adn-agov-iam-project/patterns/5d7dc3d51416356293a239f7_au.../Auth_Realm_main_STS.xml

<!-- Realm settings for the STS flow. This file is a fragment (no root element); it is presumably assembled into the full nevisAuth configuration by the surrounding pattern. -->
<Domain inactiveInterval="30" reauthInterval="0" statelessAuth="true">
<!-- Every "authenticate" call starts with the trusted-caller lookup; the caller's client certificate is checked before any token request is dispatched. -->
<Entry method="authenticate" state="Check_Trusted_Caller"/>
<!-- "stepup" is not supported by this realm: it goes straight to the failure audit state, which always ends in Authentication_Failed (AUTH_ERROR). -->
<Entry method="stepup" state="STS_Audit_Failure"/>
</Domain>
<!-- ***** Authenticate Caller ***** -->
<!-- Step 1: look up the calling technical user in TechAuthCache, keyed by its client certificate (param.cert.source). A hit skips Validation_Client_Cert and goes directly to the token-type dispatcher. -->
<!-- NOTE(review): on a cache hit none of the checks performed by IdmX509State run again, so a certificate that nevisIDM would meanwhile reject stays accepted until its cache entry expires (maxAge is set in Cache_Trusted_Caller). Confirm that window is acceptable. -->
<AuthState name="Check_Trusted_Caller" class="ch.nevis.esauth.auth.states.cache.ReadFromCacheState" final="false">
<!-- ok = cached caller, miss = first call (or expired entry): validate the certificate -->
<ResultCond name="ok" next="Dispatcher_TokenType"/>
<ResultCond name="miss" next="Validation_Client_Cert"/>
<Response value="AUTH_ERROR" />
<!-- cacheSpace and hashAlgorithm must match the write side in Cache_Trusted_Caller -->
<property name="cacheSpace" value="TechAuthCache"/>
<property name="hashAlgorithm" value="SHA-512"/>
<!-- presumably: look up param.cert.source and place the cached value (the tech user's extId) into sess:agov.techuser.extId; verify against the ReadFromCacheState documentation -->
<property name="sess:agov.techuser.extId" value="${param.cert.source}"/>
</AuthState>
<!-- Step 2 (cache miss): validate the caller's client certificate against nevisIDM within the technical-user client. Every result other than ok ends in the failure audit. -->
<AuthState name="Validation_Client_Cert" class="ch.nevis.idm.authstate.IdmX509State" final="false" resumeState="true">
<ResultCond name="default" next="STS_Audit_Failure"/>
<ResultCond name="ok" next="Validation_Client_Cert_PostProcessing"/>
<Response value="AUTH_ERROR">
<Gui name="AuthErrorDialog">
<!-- the 'error.login.cert.' prefix is only added when a lasterror note is present -->
<GuiElem name="lasterror" type="error" label="#{notes.containsKey('lasterror') ? 'error.login.cert.' : ''}#{notes['lasterror']}"/>
</Gui>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<!-- the certificate is the same param.cert.source value that serves as the cache key -->
<property name="user.certificate" value="${param.cert.source}"/>
<property name="client.name" value="${param.techuser.client.name}"/>
</AuthState>
<!-- Step 3: load the technical user's default profile from nevisIDM (all other detail levels excluded), presumably so that response/actualRoles is available for the role check in Check_Impersonator. -->
<AuthState name="Validation_Client_Cert_PostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
<ResultCond name="default" next="STS_Audit_Failure"/>
<ResultCond name="ok" next="Check_Impersonator"/>
<propertyRef name="nevisIDM_Connector"/>
<property name="detaillevel.default" value="EXCLUDE"/>
<property name="chooseDefaultProfile" value="true"/>
</AuthState>
<!-- Step 4: the technical user must hold the nevisIdm.Impersonator role; any other caller is rejected with HTTP 403 through the failure audit. -->
<AuthState name="Check_Impersonator" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<ResultCond name="isImpersonator" next="Clear_Session"/>
<ResultCond name="default" next="STS_Audit_Failure"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- NOTE(review): the pattern is an unanchored substring match (.* on both sides), so any role name that merely contains "nevisIdm.Impersonator" satisfies it; tighten the expression if roles with that prefix exist. -->
<property name="condition:isImpersonator" value="${response/actualRoles/^.*(nevisIdm\.Impersonator).*$}"/>
</AuthState>
<!-- Step 5: keep the technical user's extId in sess:agov.techuser.extId and drop the nevisIDM session attributes of the caller, so the end user identified later does not inherit the caller's identity. -->
<!-- NOTE(review): the copy on the first property reads sess:ch.adnovum.nevisidm.user.extId, which is cleared further down in the same state; this relies on TransformAttributes resolving all values before it writes. Confirm against the state's documentation. -->
<!-- NOTE(review): only the keys listed here are cleared; any other attribute the tech-user steps placed in the session (for example role information) survives into the end-user part of the flow. -->
<AuthState name="Clear_Session" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
<ResultCond name="ok" next="Cache_Trusted_Caller"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<property name="sess:agov.techuser.extId" value="${sess:ch.adnovum.nevisidm.user.extId}"/>
<property name="sess:ch.adnovum.nevisidm.clientExtId" value=""/>
<property name="sess:ch.adnovum.nevisidm.clientId" value=""/>
<property name="sess:ch.adnovum.nevisidm.clientName" value=""/>
<property name="sess:ch.adnovum.nevisidm.profileExtId" value=""/>
<property name="sess:ch.adnovum.nevisidm.profileId" value=""/>
<property name="sess:ch.adnovum.nevisidm.profileName" value=""/>
<property name="sess:ch.adnovum.nevisidm.user.clientExtId" value=""/>
<property name="sess:ch.adnovum.nevisidm.user.extId" value=""/>
<property name="sess:ch.adnovum.nevisidm.user.loginId" value=""/>
<property name="sess:ch.adnovum.nevisidm.userDto" value=""/>
<property name="sess:ch.adnovum.nevisidm.userExtId" value=""/>
<property name="sess:ch.nevis.idm.User.extId" value=""/>
<!-- presumably makes the empty values above remove the attributes instead of storing "" -->
<property name="removeOnEmptyValue" value="true"/>
</AuthState>
<!-- Step 6: remember the validated caller in TechAuthCache so that the next call within maxAge takes the fast path in Check_Trusted_Caller. -->
<AuthState name="Cache_Trusted_Caller" class="ch.nevis.esauth.auth.states.cache.WriteToCacheState" final="false">
<ResultCond name="ok" next="Dispatcher_TokenType"/>
<!-- a failed cache write is treated as a hard failure of the call -->
<ResultCond name="failed" next="STS_Audit_Failure"/>
<Response value="AUTH_ERROR" />
<!-- cacheSpace and hashAlgorithm must match the read side in Check_Trusted_Caller -->
<property name="cacheSpace" value="TechAuthCache"/>
<property name="hashAlgorithm" value="SHA-512"/>
<!-- maxAge: 1 hour; this is also how long a caller stays trusted without re-validation of its certificate -->
<property name="maxAge" value="3600"/>
<!-- maxEntries: 2, because only one technical user is expected to use this service -->
<property name="maxEntries" value="2"/>
<!-- overwriteOldEntries=false: presumably a write into a full cache fails instead of evicting an entry (see ResultCond "failed") -->
<property name="overwriteOldEntries" value="false"/>
<!-- cache entry: key = the client certificate, value = the technical user's extId -->
<property name="${param.cert.source}" value="${sess:agov.techuser.extId}"/>
</AuthState>
<!-- ***** Dispatch Requests ***** -->
<!-- Route the call by the requested STS endpoint (request:currentResource). Any other resource is rejected with HTTP 403 through the failure audit. -->
<!-- /sts/saml: exchange a SAML assertion; /sts/check: verify a one-time obligation code of a shadow user; /sts/username: identify a user by extId -->
<AuthState name="Dispatcher_TokenType" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<ResultCond name="SamlAssertion" next="Service_Provider_State"/>
<ResultCond name="checkOblCode" next="Verify_Shadow_User"/>
<ResultCond name="usernameToken" next="Verify_User_extID"/>
<ResultCond name="default" next="STS_Audit_Failure"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<property name="condition:SamlAssertion" value="${request:currentResource:/nevisauth/services/sts/saml:true}"/>
<property name="condition:checkOblCode" value="${request:currentResource:/nevisauth/services/sts/check:true}"/>
<property name="condition:usernameToken" value="${request:currentResource:/nevisauth/services/sts/username:true}"/>
</AuthState>
<!-- ***** SAML Assertion to Token, and usernameToken ***** -->
<!-- SAML path: verify the inbound assertion the caller passed in the SAMLAssertion input argument (keystore reference, audience, max age, SubjectConfirmation). No outbound token is produced here (out.* disabled); on success the flow continues with the user lookup at auth.weak. -->
<!-- NOTE(review): the next state looks the user up by inargs:UserID, not by the verified assertion's subject. Confirm the subject is bound to UserID somewhere (for example in the audit script); otherwise the assertion only proves that the caller holds some valid assertion. -->
<AuthState name="Service_Provider_State" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="true">
<ResultCond name="default" next="STS_Audit_Failure"/>
<ResultCond name="ok" next="Verify_User_extID" authLevel="auth.weak"/>
<property name="consumerURL" value="${param.saml.assertion.acsurl}"/>
<property name="in.verify" value="Assertion"/>
<!-- the assertion is taken from the request input, not from an HTTP binding -->
<property name="in.internalBindingSource" value="${inargs:SAMLAssertion}"/>
<property name="in.binding" value="internal-assertion"/>
<property name="in.max_age" value="${param.saml.assertion.max_age}"/>
<property name="in.audience" value="${param.saml.assertion.audience}"/>
<property name="in.keystoreref" value="${keystore}"/>
<property name="in.prospectVerification" value="SubjectConfirmation"/>
<!-- outbound side intentionally disabled: this state only verifies -->
<property name="out.sign" value="none"/>
<property name="out.binding" value="none"/>
<property name="out.ttl" value="30"/>
<property name="out.issuer" value="not-used"/>
</AuthState>
<!-- Identify the end user in the accounts client by the extId passed in the UserID input argument (used by both the /sts/username and the /sts/saml path). -->
<!-- NOTE(review): only the "prospect" result continues; any other result (including an "ok" result, should this state produce one) has no ResultCond and falls back to the AUTH_ERROR response. Confirm this is the intended set. -->
<AuthState name="Verify_User_extID" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
<ResultCond name="clientNotFound" next="STS_Audit_Failure"/>
<ResultCond name="failed" next="STS_Audit_Failure"/>
<ResultCond name="prospect" next="Verify_User_extID_IdmGetPropertiesState"/>
<Response value="AUTH_ERROR">
<Gui name="AuthFailDialog"/>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<property name="userExtId" value="${inargs:UserID}"/>
<property name="client.name" value="${param.accounts.client.name}"/>
</AuthState>
<!-- Load the listed user attributes into the session (presumably for the issued token); the default profile is chosen automatically. -->
<!-- NOTE(review): "SOAP:showGui" is mapped to success, so a profile-selection prompt on the SOAP channel does not block the call; the AUTH_CONTINUE dialog below would only be reached on other channels. -->
<!-- NOTE(review): the attribute list is broad (gender, sex, birthDate, full postal address); keep it to what the consumer of the token actually needs. -->
<AuthState name="Verify_User_extID_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
<ResultCond name="SOAP:showGui" next="STS_Audit_Success"/>
<ResultCond name="default" next="STS_Audit_Failure"/>
<ResultCond name="ok" next="STS_Audit_Success"/>
<Response value="AUTH_CONTINUE">
<Gui name="AuthProfileSelectionDialog">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
</Gui>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<property name="user.attributes" value="loginId,extId,firstName,name,email,gender,birthDate,language,sex,addressLine1,postalCode,city,country,street,houseNumber,locality"/>
<property name="chooseDefaultProfile" value="true"/>
</AuthState>
<!-- ***** Check Obligation Code ***** -->
<!-- Obligation-code path: the code passed in isiwebpasswd is verified as the AGOV context password of the shadow-account user named by isiwebuserid. Success continues at auth.weak to the credential deletion that makes the code single-use. -->
<!-- NOTE(review): every failure result ends in Verify_Shadow_User_Error, a plain AuthLogout that does not pass through STS_Audit_Failure, so failed code attempts are not seen by the sts_audit_failure script. Lockout results from nevisIDM (tmpLocked, nowLocked, locked) still apply. -->
<AuthState name="Verify_Shadow_User" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="false" resumeState="false">
<ResultCond name="cancel" next="Verify_Shadow_User_Error"/>
<ResultCond name="clientNotFound" next="Verify_Shadow_User_Error"/>
<ResultCond name="disabled" next="Verify_Shadow_User_Error"/>
<ResultCond name="failed" next="Verify_Shadow_User_Error"/>
<ResultCond name="lockWarn" next="Verify_Shadow_User_Error"/>
<ResultCond name="locked" next="Verify_Shadow_User_Error"/>
<ResultCond name="nowLocked" next="Verify_Shadow_User_Error"/>
<ResultCond name="ok" next="Verify_Shadow_User_DeleteCredential" authLevel="auth.weak"/>
<ResultCond name="pwChange" next="Verify_Shadow_User_Error"/>
<ResultCond name="tmpLocked" next="Verify_Shadow_User_Error"/>
<Response value="AUTH_ERROR">
<Gui name="ErrorDialog" label="error">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
<!-- declared as pw-text apparently so that the isiwebpasswd input is treated as a password and masked in logs (see its value text); it is never shown -->
<GuiElem name="isiwebpasswd" type="pw-text" label="not-used" value="just-ot-hide-it-in-logs" optional="true" />
</Gui>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<property name="user.loginType" value="LOGINID"/>
<!-- the obligation code is stored as a context password in context AGOV -->
<property name="credential.type" value="contextPassword"/>
<property name="credential.context" value="AGOV"/>
<property name="client.name" value="${param.shadow-accounts.client.name}"/>
<property name="user.loginId" value="${inargs:isiwebuserid}"/>
<property name="user.password" value="${inargs:isiwebpasswd}"/>
<!-- detail levels of the nevisIDM user data loaded on success -->
<property name="detaillevel.user" value="MEDIUM"/>
<property name="detaillevel.profile" value="LOW"/>
<property name="detaillevel.property" value="MEDIUM"/>
<property name="detaillevel.credential" value="MEDIUM"/>
<property name="detaillevel.certificate" value="MEDIUM"/>
<property name="detaillevel.default" value="EXCLUDE"/>
</AuthState>
<!-- Terminal error for the obligation-code path: logs the session out and returns the last nevisIDM error to the caller. This state is final and, unlike the other failure paths, does not run the STS_Audit_Failure script. -->
<AuthState name="Verify_Shadow_User_Error" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="true" resumeState="true">
<Response value="AUTH_ERROR">
<Gui name="ErrorDialog" label="error">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
</Gui>
</Response>
</AuthState>
<!-- After a successful check the AGOV context password is deleted so that the obligation code cannot be used a second time. -->
<!-- NOTE(review): "failed" and "noCredential" also continue to STS_Audit_Success, so a deletion failure still reports success to the caller while the code may remain valid. Confirm that the audit script or the caller can detect this case. -->
<AuthState name="Verify_Shadow_User_DeleteCredential" class="ch.nevis.idm.authstate.IdmDeleteCredentialState" final="false" resumeState="true">
<ResultCond name="failed" next="STS_Audit_Success"/>
<ResultCond name="noCredential" next="STS_Audit_Success"/>
<ResultCond name="ok" next="STS_Audit_Success"/>
<Response value="AUTH_ERROR"/>
<!-- uses a realm-specific property set instead of nevisIDM_Connector, presumably a connector whose account may delete credentials -->
<propertyRef name="${realm}_Verify_Shadow_User"/>
<property name="cred.context" value="AGOV"/>
<property name="cred.type" value="CONTEXT_PASSWORD"/>
</AuthState>
<!-- ***** Terminal States ***** -->
<!-- Runs the success audit script before the call completes; a script error turns the call into a failure (Authentication_Failed). -->
<AuthState name="STS_Audit_Success" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<ResultCond name="error" next="Authentication_Failed"/>
<ResultCond name="ok" next="Auth_Done"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<!-- script path is fixed on the nevisAuth host; keep it in sync with the failure script below -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_success.groovy"/>
</AuthState>
<!-- Successful end of every path: AUTH_DONE with the ContinueResponse GUI. -->
<AuthState name="Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
<Response value="AUTH_DONE">
<Gui name="ContinueResponse"/>
</Response>
</AuthState>
<!-- Runs the failure audit script; both script outcomes end in Authentication_Failed, so the script records the failure but cannot rescue the call. Reached from every failure path except the obligation-code errors, which end in Verify_Shadow_User_Error. -->
<AuthState name="STS_Audit_Failure" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<ResultCond name="error" next="Authentication_Failed"/>
<ResultCond name="ok" next="Authentication_Failed"/>
<Response value="AUTH_ERROR">
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_failure.groovy"/>
</AuthState>
<!-- Final AUTH_ERROR response for every failed call, with a generic error_99 message rather than the underlying cause. -->
<AuthState name="Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
<Response value="AUTH_ERROR">
<Gui name="Error">
<GuiElem name="info" type="error" label="error_99"/>
<GuiElem name="submit" type="button" label="continue.button.label"/>
</Gui>
</Response>
</AuthState>