Before Migration

This commit is contained in:
haburger 2025-08-20 07:04:08 +00:00
parent 73f054c7f0
commit 4b630d3dbc
33 changed files with 563 additions and 82 deletions


@ -60,9 +60,15 @@
<property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
<property name="out.audienceRestriction" value="${var.idp_agov_epd-audience}"/>
<!-- SAML Attributes -->
<!-- Epd standart Attributes -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
<!-- extra Attributes -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
</AuthState>
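Review bot: The conversationId at the end of the hunk is taken from the caller-supplied `traceparent` header, and the regex only requires some hex on each side of the dashes, so a forged or truncated header such as `0-a-b-0` passes and a client-chosen value ends up in the signed assertion. If the intent is W3C Trace Context, pin the field widths: `^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$:$2`, and confirm that the fronting proxy overwrites rather than forwards an incoming traceparent, otherwise cross-system correlation can be spoofed. The same expression is repeated in the other IdP states of this commit, so a shared variable would keep them in step. The comment `Epd standart Attributes` should read `EPD standard Attributes`.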


@ -140,7 +140,7 @@ try {
s.setAttribute('ch.nevis.idm.User.gender', '2')
}
if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
session.setAttribute('ch.nevis.idm.User.gender', '3')
s.setAttribute('ch.nevis.idm.User.gender', '3')
}
@ -223,7 +223,7 @@ try {
if (recoveryRoleList.contains('mustRecover')) {
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown' )
def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
@ -247,8 +247,8 @@ try {
} else {
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
}
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
s.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
s.setAttribute('agov.recovery.authenticatedWith', session.get('authenticatedWith') ?: 'unknown')
s.setAttribute('agov.recovery.currentAgovAq', session.get('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
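Review bot: `idVerification.isEmpty()` on the last line of the hunk dereferences the result of `getUserAGOVLoiIdVerification` without a null guard, although the same call is guarded with `?: 'None'` in the `mustRecover` branch a few lines earlier, so a null return here throws inside the try instead of yielding 'None'. Guarding the list form keeps the later `.first()` safe as well: `def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: []`. The new lines also mix `s.setAttribute` with `session.get`; if `s` and `session` are the same object, reading through `s.get` too would make that obvious. The enclosing try block starts and ends outside this hunk.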


@ -0,0 +1,16 @@
<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<ResultCond name="link" next="${state.exit.1}"/>
<ResultCond name="register" next="${state.exit.2}"/>
<ResultCond name="cancel" next="${state.failed}"/>
<Response value="AUTH_CONTINUE">
<Gui name="eid_linking_account">
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
<GuiElem name="app_name" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
<GuiElem name="firstname" type="hidden" value="${sess:agov.eid.User.firstName}" optional="true"/>
<GuiElem name="lastname" type="hidden" value="${sess:agov.eid.User.lastName}" optional="true"/>
</Gui>
</Response>
<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_start_account_linking.groovy"/>
</AuthState>
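Review bot: The `app_name` hidden element is bound only to `agov.appDisplayNameEN`, while the commit elsewhere keeps DE/FR/IT/RM variants of the display name in the session, so a German or French user of this dialog presumably sees the English application name. If the GUI is localized, pass the variant matching the session language or all variants and let the template choose; otherwise a one-line comment such as `<!-- EN only: the linking dialog is not localized yet -->` documents the choice. `firstname`/`lastname` are `optional="true"`, which is fine for display, but the script behind this state must not rely on them being present.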


@ -0,0 +1,27 @@
import ch.nevis.esauth.auth.engine.AuthResponse
def sess = request.getAuthSession(true)
if(inargs['cancelEid']){
LOG.debug("Account registration canceled: Send response with error")
response.setResult('cancel')
return
}
if(inargs['continue'] == 'link_account'){
LOG.debug("AGOV account linking")
//sess.setAttribute("eid.placeholder.text", "EId: Implicit account linking not implemented yet")
response.setResult('link')
return
}
if(inargs['continue'] == 'register_account'){
LOG.debug("AGOV account registration was selected")
sess.setAttribute("eid.placeholder.text", "EId: Account registration with implicit linking not implemented yet")
response.setResult('register')
return
}
LOG.debug("Show GUI")
response.setStatus(AuthResponse.AUTH_CONTINUE)
return
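Review bot: The `link_account` branch returns `link` without recording anything in the session, and the commented-out line above it (`//sess.setAttribute("eid.placeholder.text", ...)`) is dead code that suggests the branch is still a placeholder; either delete that line or replace it with `// TODO: implicit account linking not implemented yet` so the state of the feature is visible. `sess` is fetched at the top of the script but used only in the `register_account` branch, so the lookup can move there. None of the three `inargs` checks binds the submitted form to the `authRequestId` hidden field the GUI emits; if the framework validates that itself, a comment saying so would help the next reader.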


@ -0,0 +1,61 @@
<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="false">
<ResultCond name="ok" next="${state.entry}_Handle_Redirect"/>
<!-- Change to AUTH_CONTINUE when we redirect back from agov me -->
<Response value="AUTH_ERROR">
<Gui name="internal_error">
<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
</Gui>
</Response>
<property name="in.binding" value="none"/>
<property name="out.binding" value="internal"/>
<property name="out.sign" value="Response Assertion"/>
<property name="out.signatureKeyInfo" value="Certificate"/>
<!-- assertion validity time -->
<property name="out.ttl" value="${param.assertionValidityTime}"/>
<!-- subject confirmation: Bearer -->
<property name="out.extension.Bearer" value="ch.nevis.esauth.auth.states.saml.extensions.SubjectConfirmationExtender"/>
<property name="Bearer.ttl" value="${param.assertionValidityTime}"/>
<property name="out.keystoreref" value="Store_IDP_AGOV"/>
<property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
<property name="spURL" value="${param.agovmedirecturl}"/>
<property name="acsUrlWhitelist.uris" value="not used"/>
<!-- attributes -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/authenticatedWith" value="${sess:agov.authenticatedWith}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/requestedRoleLevel" value="${sess:agov.requestedRoleLevel}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/09/identity/claim/rpEntityId" value="${sess:agov.rpEntityId}"/>
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:agov.eid.User.firstName}"/>
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:agov.eid.User.lastName}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="${sess:agov.eid.User.svnr}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="${sess:agov.eid.User.placeOfBirth}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin" value="${sess:agov.eid.User.placeOfOrigin}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:agov.eid.User.birthDate}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/nationality" value="${sess:agov.eid.User.nationality}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:agov.eid.User.eIdNumber}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:agov.eid.User.gender}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
<property name="out.authnContextClassRef" value="${sess:agov.authnContextClassRef}"/>
<property name="out.subject" value="${sess:ch.adnovum.nevisidm.user.extId}"/> <!-- extId of the account to be linked -->
<property name="out.subject.format" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
<property name="out.issuer" value="${param.issuer}"/>
<property name="out.attributeDelimiter" value=",\s*" />
<property name="out.audienceRestriction" value="${param.directAudience}"/>
</AuthState>
<AuthState name="${state.entry}_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<ResultCond name="ok" next="${state.done}"/>
<Response value="AUTH_CONTINUE">
<Gui name="not_used"/>
</Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="parameter.agovmedirecturl" value="${param.agovmedirecturl}"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_account_linking_redirect_to_agovme.groovy"/>
</AuthState>
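Review bot: The assertion built here carries svnr, eIdNumber, dateOfBirth, placeOfBirth and nationality, and the only protection configured is `out.sign` (no encryption property is visible in this state), while the companion script in this commit posts the base64 SAMLResponse through the user's browser to `${param.agovmedirecturl}`; confirm with the agov.me side that signed-but-unencrypted assertions over TLS are the accepted baseline and record the decision in a comment. `acsUrlWhitelist.uris` is set to the literal string `not used`; if the internal binding really ignores it, say so (`<!-- internal binding: ACS whitelist is not evaluated -->`) so it is not read as a misconfiguration. The comment `Change to AUTH_CONTINUE when we redirect back from agov me` on the AUTH_ERROR response is an open TODO and should say who decides and when.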


@ -0,0 +1,23 @@
if(outargs.containsKey('saml.SAMLResponse')) {
// Accounting
def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
def credentialType = session['agov.authenticatedWith'] ?: 'unknown'
def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
LOG.info("Event='GOTOEIDLINKING', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
// Redirect
response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())
response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
response.setIsRedirectTransfer(false)
response.removeOutArg('saml.SAMLResponse')
}
else {
response.setResult('ok')
}
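Review bot: On the resume pass the else branch returns `ok` whenever `saml.SAMLResponse` is absent from `outargs`, so any request that reaches this resumable state after the redirect, including one that never went to agov.me, completes the step. If agov.me is expected to return something (a status, a token, a signed response), check it here before `response.setResult('ok')`; if the step is deliberately fire-and-forget, say so in a comment. The accounting line interpolates `requester`, `userAgent` and the `X-Real-IP` header straight from request data into a key='value' record, so quotes or newlines in those values can forge fields for a log parser; strip or escape `'`, CR and LF, and make sure `X-Real-IP` is set by the proxy rather than forwarded from the client.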


@ -6,7 +6,7 @@ validLanguages["DE"]=true
validLanguages["FR"]=true
validLanguages["IT"]=true
validLanguages["EN"]=true
validLanguages["RS"]=true
validLanguages["RM"]=true
function inputHeader(req, resp)
local trace = req:getTracer()


@ -6,8 +6,6 @@ import ch.nevis.idm.client.HTTPRequestWrapper
import groovy.json.JsonSlurper
import groovy.json.JsonBuilder
def getHeader(String name) {
def inctx = request.getLoginContext()
// case-insensitive lookup of HTTP headers
@ -34,6 +32,7 @@ def clearEidSession(){
}
def getAccounts(json, String svnr) {
String svnrWithPrefix = "urn:ch-agov-eid:$svnr"
def idm_users_dto = json["Resources"]
def accounts = [:]
def frontend_dto = []
@ -50,8 +49,8 @@ def getAccounts(json, String svnr) {
def extId = user["externalId"]
//TODO/aca/2025/06/11: Can we have multiple email adresses? -> if yes search for primary
String email = user["emails"][0]["value"]
if(cred["type"] == "SAMLFEDERATION" && cred["issuerNameId"] == svnr){
// we found a second federation credential in one AGOV account -> Throw data error
if(cred["type"] == "SAMLFEDERATION" && ( cred["issuerNameId"] == svnr || cred["issuerNameId"] == svnrWithPrefix )){
// we found more than one federation credential in one AGOV account -> Throw data error
if(foundCredential){
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${extId}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Multiple EId linking credentials found in one AGOV account'")
return [null,null]
@ -140,7 +139,7 @@ LOG.debug("search for accounts with SVNR: $svnr")
// Pepare GET request
String attributes = "externalId,emails,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.subjectNameId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.extId,urn:nevis:idm:scim:schemas:v1:extension:User.credentials.credentialLoginInfo.lastLogin"
String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId=='$svnr'"
String filter = "urn:nevis:idm:scim:schemas:v1:extension:User.credentials.type=='SAMLFEDERATION'%20AND%20%28%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'$svnr'%20OR%20urn:nevis:idm:scim:schemas:v1:extension:User.credentials.issuerNameId%20==%20'urn:ch-agov-eid:$svnr'%29"
String requestUrl = "$endPoint?count=20&attributes=$attributes&filter=$filter"
@ -157,7 +156,7 @@ try {
def (accounts, frontend_dto) = getAccounts(json, svnr)
// unrecoverable DATA ERROR happend
if(!accounts){
if(accounts == null){
response.setResult('error')
return
}
@ -167,9 +166,7 @@ try {
LOG.debug("Linked accounts found: " + frontend_dto.toString())
if(numAccounts == 0){
//TODO/aca/2025-06-10: Implement next step
// Redirect to an error page or linking page when that's ready and decided
sess.setAttribute("eid.placeholder.text", "EId: No AGOV Account found case not implemented yet")
// No account found => show account linking dialog options
response.setResult('noAccount')
return
}else if(numAccounts == 1){
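Review bot: The SCIM filter on the `String filter = ...` line is built by interpolating `$svnr` into a quoted literal, and unlike the rest of the filter it is not URL-encoded, so a value containing `'`, spaces or SCIM operators changes the query instead of failing it. Where `svnr` is assigned lies outside this hunk, so I cannot tell whether it is already validated; if not, reject anything outside the expected form before building the request, e.g. `if (!(svnr ==~ /^\d{13}$/)) { response.setResult('error'); return }` (adjust the pattern to the stored format), or URL-encode the value. The `accounts == null` change is right given `getAccounts` returns `[null,null]` on a data error and an empty map for no match; a short comment on that distinction would help. The `svnrWithPrefix` fallback now matches two identifier formats in memory; confirm the filter and the in-memory check agree on both.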


@ -2,11 +2,20 @@ function outputHeader(request, response)
trace = request:getTracer()
-- rename Set-Cookie2 header
local setCookieHeader = response:getHeader("Set-Cookie2")
if (setCookieHeader ~= nil) then
trace:debug("Set a new cookie: " .. setCookieHeader)
response:addHeader("Set-Cookie", setCookieHeader)
local setCookieHeader2 = response:getHeader("Set-Cookie2")
if (setCookieHeader2 ~= nil) then
trace:debug("Set a new cookie: " .. setCookieHeader2)
response:addHeader("Set-Cookie", setCookieHeader2)
response:removeHeader("Set-Cookie2")
end
-- BUNDBITBK-5688: We need to somtimes set 3 cookies with the new LOGINMETHOD cookie
-- rename Set-Cookie3 header
local setCookieHeader3 = response:getHeader("Set-Cookie3")
if (setCookieHeader3 ~= nil) then
trace:debug("Set a new cookie: " .. setCookieHeader3)
response:addHeader("Set-Cookie", setCookieHeader3)
response:removeHeader("Set-Cookie3")
end
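Review bot: The two blocks differ only in the carrier header name, and each extra cookie the login flow needs will add another copy; a loop over the carrier names keeps the renaming in one place and makes it obvious that `Set-Cookie2`/`Set-Cookie3` are internal carriers, not the obsolete RFC 2965 header. The `trace:debug` call logs the full cookie value; today that is only `LOGINMETHOD`, but anything routed through a carrier would be logged, so consider logging the carrier name only. `response:getHeader` is assumed to return a single value; if a state emits the same carrier twice only one copy is forwarded.
```lua
-- … unchanged: trace = request:getTracer() …
-- the auth states hand extra cookies over as Set-Cookie2/Set-Cookie3 (BUNDBITBK-5688)
for _, carrier in ipairs({"Set-Cookie2", "Set-Cookie3"}) do
    local value = response:getHeader(carrier)
    if value ~= nil then
        trace:debug("Set a new cookie from " .. carrier)
        response:addHeader("Set-Cookie", value)
        response:removeHeader(carrier)
    end
end
```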
end


@ -64,11 +64,16 @@
<property name="out.authnContextClassRef" value="${sess:contextClassRefToSet}"/>
<property name="out.audienceRestriction" value="${var.idp_agov_epd-audience}"/>
<!-- SAML Attributes -->
<!-- EPD standard Attributes -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" value="${sess:ch.nevis.idm.User.firstName}"/>
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="${sess:ch.nevis.idm.User.lastName}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
<!--<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/> -->
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/dateOfBirth" value="${sess:ch.nevis.idm.User.birthDate:^(\d\d\d\d-\d\d-\d\d).*$}"/>
<!-- extra Attributes -->
<property name="out.attribute.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="${sess:ch.nevis.idm.User.email}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
</AuthState>
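Review bot: The commented-out `socialSecurityNumber` property under the EPD standard attributes duplicates the active one under the extra attributes, so the file now carries the same conditional expression twice, once dead; delete the commented line rather than leaving two copies to drift apart. The `traceparent`-derived conversationId uses the same loosely constrained regex as the other IdP states in this commit (any run of hex per field rather than the fixed W3C widths), so whatever tightening is applied there should be applied here as well.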


@ -105,7 +105,8 @@ try {
session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
session.setAttribute('agov.appDisplayNameRM', '' + ((json.appDisplayNameRM) ? json.appDisplayNameRM : json.appDisplayNameDE))
session.setAttribute('agov.appDisplayNameRM', '' + json.displayNameRm)
//session.setAttribute('agov.appDisplayNameRM', '' + ( (json.displayNameRm) ? json.displayNameDe : json.displayNameRm))
// if aq500 or 600 is requested -> the only available login method is eid -> continue directly there
// if eid is disabled -> show an error page
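Review bot: The new assignment `'' + json.displayNameRm` drops the German fallback the replaced line had, so an application without a Romansh name stores the literal string "null" in `agov.appDisplayNameRM`, and the commented-out line below it has its ternary branches inverted (it would pick `displayNameDe` exactly when `displayNameRm` is set). Replace both with `session.setAttribute('agov.appDisplayNameRM', '' + (json.displayNameRm ?: json.displayNameDe))` and drop the comment. The enclosing try block starts outside this hunk.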


@ -0,0 +1,55 @@
<AuthState name="${state.entry}" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
<ResultCond name="prospect" next="${state.entry}_getProperties"/>
<ResultCond name="default" next="${state.failed}"/>
<ResultCond name="failed" next="${state.failed}"/>
<ResultCond name="clientNotFound" next="${state.failed}"/>
<Response value="AUTH_CONTINUE">
<Gui name="internal_error">
<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
</Gui>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<property name="userExtId" value="${sess:ch.nevis.session.userid}"/>
<property name="clientExtId" value="${var.eid.idm.rest.clientExtId}"/>
<property name="presetNoteValues" value="false"/>
<property name="detaillevel.user" value="HIGH"/>
<property name="detaillevel.profile" value="HIGH"/>
<property name="detaillevel.role" value="MEDIUM"/>
<property name="detaillevel.authorization" value="HIGH"/>
<property name="detaillevel.dataroom" value="LOW"/>
<property name="detaillevel.credential" value="HIGH"/>
<property name="detaillevel.property" value="HIGH"/>
<property name="detaillevel.unit" value="LOW"/>
<property name="detaillevel.default" value="EXCLUDE"/>
</AuthState>
<!-- TODO/aca/2025/07/22 Adjust Detail Levels -->
<AuthState name="${state.entry}_getProperties" final="false" class="ch.nevis.idm.authstate.IdmGetPropertiesState" resumeState="false">
<ResultCond name="ok" next="${state.done}"/>
<ResultCond name="default" next="${state.failed}"/>
<ResultCond name="clientNotFound" next="${state.failed}"/>
<Response value="AUTH_CONTINUE">
<Gui name="internal_error">
<GuiElem name="transferId" type="hidden" value="${request:traceId}" optional="true"/>
</Gui>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<property name="clientExtId" value="${var.eid.idm.rest.clientExtId}"/>
<property name="user.attributes" value="loginId,extId,firstName,name,email,mobile,birthDate, gender, language, street, houseNumber, postalCode, city, country"/>
<property name="user.properties" value="eIdNumber,nationality,placeOfBirth,svnr"/>
<property name="chooseDefaultProfile" value="true"/>
<property name="forceDataReload" value="false"/>
<property name="userExtId" value="${sess:ch.nevis.session.userid}"/>
<property name="detaillevel.user" value="HIGH"/>
<property name="detaillevel.profile" value="HIGH"/>
<property name="detaillevel.role" value="HIGH"/>
<property name="detaillevel.authorization" value="HIGH"/>
<property name="detaillevel.dataroom" value="HIGH"/>
<property name="detaillevel.credential" value="HIGH"/>
<property name="detaillevel.property" value="HIGH"/>
<property name="detaillevel.unit" value="LOW"/>
<property name="detaillevel.default" value="EXCLUDE"/>
</AuthState>
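Review bot: Both states request `HIGH` detail for almost every IdM object, including credentials and authorizations, which pulls far more into the authentication session than the step visibly needs (`user.attributes` and `user.properties` name a handful of fields); the `TODO ... Adjust Detail Levels` comment acknowledges this, so at least the credential and authorization levels should be lowered before this ships, since whatever is loaded is what a later script bug or log statement can leak. The `user.attributes` value mixes `birthDate, gender, language, ...` with spaces and `loginId,extId,...` without; if the state does not trim entries the spaced names will not match, so normalize the list to one form. Only the `prospect` result of the verify state proceeds; a one-line comment on why only prospect users continue here would help.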


@ -0,0 +1,40 @@
import ch.nevis.idm.client.IdmRestClient
import ch.nevis.idm.client.IdmRestClientFactory
// TODO/aca/2025/08/15
String user_notification_dto = '''
{
"clientExtId": "{{clientExtId}}",
"userExtId": "{{userExtId}}",
"notificationType": "userNotification3",
"sendingMethod": [
"Email"
],
"async": false
}
'''
IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
def sess = request.getAuthSession(true)
String baseUrl = parameters.get("baseUrl")
String clientExtId = parameters.get("clientExtId")
String endPoint = "$baseUrl/api/notification/v1/"
String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
String restRequest = user_notification_dto.replaceAll("\\{\\{clientExtId}}", clientExtId).replaceAll("\\{\\{userExtId}}", userExtId)
try {
idmRestClient.post(endPoint, restRequest)
}catch(Exception e) {
LOG.error("Failed to send User Notification: Idm Update with EId data: ${e}")
response.setResult('error')
return
}
response.setResult('ok')
return
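Review bot: `userExtId` comes from `sess.getAttribute(...)` and is passed to `replaceAll` before the try block, so a missing session attribute throws a NullPointerException out of the script instead of producing the `error` result the catch was written for; guard it first. The JSON body is also assembled by text substitution into a template, so an extId or clientExtId containing a quote yields invalid JSON; building a map and serializing it with `groovy.json.JsonOutput.toJson` (imported at the top) removes both the escaping concern and the template. The `// TODO/aca/2025/08/15` has no text, and the error message `Idm Update with EId data` does not describe what this script does.
```groovy
// … unchanged: IdmRestClient setup, sess, baseUrl, clientExtId, endPoint …
String userExtId = sess.getAttribute("ch.nevis.idm.User.extId")
if (!userExtId) {
    LOG.error("Failed to send User Notification: no user extId in session")
    response.setResult('error')
    return
}
// build the body as a map so values are JSON-escaped rather than pasted in
String restRequest = JsonOutput.toJson([
    clientExtId     : clientExtId,
    userExtId       : userExtId,
    notificationType: "userNotification3",
    sendingMethod   : ["Email"],
    async           : false
])
// … unchanged: try { idmRestClient.post(endPoint, restRequest) } … catch …
```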


@ -71,6 +71,7 @@
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/sex" value="${sess:ch.nevis.idm.User.gender}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/socialSecurityNumber" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.svnr'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/placeOfBirth" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['ch.nevis.idm.User.prop.placeOfBirth'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin" value="#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['agov.eid.User.placeOfOrigin'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/eIdNumber" value="${sess:ch.nevis.idm.User.prop.eIdNumber}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/dateOfVerification" value="${sess:ValidFrom}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2023/05/identity/claims/qa/validTillDate" value="${sess:ValidTo}"/>
@ -85,5 +86,5 @@
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/country" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['ch.nevis.idm.User.country'].toUpperCase() : '' }"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/qa/verificationMethod" value="#{ (sess['agov.appAddressRequired'] == 'true') ? ''.concat(sess.get('agov.adressVerification')).replace('Location', 'Domicile') : '' }"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName" value="#{ (sess['agov.appAddressRequired'] == 'true') ? sess['agov.countryName'] : ''}"/>
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
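Review bot: The added `placeOfOrigin` attribute reads `sess['agov.eid.User.placeOfOrigin']` while its neighbours (`socialSecurityNumber`, `placeOfBirth`, `eIdNumber`) read the IdM-backed `ch.nevis.idm.User.prop.*` values, so for a login that did not pass through the eId flow this attribute is empty even if the account holds the data, and it is gated on `agov.appSvnrAllowed` rather than on a consent of its own. If the value is meant to be persisted like the others, read it from an IdM property (the IdM property state in this commit loads `eIdNumber,nationality,placeOfBirth,svnr` but not placeOfOrigin, so that would need adding); if the eId-session source is intentional, say so in a comment. The surrounding AuthState starts outside this hunk.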
</AuthState>


@ -5,34 +5,66 @@ pattern:
name: "DefaultErrorPages"
label: "UTILS"
properties:
filters: "<filter>\n <filter-name>DefaultErrorFilter</filter-name>\n <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>\n\
\ <init-param>\n <param-name>StatusCode</param-name>\n <param-value>\n\
\ 400:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/404.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ 403:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/403.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ 404:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/404.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ 408:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/timeout.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ 500:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/500.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ 502:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/errorPages/502.vm?logrendresourcepath=/nevislogrend:keep-status-code\n\
\ </param-value>\n </init-param>\n <init-param>\n <param-name>CheckAcceptHeader</param-name>\n\
\ <param-value>true</param-value>\n </init-param>\n <init-param>\n\
\ <param-name>PlaceHolders</param-name>\n <param-value>\n \
\ TransferIdHolder:TRANSFER_ID\n TimestampHolder:TIMESTAMP\n\
\ </param-value>\n </init-param>\n</filter>\n<filter>\n <filter-name>FallbackErrorFilter</filter-name>\n\
\ <filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>\n\
\ <init-param>\n <param-name>StatusCode</param-name>\n <param-value>\n\
\ 500:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
\ 502:file:/resources/errorPages/502.html:reset-header:reset-status-code\n\
\ 503:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
\ 504:file:/resources/errorPages/500.html:reset-header:reset-status-code\n\
\ </param-value>\n </init-param>\n <init-param>\n <param-name>CheckAcceptHeader</param-name>\n\
\ <param-value>true</param-value>\n </init-param>\n <init-param>\n\
\ <param-name>PlaceHolders</param-name>\n <param-value>\n \
\ TransferIdHolder:TRANSFER_ID\n TimestampHolder:TIMESTAMP\n\
\ </param-value>\n </init-param>\n</filter>\n<filter-mapping>\n\
\ <filter-name>DefaultErrorFilter</filter-name>\n <url-pattern>/*</url-pattern>\n\
</filter-mapping>\n<filter-mapping>\n <filter-name>FallbackErrorFilter</filter-name>\n\
\ <servlet-name>NevisLogrendConnector_${param.logrendInstancePatternName}</servlet-name>\n\
</filter-mapping>"
filters: |-
<filter>
<filter-name>DefaultErrorFilter</filter-name>
<filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>
<init-param>
<param-name>StatusCode</param-name>
<param-value>
400:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/404.vm?logrendresourcepath=/nevislogrend:keep-status-code
403:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/403.vm?logrendresourcepath=/nevislogrend:keep-status-code
404:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/404.vm?logrendresourcepath=/nevislogrend:keep-status-code
408:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/timeout.vm?logrendresourcepath=/nevislogrend:keep-status-code
500:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/500.vm?logrendresourcepath=/nevislogrend:keep-status-code
502:NevisLogrendConnector_${param.logrendInstancePatternName}:/nevislogrend/webdata/template/502.vm?logrendresourcepath=/nevislogrend:keep-status-code
</param-value>
</init-param>
<init-param>
<param-name>CheckAcceptHeader</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>PlaceHolders</param-name>
<param-value>
TransferIdHolder:TRANSFER_ID
TimestampHolder:TIMESTAMP
</param-value>
</init-param>
</filter>
<filter>
<filter-name>FallbackErrorFilter</filter-name>
<filter-class>ch::nevis::isiweb4::filter::error::ErrorFilter</filter-class>
<init-param>
<param-name>StatusCode</param-name>
<param-value>
500:file:/resources/errorPages/500.html:reset-header:reset-status-code
502:file:/resources/errorPages/502.html:reset-header:reset-status-code
503:file:/resources/errorPages/500.html:reset-header:reset-status-code
504:file:/resources/errorPages/500.html:reset-header:reset-status-code
</param-value>
</init-param>
<init-param>
<param-name>CheckAcceptHeader</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>PlaceHolders</param-name>
<param-value>
TransferIdHolder:TRANSFER_ID
TimestampHolder:TIMESTAMP
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>DefaultErrorFilter</filter-name>
<url-pattern>/*</url-pattern>
<exclude-url-regex>^/oidc4vp/.*$|^/resource/utility/.*$</exclude-url-regex>
</filter-mapping>
<filter-mapping>
<filter-name>FallbackErrorFilter</filter-name>
<servlet-name>NevisLogrendConnector_${param.logrendInstancePatternName}</servlet-name>
</filter-mapping>
filterMappings: "manual"
phase: "START"
parameters: "logrendInstancePatternName: nevisLogrend"
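Review bot: The new `<exclude-url-regex>` matches `^/oidc4vp/.*$`, but the REST service pattern in this same commit renames its path from `/oidc4vp/` to `/oid4vp/`, so after the rename the error filter still wraps that service's responses in HTML error pages and the exclusion is dead; change it to `^/oid4vp/.*$|^/resource/utility/.*$` (or list both during migration). Mapping status 400 to `404.vm` is carried over from the old value and may be intentional, but a comment would stop it reading as a typo.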


@ -0,0 +1,16 @@
schemaVersion: "1.0"
pattern:
id: "da38e049a1ff97663fb30a45"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
name: "EId_Account_Linking_Mobile_NLess_Auth"
label: "EID LINKING"
properties:
authStatesFile: "res://da38e049a1ff97663fb30a45#authStatesFile"
onSuccess:
- "pattern://359792ce61c28c723ab7d354"
nextSteps:
- "pattern://47f8f6ef24f62431fbe1b530"
- "pattern://4c65de021d362462324a3a5f"
resources: "res://da38e049a1ff97663fb30a45#resources"
keyObjects:
- "pattern://95220b3005deb118adeb01aa"


@ -11,7 +11,7 @@ pattern:
onFailure:
- "pattern://4c65de021d362462324a3a5f"
nextSteps:
- "pattern://47f8f6ef24f62431fbe1b530"
- "pattern://328e529ed345d17cacb4ec66"
- "pattern://e335f57d4c64dfc97223697a"
resources: "res://4f15bae09cbda04a7a515158#resources"
keyObjects:


@ -2,9 +2,12 @@ schemaVersion: "1.0"
pattern:
id: "450d8070d6c0b395c98a013f"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RESTServiceAccess"
name: "IDP_OIDC4VP_Service"
name: "IDP_OID4VP_Service"
properties:
host:
- "pattern://1f0702aaabef60a615abf41f"
path: "/oidc4vp/"
backends: "var://eid-oidc4vp-service-url"
path: "/oid4vp/"
backends: "var://eid-oid4vp-service-url"
hostHeader: "backend"
responseRewrite: "header"
jsonValidation: "disabled"
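Review bot: The path and backend variable are renamed from `oidc4vp` to `oid4vp`, but the `DefaultErrorPages` filter in this same commit excludes `^/oidc4vp/.*$`, so that exclusion no longer covers this service; update it together with this rename. `var://eid-oid4vp-service-url` must also exist in every target environment's variable set, otherwise the pattern fails to resolve at deploy time.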


@ -4,11 +4,11 @@ pattern:
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns.SamlSpConnector"
name: "IDP_SP_Connector"
label: "IDP"
notes: "- Subject NameID Format -> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\n\
- dateOfBirth: to have a date suitable for SAML and OIDC, we remove the TimeZone\
\ charachter ('1993-03-03Z' --> '1993-03-03')\n- verificationMethod: BUNDBITBK-2892\
\ SelfPaid is only for internal use, we remove this from the public assertion\n\
- address.verificationMethod: BUNDBITBK-2921 avoid interface change for hotfix"
notes: |-
- Subject NameID Format -> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- dateOfBirth: to have a date suitable for SAML and OIDC, we remove the TimeZone charachter ('1993-03-03Z' --> '1993-03-03')
- verificationMethod: BUNDBITBK-2892 SelfPaid is only for internal use, we remove this from the public assertion
- address.verificationMethod: BUNDBITBK-2921 avoid interface change for hotfix
link:
sourceProjectKey: "DEFAULT-IAM-JAKOB"
sourcePatternId: "27cefc3861bce987f6766342"
@ -58,6 +58,9 @@ pattern:
\ 'Domicile') : '' }"
- http://schemas.agov.ch/ws/2024/02/identity/claims/address/countryName: "#{ (sess['agov.appAddressRequired']\
\ == 'true') ? sess['agov.countryName'] : ''}"
- http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin: "#{ (sess['agov.appSvnrAllowed']\\\
\ \\ == 'true') ? sess['agov.eid.User.placeOfOrigin'] : ''}"
- http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId: "${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"
context: "PasswordProtectedTransport"
assertionLifetime: "30s"
sign:
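Review bot: The `placeOfOrigin` entry is serialized with `\\\` and `\ \\ ==`, which in a YAML double-quoted scalar yields literal backslashes inside the expression (`...']\ \ == 'true')...`) rather than the line continuation the neighbouring entries use, so the attribute expression is most likely broken as written. Write it on one line: `- http://schemas.agov.ch/ws/2025/07/identity/claims/placeOfOrigin: "#{ (sess['agov.appSvnrAllowed'] == 'true') ? sess['agov.eid.User.placeOfOrigin'] : ''}"`. As in the authStates file, the value comes from the eId session rather than the IdM property the sibling claims use and is gated on the svnr consent; confirm that is intended. The notes block keeps the `charachter` typo from the old string.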


@ -0,0 +1,9 @@
schemaVersion: "1.0"
pattern:
id: "7702342f21437f3de530e10c"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
name: " EId_Account_Linking_Check_Account_State"
label: "EID LINKING"
properties:
authStatesFile: "res://7702342f21437f3de530e10c#authStatesFile"
resources: "res://7702342f21437f3de530e10c#resources"
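Review bot: `name` has a leading space (`" EId_Account_Linking_Check_Account_State"`), unlike the other new pattern in this commit (`"EId_Account_Linking_Mobile_NLess_Auth"`); pattern names are used as identifiers in generated configuration, so trim it: `name: "EId_Account_Linking_Check_Account_State"`.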


@ -0,0 +1,10 @@
schemaVersion: "1.0"
pattern:
id: "359792ce61c28c723ab7d354"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
name: " EId_Account_Linking_Redirect_To_Agovme"
label: "EID LINKING"
properties:
authStatesFile: "res://359792ce61c28c723ab7d354#authStatesFile"
parameters: "var://service_provider_state-template-parameters"
resources: "res://359792ce61c28c723ab7d354#resources"
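Review bot: The pattern name `" EId_Account_Linking_Redirect_To_Agovme"` starts with a space; trim it to `name: "EId_Account_Linking_Redirect_To_Agovme"` so it sorts and matches like the other EID LINKING patterns.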


@ -0,0 +1,14 @@
schemaVersion: "1.0"
pattern:
id: "328e529ed345d17cacb4ec66"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
name: " EId_Start_AGOV_Account_Linking"
label: "EID"
properties:
authStatesFile: "res://328e529ed345d17cacb4ec66#authStatesFile"
onFailure:
- "pattern://4c65de021d362462324a3a5f"
nextSteps:
- "pattern://da38e049a1ff97663fb30a45"
- "pattern://47f8f6ef24f62431fbe1b530"
resources: "res://328e529ed345d17cacb4ec66#resources"


@ -40,7 +40,7 @@ if(loa_str){
// BUNDBITBK-5005: Set cookie to remember the last authentication method
def agovAuthMethodCookie = "LOGINMETHOD=${AUTHENTICATON_URN_TO_COOKIE_MAPPER[session.getAttribute('authenticatedWith')]}; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=1800; SameSite=Strict; Secure; HttpOnly"
response.setHeader('Set-Cookie2', agovAuthMethodCookie)
response.setHeader('Set-Cookie3', agovAuthMethodCookie)
// delete the login cookie
def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
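Review bot: `Set-Cookie3` on L632 is not a header name browsers act on, so unless the nevisAuth/nevisProxy layer is known to rewrite numbered `Set-Cookie<N>` response headers into real `Set-Cookie` headers, the LOGINMETHOD cookie is never stored and the "remember last method" feature silently does nothing. The rename from `Set-Cookie2` suggests such a convention exists to avoid overwriting the `Set-Cookie` used for the agovLogin deletion on the next lines, but nothing in the hunk says so; once confirmed, add a comment above the call such as `// response headers are a map: a distinct Set-Cookie<N> name keeps this cookie from clobbering the agovLogin Set-Cookie below; <component> folds them into Set-Cookie` naming the component that does the folding. Separately, `AUTHENTICATON_URN_TO_COOKIE_MAPPER[...]` on L630 yields `null` for an unmapped method and the string template then emits a literal `LOGINMETHOD=null`; a guard like `?: 'unknown'` (or skipping the header) would avoid persisting that. The enclosing `if(loa_str)` block starts outside the hunk.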


@ -0,0 +1,37 @@
<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<ResultCond name="registration" next="${state.exit.1}"/>
<ResultCond name="fido2" next="${state.exit.1}"/>
<ResultCond name="ok" next="${state.entry}_Processing"/>
<ResultCond name="back" next="${state.exit.2}"/>
<ResultCond name="default" next="${state.entry}"/>
<Response value="AUTH_CONTINUE">
<Gui name="eid_linking_mauth_usernameless">
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
<GuiElem name="fallback" type="button" label="mobile_auth.cancel.button.label" value="true" optional="true"/>
<GuiElem name="accessApp" type="hidden" value="${sess:agov.recovery.accessapp}" optional="true"/>
</Gui>
</Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_account_linking_mobile_nless_auth.groovy"/>
<property name="parameter.agovmeregistrationurl" value="${var.agovmeregistrationurl}"/>
<property name="parameter.recoveryurl" value="${var.recoveryurl}"/>
</AuthState>
<AuthState name="${state.entry}_Processing" class="ch.nevis.auth.fido.uaf.authstate.OutOfBandFidoUafAuthState" final="false" resumeState="false">
<ResultCond name="error" next="${state.entry}_Processing"/>
<ResultCond name="failed" next="${state.entry}"/>
<ResultCond name="dispatchFailed" next="${state.entry}_Processing"/>
<ResultCond name="ok" next="${state.entry}_PostProcessing" authLevel="2"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<property name="fidoUafServerUrl" value="https://fido-uaf:9443/nevisfido"/>
<property name="dispatcher" value="link"/>
<property name="httpclient.tls.trustStoreRef" value="${keystore}"/>
</AuthState>
<AuthState name="${state.entry}_PostProcessing" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<ResultCond name="default" next="${state.done}"/>
<Response value="AUTH_CONTINUE"/>
<property name="sess:eid.placeholder.text" value="EId: Redirection to AGOV me not implemented yet"/>
</AuthState>
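Review bot: The `_PostProcessing` state (L669–L673) routes every result to `${state.done}` after the FIDO UAF state returned `ok` with `authLevel="2"`, yet its only action is to set a placeholder text saying the AGOV me redirection is not implemented, so the linking flow currently completes successfully without performing the account-state check or redirect it is named for. Until that is implemented the stub should fail closed, e.g. point the ResultCond at the pattern's failure exit (`${state.failed}` if this pattern type exposes it) and mark the state with `<!-- TODO: replace stub with AGOV me redirection; must not reach state.done -->`. Second, the cancel button on L648 is declared with `value="true"`, but the dispatch script for this state (L732–L753 on this page) only recognises the `fallback` values `fallback`, `recovery`, `register` and `back`, so pressing it falls into the `default` branch and redisplays the page; `value="back"` would reach the `back` ResultCond on L643, unless the GUI template rewrites the value client-side. Also the FIDO UAF URL on L665 is hard-coded where the rest of this configuration takes such endpoints from variables, and `httpclient.tls.trustStoreRef="${keystore}"` on L667 should be confirmed to reference a store holding the fido-uaf trust anchors rather than the signer key.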


@ -0,0 +1,100 @@
import groovy.json.JsonBuilder
import ch.nevis.esauth.auth.engine.AuthResponse
def getHeader(String name) {
def inctx = request.getLoginContext()
// case-insensitive lookup of HTTP headers
def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
map.putAll(inctx)
return map['connection.HttpHeader.' + name]
}
def clearFidoUAFSession() {
LOG.debug("start new FIDO UAF session (skipping ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']}")
def s = request.getAuthSession(true)
s.removeAttribute('ch.nevis.auth.fido.uaf.fidouafsessionid')
inargs.remove('fallback')
}
def clearIdmSessionAttributes() {
def s = request.getAuthSession(true)
def sessionKeySet = new HashSet(session.keySet())
sessionKeySet.each { key ->
if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
s.removeAttribute(key)
}
}
}
def sess = request.getAuthSession(true)
// dispatch AJAX calls and form POST when operation is done
if (inargs['fidoUafDone'] == 'true' ||
inargs.containsKey('o.fidoUafSessionId.v') ||
getHeader('Content-Type') == 'application/json') {
if (inargs.containsKey('o.fidoUafSessionId.v') && (inargs['o.fidoUafSessionId.v'] != session['ch.nevis.auth.fido.uaf.fidouafsessionid'])) {
// received polling for wrong fido session; make sure, that stops
LOG.debug("received polling for wrong fido session ${inargs['o.fidoUafSessionId.v']} (correct: ${session['ch.nevis.auth.fido.uaf.fidouafsessionid']})")
def json = new JsonBuilder()
json {
"status" "unknown"
"timestamp" org.joda.time.DateTime.now().toString()
}
String body = json.toString()
response.setContent(body)
response.setContentType('application/json')
response.setHttpStatusCode(200)
response.setIsDirectResponse(true)
response.setStatus(AuthResponse.AUTH_CONTINUE)
return
}
if (inargs['fidoUafDone'] == 'true') {
// get clean state, before validating user in IDM
LOG.debug("clear IDM session attributes")
clearIdmSessionAttributes()
}
// continue with OutOfBandFidoUafAuthState
response.setResult('ok')
}
// dispatch form post with fallback input field : transition to FIDO Token authentication
if (inargs['fallback'] == 'fallback') {
sess.setAttribute("eid.placeholder.text", "Fido2 login not implemented yet")
response.setResult('fido2')
}
// dispatch to recovery
if (inargs['fallback'] == 'recovery') {
response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
response.setIsRedirectTransfer(true)
// Remove existing cookies before redirecting to RECOVERY
def agovRecoveryCookie = "agovRecovery=deleted; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict; Secure; HttpOnly"
response.setHeader('Set-Cookie', agovRecoveryCookie)
return
}
// dispatch form post with fallback input field : go to registration with right loa
if (inargs['fallback'] == 'register') {
sess.setAttribute("eid.placeholder.text", "Registration should not be called here?")
response.setResult('registration')
}
// cancel and go back to login
if (inargs['fallback'] == 'back') {
response.setResult('back')
}
// dispatch form post with onReload input field : refresh QR-code FIDO UAF
if (inargs.containsKey('onReload')) {
clearFidoUAFSession()
response.setResult('default')
}
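Review bot: The `agovRecovery` deletion cookie on L742 carries no `Domain` attribute, whereas the other cookies in this commit are set with `Domain=${parameters.get('cookie.domain')}` (L630, L634); if agovRecovery was originally set with that Domain, a Domain-less expiry cookie does not match it and the browser keeps the old value. Use the same shape, `def agovRecoveryCookie = "agovRecovery=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"`, which also requires passing `parameter.cookie.domain` into this ScriptState (the AuthState on L639–L656 currently supplies only agovmeregistrationurl and recoveryurl). Separately, `getHeader('Content-Type') == 'application/json'` on L706 is an exact match and misses `application/json; charset=utf-8`; `?.startsWith('application/json')` would be more robust, though the existing flow uses the same comparison (L763). The hunk header announces 100 lines but fewer are rendered here, so I assume only blank lines are missing and no further dispatch follows L759.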


@ -355,6 +355,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
sess.setAttribute('agov.eid.User.gender', claims.sex)
sess.setAttribute('agov.eid.User.svnr', claims.personal_administrative_number.replace('.',''))
sess.setAttribute('agov.eid.User.placeOfBirth', claims.birth_place)
sess.setAttribute('agov.eid.User.placeOfOrigin', claims.place_of_origin)
sess.setAttribute('agov.eid.User.eIdNumber', claims.document_number)
// Simpler for later comparison -> Is converted again to upper case in the saml assertion
sess.setAttribute('agov.eid.User.nationality', claims.nationality.toString().toLowerCase())
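Review bot: `claims.place_of_origin` on L767 is written to the session and later released into the SAML assertion (L574–L575 on this page) under the `agov.appSvnrAllowed` flag, so the authorisation flag for the social-security number now also gates a different personal attribute; confirm that reuse is intended rather than a copy-paste, and otherwise give placeOfOrigin its own `agov.app…Allowed` flag so each attribute release is authorised on its own. Unlike the neighbouring lines the new one does not dereference the claim, so a missing field stores a null attribute instead of throwing; if the session store rejects nulls, `claims.place_of_origin ?: ''` is the safer write. The enclosing `if` shown in the hunk header starts outside the hunk.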


@ -10,6 +10,7 @@
<GuiElem name="agov.appDisplayNameFR" type="hidden" value="${sess:agov.appDisplayNameFR}" optional="true"/>
<GuiElem name="agov.appDisplayNameIT" type="hidden" value="${sess:agov.appDisplayNameIT}" optional="true"/>
<GuiElem name="agov.appDisplayNameEN" type="hidden" value="${sess:agov.appDisplayNameEN}" optional="true"/>
<GuiElem name="agov.appDisplayNameRM" type="hidden" value="${sess:agov.appDisplayNameRM}" optional="true"/>
<GuiElem name="agov.appSamlRpEntityId" type="hidden" value="${var.appIconUrl}${sess:ch.nevis.auth.saml.request.scoping.requesterId}" optional="true"/>
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
<GuiElem name="lastLoginMethod" type="hidden" value="${sess:agov.lastLoginMethod}" optional="true"/>


@ -90,11 +90,14 @@ variables:
parameters:
required: false
syntax: "YAML"
value: "cert.source: \"#{request:actorCertAsString}\"\ntechuser.client.name: Default\n\
accounts.client.name: agov\nshadow-accounts.client.name: AGOV-S\nsaml.assertion.audience:\
\ \"https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect\"\
\nsaml.assertion.acsurl: \"https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp\"\
\nsaml.assertion.max_age: 30"
value: |-
cert.source: "#{request:actorCertAsString}"
techuser.client.name: Default
accounts.client.name: agov
shadow-accounts.client.name: AGOV-S
saml.assertion.audience: "https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect"
saml.assertion.acsurl: "https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp"
saml.assertion.max_age: 30
requireOverloading: true
auth_soap-backend-addresses:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
@ -112,7 +115,9 @@ variables:
parameters:
required: false
syntax: "YAML"
value: "fido2.serviceAndPort: fido2:9443\nrpId: auth.agov.admin.ch"
value: |-
fido2.serviceAndPort: fido2:9443
rpId: auth.agov.admin.ch
requireOverloading: true
backendAppIconUrl:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
@ -159,7 +164,7 @@ variables:
\ font-src 'self';"
- param_report_only_csp: "none"
requireOverloading: true
eid-oidc4vp-service-url:
eid-oid4vp-service-url:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
parameters:
minRequired: 1
@ -168,16 +173,19 @@ variables:
hostNameInputMode: "REQUIRED"
portInputMode: "OPTIONAL"
pathInputMode: "OPTIONAL"
value: "http://eid-verifier-oid4vp.adn-agov-eid-01-dev:8081/api"
value: "http://eid-verifier-oid4vp.adn-agov-eid-01-dev:8081/oid4vp/"
requireOverloading: true
ensure_recovery_code-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters:
required: false
syntax: "YAML"
value: "utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility\n\
token.algorithm: RS512\ntoken.time_to_live: 600\ntoken.keystoreref: DefaultKeyStore\n\
token.keyobjectref: DefaultSigner"
value: |-
utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility
token.algorithm: RS512
token.time_to_live: 600
token.keystoreref: DefaultKeyStore
token.keyobjectref: DefaultSigner
requireOverloading: true
env_ca-trusted-certificates:
className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
@ -224,9 +232,12 @@ variables:
parameters:
required: false
syntax: "YAML"
value: "client.name: agov\nattributes: loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality,mobile\n\
properties: eIdNumber,placeOfBirth,svnr,nationality\nagov.unitExtId: 1000\n\
agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7\n"
value: |
client.name: agov
attributes: loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality,mobile
properties: eIdNumber,placeOfBirth,svnr,nationality
agov.unitExtId: 1000
agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7
requireOverloading: false
fido-session-store-database-host:
className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
@ -811,11 +822,12 @@ variables:
parameters:
required: false
syntax: "YAML"
value: "issuer: https://me.agov-d.azure.adnovum.net/saml2/service-provider-metadata/agovidp\n\
agovmedirecturl: https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect\n\
directAudience: https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect\n\
consumerURL: https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp\nassertionValidityTime:\
\ 20"
value: |-
issuer: https://me.agov-d.azure.adnovum.net/saml2/service-provider-metadata/agovidp
agovmedirecturl: https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect
directAudience: https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect
consumerURL: https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp
assertionValidityTime: 20
requireOverloading: true
sts_saml-template-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
@ -853,7 +865,9 @@ variables:
parameters:
required: false
syntax: "YAML"
value: "client.name: AGOV-S\nattributes: loginId,extId\n"
value: |
client.name: AGOV-S
attributes: loginId,extId
requireOverloading: true
virtual_host-frontend-addresses:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"