6342a4c78.yml

@@ -3,6 +3,7 @@ pattern:
   id: "fd3912c7af7a88b6342a4c78"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
   name: "OP-ONBRDNG-PostProcessing"
+  label: "OP-ONBRDNG"
   properties:
     authStatesFile: "res://fd3912c7af7a88b6342a4c78#authStatesFile"
     onSuccess:

patterns/OP-ONBRDNG-PreProcessing_2787b678d9cce5310a335419.yml

@@ -3,6 +3,7 @@ pattern:
   id: "2787b678d9cce5310a335419"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
   name: "OP-ONBRDNG-PreProcessing"
+  label: "OP-ONBRDNG"
   properties:
     authStatesFile: "res://2787b678d9cce5310a335419#authStatesFile"
     nextSteps:

patterns/OP-ONBRDNG-SamlServiceProvider-AuthnRequest_d56823f55065139ba437dc5c.yml

@@ -3,6 +3,7 @@ pattern:
   id: "d56823f55065139ba437dc5c"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
   name: "OP-ONBRDNG-SamlServiceProvider-AuthnRequest"
+  label: "OP-ONBRDNG"
   properties:
     authStatesFile: "res://d56823f55065139ba437dc5c#authStatesFile"
     parameters: "var://op-samlserviceprovider-parameters"

patterns/OP-ONBRDNG-SamlServiceProvider-ProcessResponse_9be76d365909bb2ec294569c.yml

@@ -3,6 +3,7 @@ pattern:
   id: "9be76d365909bb2ec294569c"
   className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
   name: "OP-ONBRDNG-SamlServiceProvider-ProcessResponse"
+  label: "OP-ONBRDNG"
   properties:
     authStatesFile: "res://9be76d365909bb2ec294569c#authStatesFile"
     parameters: "var://op-samlserviceprovider-parameters"

patterns/Virtual_Host_AgovIdent_816a1456192f974b57418ca9.yml

@@ -0,0 +1,17 @@
+schemaVersion: "1.0"
+pattern:
+  id: "816a1456192f974b57418ca9"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.HostContext"
+  name: "Virtual_Host_AgovIdent"
+  label: "IDENT"
+  properties:
+    proxy:
+    - "pattern://bd83dfbd467e8211ffe71d28"
+    addresses: "var://virtual_host_agovident-frontend-addresses"
+    defaultEntry: "/process"
+    resources: "res://816a1456192f974b57418ca9#resources"
+    securityHeaders: "custom"
+    trailingSlashRedirect: "disabled"
+    addons:
+    - "pattern://58ece0328f5bf4d78e1a82d2"
+    - "pattern://36886a1934993d1f69690e1d"

patterns/_GreenMail-OP-Headers_a6db9f243e2ecabfba832868.yml

@@ -1,6 +1,6 @@
 schemaVersion: "1.0"
 pattern:
-  id: "4c0d206244a4e16e9aa49f5c"
+  id: "a6db9f243e2ecabfba832868"
   className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.HeaderCustomization"
   name: " GreenMail-OP-Headers"
   properties:

patterns/ac1151fe6a973b135fd4a460_authStatesFile/Ident_SamlResponseProcessing.xml

@@ -0,0 +1,20 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.done}" />
+	<ResultCond name="status-Responder" next="${state.failed}"/>
+	<ResultCond name="status-Requester" next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="NoGui"/>
+	</Response>
+	<!-- used for the key material -->
+	<propertyRef name="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>
+	<property name="idpURL" value="${param.op.atb.ssoUrl}"/>
+	<property name="consumerURL" value="${param.op.ident.consumerURL}"/>
+	<property name="relayState" value=""/>
+	<property name="out.binding" value="none"/>
+	<property name="in.binding" value="auto"/>
+	<property name="in.relayState" value=""/>
+	<property name="in.audienceRegex" value="${session:agov.ident.entityId}"/>
+	<property name="in.audience.checkrequired" value="true"/>
+	<property name="in.map_issuer_certificate" value="false"/>
+	<property name="in.verify" value="Response Assertion"/>
+</AuthState>

patterns/dce20cc904f88df4b77f93d9_authStatesFile/Ident_SamlServiceProvider.xml

@@ -0,0 +1,26 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.AssertionRequestState" final="false" resumeState="false">
+	<ResultCond name="ok" next="${state.done}"/>
+	<ResultCond name="default"  next="${state.failed}"/>
+	<Response value="AUTH_ERROR">
+		<Gui name="NoGui"/>
+	</Response>
+
+	<property name="idpURL" value="${param.op.atb.ssoUrl}"/>
+	<property name="consumerURL" value="${param.op.ident.consumerURL}"/>
+
+	<property name="out.binding" value="http-post"/>
+    <property name="out.requestType" value="AuthnRequest"/>
+	<property name="out.sign" value="AuthnRequest"/>
+	<property name="out.signatureKeyInfo" value="Certificate"/>
+
+	<property name="out.keystoreref" value="AGOV_IDENT_KS"/>
+	<property name="out.keyobjectref" value="AGOV_IDENT_SIGNER"/>
+
+	<property name="out.issuer" value="${sess:agov.ident.entityId}"/>
+    <!-- TODO/haburger/2025-05-06: disable for now, might be needed later 
+	<property name="request.RequestedAuthnContext.AuthnContextClassRef" value="${sess:agov.ident.ctxClass}"/>
+	<property name="request.RequestedAuthnContext.Comparison" value="minimum"/>
+    -->
+    <property name="request.ttl" value="60"/>
+    <property name="relayState" value="${sess:agov.ident.rpcode}"/>
+</AuthState>

patterns/nevisIdm_sectoken_Truststore_c4f291a121b2d19157049cdc.yml

@@ -6,4 +6,3 @@ pattern:
   properties:
     keystore:
     - "pattern://02cc34b35d83a306f48abe47"
-    truststoreFile: "var://nevisidm-signer-truststore-trusted-certificates"

patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml

@@ -6,6 +6,8 @@ pattern:
   deploymentHosts: "proxy-sp"
   label: "Operations"
   properties:
+    logging:
+    - "pattern://92be6cb7c75ce097f0219577"
     defaultHostContext:
     - "pattern://39ecde9a0d101628fed3e3be"
     addons:

patterns/operations_nevisProxy_Log_Settings_92be6cb7c75ce097f0219577.yml

@@ -0,0 +1,10 @@
+schemaVersion: "1.0"
+pattern:
+  id: "92be6cb7c75ce097f0219577"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.CustomProxyLogFile"
+  name: "operations nevisProxy Log Settings"
+  properties:
+    logLevel: "NOTICE"
+    logLevelParameters:
+    - NavajoRequ: "DEBUG"
+    - NavajoStar: "DEBUG"

variables.yml

@@ -18,6 +18,21 @@ variables:
       - "disabled"
     value: "disabled"
     requireOverloading: true
+  agov_ident_signer_keystore:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
+    parameters:
+      minRequired: 0
+      secretPreserving: true
+    value: null
+    requireOverloading: true
+  agov_ident_signer_passphrase:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+    parameters:
+      minRequired: 0
+      maxAllowed: 1
+      secret: true
+    value: "sample password"
+    requireOverloading: true
   agov_operations_pem_signer-key-store-content:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
     parameters:
@@ -126,6 +141,18 @@ variables:
     value:
     - X-Frame-Options: "DENY"
     requireOverloading: true
+  greenmail-response-rewriting:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
+    parameters:
+      minRequired: 0
+      maxAllowed: 1
+      options:
+      - "off"
+      - "header"
+      - "complete"
+      - "custom"
+    value: "header"
+    requireOverloading: true
   idm-admin-settings:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
     parameters:
@@ -677,7 +704,8 @@ variables:
       syntax: "YAML"
     value: "op.atb.ssoUrl: https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\n\
       op.onboarding.issuer: https://op.agov-d.azure.adnovum.net/AUTH/ONBOARDING\n\
-      op.onboarding.consumerURL: https://op.agov-d.azure.adnovum.net/AUTH/ONBOARDING"
+      op.onboarding.consumerURL: https://op.agov-d.azure.adnovum.net/AUTH/ONBOARDING\n\
+      op.ident.consumerURL: https://ident.agov-d.azure.adnovum.net/process"
     requireOverloading: true
   operations-admin-signer-pem-key-store-private-key-passphrase:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
@@ -885,6 +913,17 @@ variables:
       \ accounts (100d no activity)\"/>\n    <property name=\"jobDetail\" ref=\"pruneAgovAccountsJob\"\
       />\n</bean>"
     requireOverloading: true
+  virtual_host_agovident-frontend-addresses:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
+    parameters:
+      minRequired: 1
+      schemeInputMode: "REQUIRED"
+      allowedSchemes: "http,https"
+      hostNameInputMode: "REQUIRED"
+      portInputMode: "OPTIONAL"
+      pathInputMode: "OPTIONAL"
+    value: "https://ident.agov-w.azure.adnovum.net/"
+    requireOverloading: true
   virtual_host_idmadmin-frontend-addresses:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
     parameters: