new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml

@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-9849dba282e5e9421988bf7092f242ff73d83ce5"
+    tag: "r-d6878093aefa2bfb8cc241b61fff5fe94bc95282"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml

@@ -20,6 +20,8 @@ Configuration:
       level: "DEBUG"
     - name: "AgovCaptcha"
       level: "DEBUG"
+    - name: "ArtifactResolutionService"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -27,9 +29,11 @@ Configuration:
     - name: "IdmAuth"
       level: "DEBUG"
     - name: "OpTrace"
-      level: "DEBUG"
+      level: "INFO"
     - name: "Recovery"
       level: "DEBUG"
+    - name: "Saml"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-9849dba282e5e9421988bf7092f242ff73d83ce5"
+    tag: "r-53c09bd6632aebeda2b892197a01a8f7f185561d"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   database:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb-enc/keypass

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/trust/idp-pem-atb-enc/truststore.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdzCCA1+gAwIBAgIUdL2pr5w+jKA9HF9llVbMRTK4MO8wDQYJKoZIhvcNAQEL
+BQAwSzELMAkGA1UEBhMCQ0gxDTALBgNVBAcMBEJlcm4xEjAQBgNVBAoMCUFHT1Yg
+V29yazEZMBcGA1UEAwwQYXRiLXdvcmstaWRwLWtleTAeFw0yNTA5MDMwNjQ2Mjha
+Fw0zNTA5MDEwNjQ2MjhaMEsxCzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRIw
+EAYDVQQKDAlBR09WIFdvcmsxGTAXBgNVBAMMEGF0Yi13b3JrLWlkcC1rZXkwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2s6fPlpWv/1zEnail7TCUphEQ
+A/dr/uY+qQqA/okB+Okd5hGDow7zBe/zICn7PJlGXzkq87o4Q3ZFvOFLqvlhwprp
+OQquIviN6VBss2F3c174Zkk7ksciLQzPYjGBgw+l/ZeZY/AOYBeConsrHobTbjPd
+StI8FZr8zVnamMWd/nBnryA5mZy9+vKz3iPJXPXZmyhBnOJfPZjMmkLvY9wEfGfc
+rGrbqh6f7grleVNU16Rt46TtJRIqWEAdqi1I81d3kEWuqHkYCZf1ZJpDtprJPVko
+fWViFzMz7zuAK5kdaGVwu0R7zeKz6FCHWWQ5bqScQbZ53zX6D3sP6ZNnZXdo6n0L
+i+x17sgZa6VJtWF6s/UUxl8jPteprfRHrgIT3yKK9ewpXEhcc4aNJyCTiXpicOOn
+QUBkkxyT7MtG1j51GPFcoFsBn4X9A1BXUmz2+YrDfFKtj0LwKZe6naI5v+FGtqeQ
+/GeRpaFISwg/L5ewHe3NTH//8ZyWQsbJ2FEIff3LM+0+ivrORJs45GW12ny6MDY1
+Q8PTEsPL/9nhY1Mf99qpB9ivouVF/vGDWont16PhaZ2N31Osbbok3Emfbk0MVfvh
+MuY0PPX/eWfn+5WlxBegS9PXbrcNW7MV0vsow8Js9+B29nao/VeFOQDfrU9p//xu
+nDkeh9z5vqRP7clgMQIDAQABo1MwUTAdBgNVHQ4EFgQUqqmWA9MTwbzRFOfxZbu8
+nIyk4dEwHwYDVR0jBBgwFoAUqqmWA9MTwbzRFOfxZbu8nIyk4dEwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAnh1nayZy7CjTDvXjht0jNEyCPahL
+/gzcfx173FWnDbG3DMqjKB0u7bbpWIdStvTHpvs4NOg7H1/3Xc3cu3vtw6PF3Tkt
+ZGJrMgZ5H9BUPW7BeNPqylh0Xj9vWUhxOdRfthzHcuSg2H6k5GBe+ROVIWLcc5g2
+vIuEEnpL9H5mlt4MofodPJjDrOvbJ5eDOGnNlcSKgPy8ZxrvyesmjFquu9/941p5
+wOpGhfVRH6U9GBIy1wWjjO4y2oRtgdgV0Dm57VNaxNi4R0cRW+eg7H7jED2gWVdS
+Zftkrq44/lXFnWZDXWq8JJs0QPPD30i8fbGvZjRbrVQus5wW+dlirSkljQD8WpiY
+N7PS2y+Io9WDetabxDSkHQGduldlHqnjvvR7TtLBT73fbmrra7nLrxbwAyQs/lp9
+r2904tzgBfhHb5GCrYE1s3h339eb/HXZlPqG1EcYimsAIyyBQ7WyHOgXq5RqwgbW
+9O8aQUWPQrdtWrv8BkYSjjgDSxj9Pu7yBFnSdyI879uvBZDYovm/MmgcguAaJ8UC
+PUcchbvgdLJHnbBA5aFm/Fkhb2WKi3Q0vExUHM3sXazJAAjIplbunHkqf8Wc7lva
+94y3AXN9dg5LEjcwkjQbyGmmuSFq0Hse0b1KE+4INYUigECUcXuKYWrP0RuPzCKU
+4g4p3ZpFGmoq4lM=
+-----END CERTIFICATE-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -134,6 +134,11 @@
             <!-- source: pattern://8dbec5bb024707d73fca93ef -->
             <KeyObject name="https://trustbroker-idp.agov-w.azure.adnovum.net" certificate="/var/opt/keys/trust/idp-pem-atb/truststore.jks"/>
         </KeyStore>
+        <!-- source: pattern://b09a3092a59797b317c06ae4 -->
+        <KeyStore name="EncryptionKeys">
+            <!-- source: pattern://b09a3092a59797b317c06ae4 -->
+            <KeyObject name="DefaultEncryptionKey" certificate="/var/opt/keys/trust/idp-pem-atb-enc/truststore.jks"/>
+        </KeyStore>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <KeyStore name="Auth_Realm_Mobile_FIDO_UAFKeyStore">
             <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
@@ -426,6 +431,8 @@
             <!-- source: pattern://73efd00d67082ff1eb927922 -->
             <ResultCond name="main" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
             <!-- source: pattern://73efd00d67082ff1eb927922 -->
+            <ResultCond name="main_secure" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://73efd00d67082ff1eb927922 -->
             <Response value="AUTH_CONTINUE">
                 <!-- source: pattern://73efd00d67082ff1eb927922 -->
                 <Gui name="saml_dispatcher" label="title.saml.failed">
@@ -853,6 +860,10 @@
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="logoutTrigger" value="#{request['currentResource'].contains('logout') || inargs.containsKey('logout') || inargs.containsKey('SAMLLogout')}"/>
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.verify" value="Assertion, AuthnRequest, ArtifactResolve, ArtifactResponse"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
+            <property name="in.prospectVerification" value="ArtifactResolve"/>
+            <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.binding" value="http-post"/>
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.post.relayStateEncoding" value="HTML"/>
@@ -939,6 +950,19 @@
             <!-- source: pattern://92cb6d5256008a32f12ceb93 -->
             <property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="useArtifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="AuthErrorDialog"/>
+            </Response>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="condition:useArtifact" value="${sess:agov.idp.use.artifact:^true$}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://826166d230a6a4849f2837ae -->
             <Response value="AUTH_CONTINUE">
@@ -1194,6 +1218,100 @@
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-post"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                <Gui name="saml_idp" label="title.saml.failed">
+                    <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+                    <GuiElem name="lasterror" type="error" label="error.saml.failed"/>
+                </Gui>
+            </Response>
+            <propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.binding" value="http-artifact"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.post.relayStateEncoding" value="HTML"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt" value="none"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
+            <!-- source: pattern://bb9e7806a04578e0ad468829 -->
+            <property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
             <!-- source: pattern://7fb39bfd6c34685866a22180 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
@@ -3452,6 +3570,21 @@
         <!-- source: pattern://ab5a82719993921822e95751 -->
         <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
     </WebService>
+    <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+    <WebService name="IDP_AGOV_SEC_ARS" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/ars/sec" SSODomain="Auth_Realm_Main_IDP">
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="out.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.keystoreref" value="Store_IDP_AGOV"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.verify" value="ArtifactResolve"/>
+        <!-- source: pattern://14efdcb489f3f295fcbdf811 -->
+        <property name="in.prospectVerification" value=""/>
+    </WebService>
     <!-- source: pattern://7022472ae407577ae604bbb8 -->
     <RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService"/>
 </esauth-server>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -23,54 +23,72 @@ def redirect(String url) {
     outargs.put('nevis.transfer.destination', url)
 }
 
-/**
+String getNormalisedSamlMessage(String parameter) {
- * Extracts the content of the Issuer element from a parsed SAML message.
+    if (parameter == null) {
- * The Issuer is optional according to SAML specification but we need it for dispatching.
- *
- * @param xml - as parsed by Groovy XmlSlurper
- * @return text content of Issuer element converted or null
- */
-String getIssuer(GPathResult xml) {
-    return xml.depthFirst().find { GPathResult node -> {
-        node.name().endsWith(":Issuer") || node.name().equalsIgnoreCase("Issuer")
-      }
-    }?.text()
-}
-
-String getIssuer(String value) {
-    if (value == null) {
         return
     }
     String text
     byte[] decoded
-    def parser = new XmlSlurper()
-    // if value is raw xml then continue otherwise try to parse the base64 encoding
-    if (value.startsWith("<")) {
-        text = new String(value)
-    }
-    else {
-        decoded = value.decodeBase64()
-        text = new String(decoded)
-        LOG.info("received SAML request $value")
-    }
 
-    // after decoded, if redirect binding, we need to parse string to xml
+    // if parameter is raw xml then continue otherwise try to parse the base64 encoding
-    if (text.startsWith("<")) {
+    if (parameter.startsWith("<")) {
-        LOG.debug("assuming POST/SOAP binding")
+        text = new String(parameter)
-        // plain String (POST/SOAP parameter)
-        def xml = parser.parseText(text)
-        return getIssuer(xml)
     }
     else {
-        LOG.debug("assuming redirect binding")
+        decoded = parameter.decodeBase64()
-        // should be deflate encoded (query parameter)
+        text = new String(decoded)
-        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
-        def xml = parser.parse(is)
-        return getIssuer(xml)
     }
+    return text
 }
 
-def dispatchIssuer(i2s, String issuer) {
+
+String getNodeText(GPathResult xml, String nodeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
+      }
+    }?.text()?.trim()
+}
+
+String getAttribute(GPathResult xml, String attributeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.attributes().containsKey(attributeName)
+      }
+    }?.attributes()?.get(attributeName)
+}
+
+String getNodeText(String parameter, String nodeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
+    if (samlMessage == null) {
+        return
+    }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getNodeText(xml, nodeName)
+}
+
+String getAttribute(String parameter, String attributeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
+    if (samlMessage == null) {
+        return
+    }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getAttribute(xml, attributeName)
+}
+
+String getIssuer(String value) {
+  return getNodeText(value, 'Issuer')
+}
+
+String getAttributeConsumingServiceIndex(String value) {
+  return getAttribute(value, 'AttributeConsumingServiceIndex')
+}
+
+String getProtocolBinding(String value) {
+  return getAttribute(value, 'ProtocolBinding')
+}
+
+def dispatchIssuer(i2s, String issuer, boolean secureMode) {
     def result = i2s.get(issuer)
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
@@ -80,22 +98,33 @@ def dispatchIssuer(i2s, String issuer) {
     if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
         LOG.debug("EPD: Artifact mode")
         result = result + "_artifact"
-    }else{
+    } else if (result == 'main' && secureMode) {
-        LOG.debug("EPD: POST mode")
+        LOG.debug("AGOV: Secure mode requested")
+        result =  result + "_secure"
     } 
     response.setResult(result)
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
     
 }
 
+def dispatchIssuer(i2s, String issuer) {
+  dispatchIssuer(i2s, issuer, false)
+}
+
 def dispatchMessage(i2s, String message) {
     def issuer = getIssuer(message)
+    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
+    def useArtifact = ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' == getProtocolBinding(message))
+
+    LOG.info("secureMode requested: ${secureMode}")
+
     if (issuer == null) {
         LOG.info("No issuer found in incoming SAML message. Giving up.")
     }
-    session.put("saml.inbound.issuer", issuer)
+    session.put('saml.inbound.issuer', issuer)
-    dispatchIssuer(i2s, issuer)
+    session.put('agov.idp.use.artifact', '' + useArtifact)
+    dispatchIssuer(i2s, issuer, secureMode)
 }
 
 if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml

@@ -20,6 +20,8 @@ Configuration:
       level: "DEBUG"
     - name: "AgovCaptcha"
       level: "DEBUG"
+    - name: "ArtifactResolutionService"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -27,9 +29,11 @@ Configuration:
     - name: "IdmAuth"
       level: "DEBUG"
     - name: "OpTrace"
-      level: "DEBUG"
+      level: "INFO"
     - name: "Recovery"
       level: "DEBUG"
+    - name: "Saml"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-idp-nevisproxy-remote-hybrid-session-store-699f0a21dd0e852f28d27e9d.yaml

@@ -0,0 +1,26 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "proxy-idp"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "proxy-idp"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "699f0a21dd0e852f28d27e9d"
+spec:
+  type: "NevisProxy"
+  databaseType: "MariaDB"
+  version: "8.2505.5"
+  url: "mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat"
+  port: 3306
+  database: "workproxy"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-mariadb-session-store"
+    namespace: "adn-agov-nevisidm-ob-01-uat"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml

@@ -47,9 +47,12 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5e17b7ae74eadb8800587a4f4db74406a7e21e95"
+    tag: "r-0574c5a2098562d6585435194234bdb2b0cf0858"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
     credentials: "git-credentials"
+  database:
+    name: "proxy-idp"
+    requiredVersion: "8.2505.5"
   keystores:
   - "proxy-idp-notused-auth-realm-identity"
   - "proxy-idp-1f0702aaabef60a615abf41f"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/conf/log.properties

@@ -3,15 +3,15 @@ BC.Tracer.LogFile=pipe:///bin/sed -u -e "s/^/[navajo.log] /g" | /bin/egrep --lin
 # source: pattern://2be125abf4a8be1a0ae5f007
 BC.Tracer.ThresholdBase=3
 # source: pattern://2be125abf4a8be1a0ae5f007
-BC.Tracer.DebugProfile.IW4LuaFlt=4
+BC.Tracer.DebugProfile.IW4LuaFlt=3
 # source: pattern://2be125abf4a8be1a0ae5f007
 BC.Tracer.DebugProfile.IsiwebOp=3
 # source: pattern://2be125abf4a8be1a0ae5f007
 BC.Tracer.DebugProfile.NPMySQLSes=3
 # source: pattern://2be125abf4a8be1a0ae5f007
-BC.Tracer.DebugProfile.NProxyOp=4
+BC.Tracer.DebugProfile.NProxyOp=3
 # source: pattern://2be125abf4a8be1a0ae5f007
-BC.Tracer.DebugProfile.NavajoOp=3
+BC.Tracer.DebugProfile.NavajoOp=4
 # source: pattern://0ceb05c56644a59d648c13b9
 ch.nevis.nevisproxy.LocalLogFileName=/var/opt/nevisproxy/default/conf/conditionallog.properties
 # source: pattern://0ceb05c56644a59d648c13b9

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml

@@ -1,6 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "/opt/nevisproxy/dtd/web-app_2_3.dtd">
 <web-app>
+    <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+    <context-param>
+        <param-name>application-id</param-name>
+        <param-value>auth.agov-w.azure.adnovum.net</param-value>
+    </context-param>
     <!-- source: pattern://06aeae2d799e492f5580d03b, pattern://4fcfadb4a5c946ead7e6e995, pattern://204c22beaccdfd22727af378 -->
     <context-param>
         <param-name>SectokenVerifierCert</param-name>
@@ -859,7 +864,7 @@
         <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
         <init-param>
             <param-name>Servlet</param-name>
-            <param-value>LocalSessionStoreServlet</param-value>
+            <param-value>MySQLSessionStoreServlet</param-value>
         </init-param>
         <!-- source: pattern://4fcfadb4a5c946ead7e6e995 -->
         <init-param>
@@ -904,7 +909,7 @@
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <init-param>
             <param-name>Servlet</param-name>
-            <param-value>LocalSessionStoreServlet</param-value>
+            <param-value>MySQLSessionStoreServlet</param-value>
         </init-param>
         <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
         <init-param>
@@ -949,7 +954,7 @@
         <!-- source: pattern://204c22beaccdfd22727af378 -->
         <init-param>
             <param-name>Servlet</param-name>
-            <param-value>LocalSessionStoreServlet</param-value>
+            <param-value>MySQLSessionStoreServlet</param-value>
         </init-param>
         <!-- source: pattern://204c22beaccdfd22727af378 -->
         <init-param>
@@ -994,7 +999,7 @@
         <!-- source: pattern://e0fda9336be9c69dafc9b69e -->
         <init-param>
             <param-name>Servlet</param-name>
-            <param-value>LocalSessionStoreServlet</param-value>
+            <param-value>MySQLSessionStoreServlet</param-value>
         </init-param>
         <!-- source: pattern://06aeae2d799e492f5580d03b -->
         <init-param>
@@ -1049,7 +1054,7 @@
     <filter-mapping>
         <filter-name>DefaultErrorFilter</filter-name>
         <url-pattern>/*</url-pattern>
-        <exclude-url-regex>^/oidc4vp/.*$|^/resource/utility/.*$</exclude-url-regex>
+        <exclude-url-regex>^/auth/fidouaf$|^/auth/fidouaf/authenticationresponse/.*$|^/nevisfido/devices/credentials/.*$|^/nevisfido/devices/oobOperations/.*$|^/nevisfido/status$|^/nevisfido/token/dispatch/registration$|^/nevisfido/token/dispatch/targets/.*$|^/nevisfido/token/redeem/authentication$|^/nevisfido/token/redeem/registration$|^/nevisfido/uaf/1.1/authentication$|^/nevisfido/uaf/1.1/authentication/.*$|^/nevisfido/uaf/1.1/facets$|^/nevisfido/uaf/1.1/registration/.*$|^/nevisfido/uaf/1.1/request/deregistration/.*$|^/oidc4vp/.*$|^/resource/utility/.*$</exclude-url-regex>
     </filter-mapping>
     <!-- source: pattern://ecf4381f4653b0aa9a69b417, pattern://ecf4381f4653b0aa9a69b417#filters -->
     <filter-mapping>
@@ -1636,27 +1641,6 @@
         <!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
         <servlet-class>ch::nevis::isiweb4::servlet::defaults::DefaultServlet</servlet-class>
     </servlet>
-    <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
-    <servlet>
-        <servlet-name>LocalSessionStoreServlet</servlet-name>
-        <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
-        <servlet-class>ch::nevis::nevisproxy::servlet::cache::local::LocalSessionStoreServlet</servlet-class>
-        <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
-        <init-param>
-            <param-name>MaxInactiveInterval</param-name>
-            <param-value>600</param-value>
-        </init-param>
-        <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
-        <init-param>
-            <param-name>MaxLifetime</param-name>
-            <param-value>28800</param-value>
-        </init-param>
-        <!-- source: pattern://cb8c63274fe346280de0ffd5 -->
-        <init-param>
-            <param-name>MemorySize</param-name>
-            <param-value>512000000</param-value>
-        </init-param>
-    </servlet>
     <!-- source: pattern://097929211988398a87bcbb0c -->
     <servlet>
         <servlet-name>LoginRenderer_nevisLogrend</servlet-name>
@@ -1673,6 +1657,72 @@
             <param-value>remote:NevisLogrendConnector_nevisLogrend:/nevislogrend/index.vm?logrendresourcepath=/nevislogrend</param-value>
         </init-param>
     </servlet>
+    <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+    <servlet>
+        <servlet-name>MySQLSessionStoreServlet</servlet-name>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <servlet-class>ch::nevis::nevisproxy::servlet::cache::mysql::MySQLSessionStoreServlet</servlet-class>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>AttributesTableName</param-name>
+            <param-value>attribute</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>ConfigurationsTableName</param-name>
+            <param-value>conf</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>ConnectString</param-name>
+            <param-value>//mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/workproxy?connect_timeout=10&amp;ping_timeout=2</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>DisableDatabaseSchemaCheck</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>KeyToIdMapTableName</param-name>
+            <param-value>key_id_map</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>MaxConn</param-name>
+            <param-value>150</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>MaxLimitOnDelete</param-name>
+            <param-value>100</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>MinConn</param-name>
+            <param-value>10</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>Password</param-name>
+            <param-value>${exec:/var/opt/nevisproxy/default/conf/credentials/dbPassword}</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>SessionsTableName</param-name>
+            <param-value>session</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>TimeOut</param-name>
+            <param-value>600</param-value>
+        </init-param>
+        <!-- source: pattern://699f0a21dd0e852f28d27e9d -->
+        <init-param>
+            <param-name>UserName</param-name>
+            <param-value>${exec:/var/opt/nevisproxy/default/conf/credentials/dbUser}</param-value>
+        </init-param>
+    </servlet>
     <!-- source: pattern://097929211988398a87bcbb0c -->
     <servlet>
         <servlet-name>NevisLogrendConnector_nevisLogrend</servlet-name>