new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml

@@ -1,7 +1,7 @@
 apiVersion: "operator.nevis-security.ch/v1"
 kind: "NevisTrustStore"
 metadata:
-  name: "auth-default-default-signer-trust"
+  name: "auth-internal-idp-auth-signer-trust"
   namespace: "adn-agov-nevisidm-01-uat"
   labels:
     deploymentTarget: "auth"
@@ -10,5 +10,7 @@ metadata:
     patternId: "7022472ae407577ae604bbb8"
 spec:
   keystores:
+  - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml

@@ -12,6 +12,8 @@ spec:
   keystores:
   - name: "proxy-idp-notused-auth-realm-identity"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-main-idp-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
     namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-recovery-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-1663a8d1d9ae71e0fb7c5af2e10bfc2536ee973b"
+    tag: "r-d9f8becba9a6acfa30f490d16e18038ab79e9d92"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
@@ -55,7 +55,7 @@ spec:
   truststores:
   - "auth-default-tls-trust"
   - "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
-  - "auth-default-default-signer-trust"
+  - "auth-internal-idp-auth-signer-trust"
   - "auth-technical-trust-store"
   podSecurity:
     policy: "baseline"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy

@@ -167,8 +167,8 @@ def i2r = [:]
 
 // issuer to ResultCond name
 def i2e = [:]
-i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
-i2e.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'forbidden_1')
+i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
 
 
 if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy

@@ -165,12 +165,12 @@ try {
   if (role.startsWith('level')) {
     def roleLevel = role.substring(5)
     int roleLevelNumber = Integer.parseInt(roleLevel)
+    
     if (highestRoleLevelNumber< roleLevelNumber) { 
       highestRoleLevelNumber=roleLevelNumber 
     } 
   } 
   } 
-
   LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString()) 
   LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))  
 
@@ -178,17 +178,6 @@ try {
   session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
   LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
 
-
-  // Best Token Available only if account's AQlevel is high enough
-  if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) {
-     LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})") 
-     session.setAttribute('agov.appAddressRequired', 'false')
-  }
-  if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) {
-     LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})") 
-     session.setAttribute('agov.appSvnrAllowed', 'false')
-  }
-
   if (highestRoleLevelNumber > 0) {
     // set attribute contextClassRefToSet
     session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -75,9 +75,18 @@ def dispatchIssuer(i2s, String issuer) {
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
     }
+    
+    // dispatch different idp if artifact binding is enabled
+    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
+        LOG.debug("EPD: Artifact mode")
+        result = result + "_artifact"
+    }else{
+        LOG.debug("EPD: POST mode")
+    }
     response.setResult(result)
     session.put("saml.inbound.issuer", issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+    
 }
 
 def dispatchMessage(i2s, String message) {
@@ -108,8 +117,8 @@ if (request.getSession(false) == null) {
 def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
 
 
-i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
-i2s.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'state1')
+i2s.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'main')
+i2s.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'epd')
 
 if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
     LOG.debug("found SAMLRequest parameter for SP-initiated authentication")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml

@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-50299cb935be4a677ffbde29128d0706fb4a25d9"
+    tag: "r-d9f8becba9a6acfa30f490d16e18038ab79e9d92"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml

@@ -1597,10 +1597,10 @@
             <param-value>true</param-value>
         </init-param>
     </servlet>
-    <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
+    <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
     <servlet>
         <servlet-name>Hosting_Default</servlet-name>
-        <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
+        <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
         <servlet-class>ch::nevis::isiweb4::servlet::defaults::DefaultServlet</servlet-class>
     </servlet>
     <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -1671,7 +1671,7 @@
         <servlet-name>Hosting_Default</servlet-name>
         <url-pattern>/AUTH/RECOVERY/*</url-pattern>
     </servlet-mapping>
-    <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+    <!-- source: pattern://a6f6dc6affdc7c692ff857b9 -->
     <servlet-mapping>
         <servlet-name>Hosting_Default</servlet-name>
         <url-pattern>/SAML2/SSO/*</url-pattern>