nevis
/
adn-agov-iam-inventory
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new configuration version

This commit is contained in:
aca 2025-03-04 10:47:46 +00:00
parent cab6910fb9
commit d898d77a96
4 changed files with 139 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
View File

@ -45,7 +45,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
tag: "r-b0ee5bf8f21b6deb852634ece4565dee10c29032"
tag: "r-20ae46349f67d35e89254106268a3ee7b00877de"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
credentials: "git-credentials"
keystores:

144
DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
View File

@ -105,6 +105,8 @@
<KeyObject name="Signer_IDP_AGOV" certificate="/var/opt/keys/own/idp-pem-signer/cert.pem" privateKey="/var/opt/keys/own/idp-pem-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/idp-pem-signer/keypass"/>
<!-- source: pattern://27cefc3861bce987f6766342 -->
<KeyObject name="https://trustbroker.agov-d.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
</KeyStore>
<!-- source: pattern://cb8c63274fe346280de0ffd5 -->
<KeyStore name="Auth_Realm_Mobile_FIDO_UAFKeyStore">
@ -1239,6 +1241,8 @@
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<ResultCond name="forbidden_1" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<ResultCond name="stepup" next="Auth_Realm_Main_IDP_Selector"/>
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<Response value="AUTH_ERROR">
@ -1310,6 +1314,8 @@
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<ResultCond name="state0" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<ResultCond name="state1" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
<Gui name="saml_dispatcher" label="title.saml.failed">
@ -1455,29 +1461,151 @@
<!-- source: pattern://27cefc3861bce987f6766342 -->
<property name="out.audienceRestriction" value="https://trustbroker.agov-d.azure.adnovum.net"/>
</AuthState>
<AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Logout_Done"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Logout_Fail"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Gui name="saml_idp" label="title.saml.failed">
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<GuiElem name="lasterror" type="error" label="error.saml.failed"/>
</Gui>
</Response>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="logoutMode" value="ConcurrentLogout-Redirect"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="in.keystoreref" value="Store_IDP_AGOV"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.binding" value="http-post"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.post.relayStateEncoding" value="HTML"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.sign" value="Response Assertion"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.signatureKeyInfo" value="Certificate"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.ttl" value="30"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.subject" value="${response:userId}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.keystoreref" value="Store_IDP_AGOV"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="in.binding" value="auto"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="in.max_age" value="60"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<property name="out.audienceRestriction" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
</AuthState>
<AuthState name="Auth_Realm_Main_IDP_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Gui name="saml_logout" label="title.logout">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
</Gui>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Main_IDP_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Gui name="empty"/>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Main_IDP_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://27cefc3861bce987f6766342 -->
<!-- source: pattern://b8139a4b73abce1ce1a22170 -->
<Gui name="empty"/>
</Response>
</AuthState>

1
DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
View File

@ -168,6 +168,7 @@ def i2r = [:]
// issuer to ResultCond name
def i2e = [:]
i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
i2e.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'forbidden_1')
if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {

1
DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
View File

@ -109,6 +109,7 @@ def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
i2s.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'state1')
if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
LOG.debug("found SAMLRequest parameter for SP-initiated authentication")