From d898d77a966c41f203d2cc9f979ebe1ba46b3f09 Mon Sep 17 00:00:00 2001
From: aca <aca>
Date: Tue, 4 Mar 2025 10:47:46 +0000
Subject: [PATCH] new configuration version

---
 ...8s-nevisauth-7022472ae407577ae604bbb8.yaml |   2 +-
 .../opt/nevisauth/default/conf/esauth4.xml    | 144 +++++++++++++++++-
 .../conf/saml_idp_agov_authorization.groovy   |   1 +
 .../conf/saml_idp_agov_dispatcher.groovy      |   1 +
 4 files changed, 139 insertions(+), 9 deletions(-)

diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index 4e8aa3f..6e9827c 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-b0ee5bf8f21b6deb852634ece4565dee10c29032"
+    tag: "r-20ae46349f67d35e89254106268a3ee7b00877de"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index d2bacfd..23cd04a 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -105,6 +105,8 @@
             <KeyObject name="Signer_IDP_AGOV" certificate="/var/opt/keys/own/idp-pem-signer/cert.pem" privateKey="/var/opt/keys/own/idp-pem-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/idp-pem-signer/keypass"/>
             <!-- source: pattern://27cefc3861bce987f6766342 -->
             <KeyObject name="https://trustbroker.agov-d.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
         </KeyStore>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <KeyStore name="Auth_Realm_Mobile_FIDO_UAFKeyStore">
@@ -1239,6 +1241,8 @@
             <!-- source: pattern://c642107fde6b2e07f16bfedb -->
             <ResultCond name="forbidden_0" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
             <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+            <ResultCond name="forbidden_1" next="Auth_Realm_Main_IDP_IDP_AGOV_Authorization"/>
+            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
             <ResultCond name="stepup" next="Auth_Realm_Main_IDP_Selector"/>
             <!-- source: pattern://c642107fde6b2e07f16bfedb -->
             <Response value="AUTH_ERROR">
@@ -1310,6 +1314,8 @@
             <!-- source: pattern://c642107fde6b2e07f16bfedb -->
             <ResultCond name="state0" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_Connector"/>
             <!-- source: pattern://c642107fde6b2e07f16bfedb -->
+            <ResultCond name="state1" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
+            <!-- source: pattern://c642107fde6b2e07f16bfedb -->
             <Response value="AUTH_CONTINUE">
                 <!-- source: pattern://c642107fde6b2e07f16bfedb -->
                 <Gui name="saml_dispatcher" label="title.saml.failed">
@@ -1455,29 +1461,151 @@
             <!-- source: pattern://27cefc3861bce987f6766342 -->
             <property name="out.audienceRestriction" value="https://trustbroker.agov-d.azure.adnovum.net"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Logout_Done"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Logout_Fail"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Concurrent_Logout"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_IDP_AGOV_IDP_SP_EPD_Connector"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Prepare_Done"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Selector"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="session.participants-store.key" value="IDP_AGOV-session-participants"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="logoutMode" value="ConcurrentLogout-Redirect"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.sign" value="Response Assertion"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.signatureKeyInfo" value="Certificate"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.ttl" value="30"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.subject" value="${response:userId}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2/"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="spURL" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="spIssuer" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="acsUrlWhitelist.uris" value="https://trustbroker-idp.agov-w.azure.adnovum.net/adfs/ls"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="in.binding" value="auto"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="in.max_age" value="60"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance" value="${sess:ch.nevis.idm.User.language}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/verificationMethod" value="#{ ''.concat(sess.get('idVerification')).replace('SelfPaid', '') }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="#{ sess.containsKey('ch.nevis.idm.User.prop.nationality') ? sess['ch.nevis.idm.User.prop.nationality'].toUpperCase(): '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:authenticatedWith}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/emailVerified" value="true"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/street" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.street'] : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/houseNumber" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.houseNumber'] : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/zipCode" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.postalCode'] : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2023/08/identity/claims/address/town" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.city'] : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
+            <property name="out.audienceRestriction" value="https://trustbroker-idp.agov-w.azure.adnovum.net"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Concurrent_Logout" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="false" resumeState="false">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
             <Response value="AUTH_CONTINUE">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
+                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
                 <Gui name="saml_logout" label="title.logout">
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
+                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
                     <GuiElem name="saml.logoutURLs" type="hidden" value="${outargs:saml.logoutURLs}" optional="true"/>
-                    <!-- source: pattern://27cefc3861bce987f6766342 -->
+                    <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
                     <GuiElem name="saml.logoutURL" type="hidden" value="#{ session.containsKey('saml.logoutURL') ? session.get('saml.logoutURL') : '/' }" optional="true"/>
                 </Gui>
             </Response>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Logout_Done" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
             <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
+                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
                 <Gui name="empty"/>
             </Response>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Logout_Fail" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
-            <!-- source: pattern://27cefc3861bce987f6766342 -->
+            <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
             <Response value="AUTH_ERROR">
-                <!-- source: pattern://27cefc3861bce987f6766342 -->
+                <!-- source: pattern://b8139a4b73abce1ce1a22170 -->
                 <Gui name="empty"/>
             </Response>
         </AuthState>
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
index 8c2bc9d..7c3a5d9 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_authorization.groovy
@@ -168,6 +168,7 @@ def i2r = [:]
 // issuer to ResultCond name
 def i2e = [:]
 i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'forbidden_1')
 
 
 if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
index c79c6bc..115cd87 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/saml_idp_agov_dispatcher.groovy
@@ -109,6 +109,7 @@ def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
 
 
 i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
+i2s.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'state1')
 
 if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
     LOG.debug("found SAMLRequest parameter for SP-initiated authentication")