new configuration version

2025-09-09 13:39:10 +00:00 · 2025-09-09 13:39:10 +00:00 · ba48cbb253
parent 9a98a657c2
commit ba48cbb253
3 changed files with 109 additions and 42 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -46,7 +46,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-409fd32f98389c9644504cf12ed02ff8c84a9d7a"
+    tag: "r-ad7700b35fd4f776a3e64f37dce372a63b90531b"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  database:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@ -950,52 +950,18 @@
            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
            <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
        </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post"/>
            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <ResultCond name="useArtifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact"/>
            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
            <Response value="AUTH_ERROR">
                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-                <Gui name="saml_idp" label="title.saml.failed">
-                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
+                <Gui name="AuthErrorDialog"/>
            </Response>
-            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.binding" value="http-post"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.post.relayStateEncoding" value="HTML"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt" value="Assertion"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+            <property name="condition:useArtifact" value="${sess:agov.idp.use.artifact:^true$}"/>
        </AuthState>
        <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
            <!-- source: pattern://826166d230a6a4849f2837ae -->
@ -1252,6 +1218,100 @@
                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
            </Response>
        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="Assertion"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="Assertion"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
        <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
            <!-- source: pattern://7fb39bfd6c34685866a22180 -->
            <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
@ -84,6 +84,10 @@ String getAttributeConsumingServiceIndex(String value) {
  return getAttribute(value, 'AttributeConsumingServiceIndex')
 }

+String getProtocolBinding(String value) {
+  return getAttribute(value, 'ProtocolBinding')
+}
+
 def dispatchIssuer(i2s, String issuer, boolean secureMode) {
    def result = i2s.get(issuer)
    if (result == null) {
@ -99,7 +103,7 @@ def dispatchIssuer(i2s, String issuer, boolean secureMode) {
        result =  result + "_secure"
    } 
    response.setResult(result)
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
    session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
    
 }
@ -111,12 +115,15 @@ def dispatchIssuer(i2s, String issuer) {
 def dispatchMessage(i2s, String message) {
    def issuer = getIssuer(message)
    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
+    def useArtifact = ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' == getProtocolBinding(message))
+
    LOG.info("secureMode requested: ${secureMode}")

    if (issuer == null) {
        LOG.info("No issuer found in incoming SAML message. Giving up.")
    }
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
+    session.put('agov.idp.use.artifact', '' + useArtifact)
    dispatchIssuer(i2s, issuer, secureMode)
 }