new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-2942bf9fcda0947d8f79b347d28c4097cbbf8c68"
+    tag: "r-53c09bd6632aebeda2b892197a01a8f7f185561d"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   database:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -950,50 +950,18 @@
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
             <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post"/>
             <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <ResultCond name="useArtifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
             <!-- source: pattern://bb9e7806a04578e0ad468829 -->
             <Response value="AUTH_ERROR">
                 <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-                <Gui name="saml_idp" label="title.saml.failed">
+                <Gui name="AuthErrorDialog"/>
-                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
-                </Gui>
             </Response>
-            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
             <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.binding" value="http-post"/>
+            <property name="condition:useArtifact" value="${sess:agov.idp.use.artifact:^true$}"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.post.relayStateEncoding" value="HTML"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt" value="Assertion"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
-            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
-            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
         </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://826166d230a6a4849f2837ae -->
@@ -1250,6 +1218,100 @@
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -23,13 +23,25 @@ def redirect(String url) {
     outargs.put('nevis.transfer.destination', url)
 }
 
-/**
+String getNormalisedSamlMessage(String parameter) {
- * Extracts the content of the Issuer element from a parsed SAML message.
+    if (parameter == null) {
- * The Issuer is optional according to SAML specification but we need it for dispatching.
+        return
- *
+    }
- * @param xml - as parsed by Groovy XmlSlurper
+    String text
- * @return text content of Issuer element converted or null
+    byte[] decoded
- */
+
+    // if parameter is raw xml then continue otherwise try to parse the base64 encoding
+    if (parameter.startsWith("<")) {
+        text = new String(parameter)
+    }
+    else {
+        decoded = parameter.decodeBase64()
+        text = new String(decoded)
+    }
+    return text
+}
+
+
 String getNodeText(GPathResult xml, String nodeName) {
     return xml.depthFirst().find { GPathResult node -> {
         node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
@@ -37,45 +49,46 @@ String getNodeText(GPathResult xml, String nodeName) {
     }?.text()?.trim()
 }
 
-String getNodeText(String samlMessage, String nodeName) {
+String getAttribute(GPathResult xml, String attributeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.attributes().containsKey(attributeName)
+      }
+    }?.attributes()?.get(attributeName)
+}
+
+String getNodeText(String parameter, String nodeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
     if (samlMessage == null) {
         return
     }
-    String text
-    byte[] decoded
     def parser = new XmlSlurper()
-    // if samlMessage is raw xml then continue otherwise try to parse the base64 encoding
+    def xml = parser.parseText(samlMessage)
-    if (samlMessage.startsWith("<")) {
+    return getNodeText(xml, nodeName)
-        text = new String(samlMessage)
+}
-    }
-    else {
-        decoded = samlMessage.decodeBase64()
-        text = new String(decoded)
-    }
 
-    // after decoded, if redirect binding, we need to parse string to xml
+String getAttribute(String parameter, String attributeName) {
-    if (text.startsWith("<")) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
-        // plain String (POST/SOAP parameter)
+    if (samlMessage == null) {
-        def xml = parser.parseText(text)
+        return
-        return getNodeText(xml, nodeName)
-    }
-    else {
-        // should be deflate encoded (query parameter)
-        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
-        def xml = parser.parse(is)
-        return getNodeText(xml, nodeName)
     }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getAttribute(xml, attributeName)
 }
 
 String getIssuer(String value) {
   return getNodeText(value, 'Issuer')
 }
 
-String getRequesterID(String value) {
+String getAttributeConsumingServiceIndex(String value) {
-  return getNodeText(value, 'RequesterID')
+  return getAttribute(value, 'AttributeConsumingServiceIndex')
 }
 
-def dispatchIssuer(i2s, String issuer, String requester) {
+String getProtocolBinding(String value) {
+  return getAttribute(value, 'ProtocolBinding')
+}
+
+def dispatchIssuer(i2s, String issuer, boolean secureMode) {
     def result = i2s.get(issuer)
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
@@ -85,30 +98,33 @@ def dispatchIssuer(i2s, String issuer, String requester) {
     if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
         LOG.debug("EPD: Artifact mode")
         result = result + "_artifact"
-    } else if (result == 'main') {
+    } else if (result == 'main' && secureMode) {
-        if ('https://op.agov-w.azure.adnovum.net/SAML2/ACS/' == requester) {
+        LOG.debug("AGOV: Secure mode requested")
         result =  result + "_secure"
     } 
-    } 
     response.setResult(result)
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
     
 }
 
 def dispatchIssuer(i2s, String issuer) {
-  dispatchIssuer(i2s, issuer, 'unknown')
+  dispatchIssuer(i2s, issuer, false)
 }
 
 def dispatchMessage(i2s, String message) {
     def issuer = getIssuer(message)
-    def requester = getRequesterID(message)
+    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
+    def useArtifact = ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' == getProtocolBinding(message))
+
+    LOG.info("secureMode requested: ${secureMode}")
 
     if (issuer == null) {
         LOG.info("No issuer found in incoming SAML message. Giving up.")
     }
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
-    dispatchIssuer(i2s, issuer, requester)
+    session.put('agov.idp.use.artifact', '' + useArtifact)
+    dispatchIssuer(i2s, issuer, secureMode)
 }
 
 if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {