2024-11-04 15:46:00 +00:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
|
|
|
|
|
<esauth-server instance="nai">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://8523f0587aa8cfa7008f8171 -->
|
2024-11-04 15:46:00 +00:00
|
|
|
<SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<LocalSessionStore maxSessions="100000"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<TokenAssembler name="DefaultTokenAssembler">
|
|
|
|
|
<Selector default="true"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2, pattern://8523f0587aa8cfa7008f8171 -->
|
2024-11-04 15:46:00 +00:00
|
|
|
<TokenSpec ttl="28800">
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.sessid" as="sessid"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.userid" as="userid"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.entryid" as="entryid"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.loginid" as="loginId"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.domain" as="domain"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<field src="session" key="ch.nevis.session.secroles" as="roles"/>
|
|
|
|
|
</TokenSpec>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<Signer key="DefaultSigner"/>
|
|
|
|
|
</TokenAssembler>
|
2024-11-11 09:31:45 +00:00
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
2024-11-04 15:46:00 +00:00
|
|
|
<KeyStore name="DefaultKeyStore">
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/nai-sh4r3d-default-default-signer/cert.pem" privateKey="/var/opt/keys/own/nai-sh4r3d-default-default-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/nai-sh4r3d-default-default-signer/keypass"/>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/nai-default-default-signer-trust/truststore.jks"/>
|
|
|
|
|
</KeyStore>
|
2024-11-15 18:29:17 +00:00
|
|
|
<!-- source: pattern://d9ea344685ab4a9bb0e1e3e7 -->
|
|
|
|
|
<KeyStore name="JwtToken">
|
|
|
|
|
<!-- source: pattern://d9ea344685ab4a9bb0e1e3e7 -->
|
|
|
|
|
<KeyObject name="tokensigner" certificate="/var/opt/keys/own/tokensigner/cert.pem" privateKey="/var/opt/keys/own/tokensigner/keystore.jks" passPhrase="pipe:///var/opt/keys/own/tokensigner/keypass"/>
|
|
|
|
|
</KeyStore>
|
2024-11-04 15:46:00 +00:00
|
|
|
</SessionCoordinator>
|
|
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
|
|
|
|
<LocalOutOfContextDataStore reaperPeriod="60"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://8523f0587aa8cfa7008f8171, pattern://6ec6739e824c8e56d9633622 -->
|
2024-11-07 06:53:12 +00:00
|
|
|
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin" propagateSession="false">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
2024-11-18 08:47:13 +00:00
|
|
|
<Domain name="MockRelam" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
|
|
|
|
<Entry method="authenticate" state="MockRelam_DispatchMockRequests"/>
|
|
|
|
|
<Entry method="stepup" state="MockRelam_Selector"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
</Domain>
|
2024-11-04 15:46:00 +00:00
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Domain name="cossa_realm" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
2024-11-22 08:14:35 +00:00
|
|
|
<Entry method="authenticate" state="cossa_realm_New_Dispatcher_Step"/>
|
|
|
|
|
<Entry method="authenticate" state="cossa_realm_New_Dispatcher_Step" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
2024-11-22 08:27:46 +00:00
|
|
|
<Entry method="logout" state="cossa_realm_AuthorizationServer"/>
|
|
|
|
|
<Entry method="logout" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
2024-11-04 15:46:00 +00:00
|
|
|
<Entry method="stepup" state="cossa_realm_Selector"/>
|
2024-11-22 08:14:35 +00:00
|
|
|
<Entry method="stepup" state="cossa_realm_New_Dispatcher_Step" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
2024-11-04 15:46:00 +00:00
|
|
|
</Domain>
|
2024-11-18 08:47:13 +00:00
|
|
|
<AuthState name="MockRelam_DispatchMockRequests" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
|
|
|
|
<!-- source: pattern://1641a38402138546573b7e71 -->
|
|
|
|
|
<ResultCond name="metadata" next="MockRelam_MetadataMock"/>
|
|
|
|
|
<!-- source: pattern://1641a38402138546573b7e71 -->
|
|
|
|
|
<ResultCond name="nomatch" next="MockRelam_KlpApiMock"/>
|
|
|
|
|
<!-- source: pattern://1641a38402138546573b7e71 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://1641a38402138546573b7e71 -->
|
|
|
|
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://1641a38402138546573b7e71 -->
|
|
|
|
|
<property name="condition:metadata" value="${request:currentResource:/metadata:true}"/>
|
|
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="MockRelam_MetadataMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
|
|
|
|
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
|
|
|
|
<Gui name="none"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
|
|
|
|
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_metadatamock.json"/>
|
|
|
|
|
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
|
|
|
|
<property name="contentType" value="application/json"/>
|
|
|
|
|
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
|
|
|
|
<property name="statusCode" value="200"/>
|
|
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="MockRelam_KlpApiMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
2024-11-12 19:49:38 +00:00
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
|
|
|
|
<Gui name="none"/>
|
|
|
|
|
</Response>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
2024-11-18 08:47:13 +00:00
|
|
|
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_klpapimock.json"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
|
|
|
|
<property name="contentType" value="application/json"/>
|
|
|
|
|
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
|
|
|
|
<property name="statusCode" value="200"/>
|
|
|
|
|
</AuthState>
|
2024-11-18 08:47:13 +00:00
|
|
|
<AuthState name="MockRelam_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
2024-11-18 08:47:13 +00:00
|
|
|
<ResultCond name="nomatch" next="MockRelam_Prepare_Done"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
|
|
|
|
</Response>
|
|
|
|
|
</AuthState>
|
2024-11-18 08:47:13 +00:00
|
|
|
<AuthState name="MockRelam_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
2024-11-18 14:52:24 +00:00
|
|
|
<ResultCond name="default" next="MockRelam_Auth_Done"/>
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Response value="AUTH_DONE">
|
|
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Gui name="ContinueResponse"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
|
|
|
|
</AuthState>
|
2024-11-18 08:47:13 +00:00
|
|
|
<AuthState name="MockRelam_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
2024-11-12 13:04:30 +00:00
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Response value="AUTH_DONE">
|
|
|
|
|
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
|
|
|
|
<Gui name="ContinueResponse"/>
|
|
|
|
|
</Response>
|
|
|
|
|
</AuthState>
|
2024-11-22 08:14:35 +00:00
|
|
|
<AuthState name="cossa_realm_New_Dispatcher_Step" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
|
|
|
|
<!-- source: pattern://9d599416f43a2414f36426a2 -->
|
|
|
|
|
<ResultCond name="idtoken" next="cossa_realm_TokenExchangeEndpoint"/>
|
|
|
|
|
<!-- source: pattern://9d599416f43a2414f36426a2 -->
|
2024-11-22 08:44:40 +00:00
|
|
|
<ResultCond name="nomatch" next="cossa_realm_New_Transform_Variables_Step"/>
|
2024-11-22 08:14:35 +00:00
|
|
|
<!-- source: pattern://9d599416f43a2414f36426a2 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://9d599416f43a2414f36426a2 -->
|
|
|
|
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://9d599416f43a2414f36426a2 -->
|
|
|
|
|
<property name="condition:idtoken" value="#{inargs.getOrDefault("subject_token_type","").equals("urn:ietf:params:oauth:token-type:id_token")}"/>
|
|
|
|
|
</AuthState>
|
2024-11-18 12:49:05 +00:00
|
|
|
<AuthState name="cossa_realm_TokenExchangeEndpoint" class="ch.adnovum.cossa.TokenExchangeEndpoint" authLevel="auth.weak" final="false" resumeState="true">
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
|
|
|
|
<ResultCond name="failed" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-22 13:47:53 +00:00
|
|
|
<ResultCond name="invalid_client" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-20 09:39:39 +00:00
|
|
|
<ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-22 13:47:53 +00:00
|
|
|
<ResultCond name="invalid_request" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
|
|
|
|
<ResultCond name="invalid_scope" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-18 12:49:05 +00:00
|
|
|
<ResultCond name="ok" next="cossa_realm_IdTokenVerification"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-22 13:47:53 +00:00
|
|
|
<ResultCond name="unauthorized_client" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
|
|
|
|
<ResultCond name="unsupported_grant_type" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-18 12:49:05 +00:00
|
|
|
<Response value="AUTH_CONTINUE">
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
|
|
|
|
<Gui name="Default"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-18 14:42:12 +00:00
|
|
|
<property name="dataSource" value="nevismeta"/>
|
2024-11-18 12:49:05 +00:00
|
|
|
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
2024-11-21 11:40:07 +00:00
|
|
|
<property name="nevismeta.location" value="https://hans.agov-d.azure.adnovum.net/nevismeta/rest/modules/oauthv2/setups/Setup_00000000000000000000000000000000/entities/"/>
|
2024-11-18 12:49:05 +00:00
|
|
|
</AuthState>
|
2024-11-22 08:44:40 +00:00
|
|
|
<AuthState name="cossa_realm_New_Transform_Variables_Step" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
|
|
|
|
|
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
|
|
|
|
<ResultCond name="ok" next="cossa_realm_AuthorizationServer"/>
|
|
|
|
|
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
|
|
|
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
|
|
|
|
<property name="inargs:grant_type" value="refresh_token"/>
|
2024-11-22 08:46:43 +00:00
|
|
|
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
|
|
|
|
<property name="inargs:refresh_token" value="${inargs:subject_token}"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="cossa_realm_auth_failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
|
|
|
|
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
|
|
|
|
<Gui name="Error">
|
|
|
|
|
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
|
|
|
|
<GuiElem name="info" type="error" label="error_99"/>
|
|
|
|
|
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
|
|
|
|
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
|
|
|
|
</Gui>
|
|
|
|
|
</Response>
|
|
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="cossa_realm_IdTokenVerification" class="ch.adnovum.cossa.IdTokenVerification" final="false" resumeState="false">
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
2024-11-26 13:25:05 +00:00
|
|
|
<ResultCond name="failed" next="cossa_realm_auth_failed"/>
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<ResultCond name="ok" next="cossa_realm_CallRestApi"/>
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<Response value="AUTH_CONTINUE">
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<Gui name="Default"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<property name="issuer" value="https://login.sandbox.pre.swissid.ch:443/idp/oauth2"/>
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<property name="clientId" value="klp-client"/>
|
|
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
2024-11-28 12:16:37 +00:00
|
|
|
<property name="well_known_url" value="https://login.sandbox.pre.swissid.ch:443/idp/oauth2"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
|
|
|
|
<property name="httpclient.tls.trustAll" value="true"/>
|
|
|
|
|
</AuthState>
|
2024-11-22 08:27:46 +00:00
|
|
|
<AuthState name="cossa_realm_AuthorizationServer" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false" resumeState="true">
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:04:08 +00:00
|
|
|
<ResultCond name="authenticate:valid-authorization-request" next="cossa_realm_New_Test_Login"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:27:03 +00:00
|
|
|
<ResultCond name="invalid-authorization-request" next="cossa_realm_auth_failed"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:29:17 +00:00
|
|
|
<ResultCond name="invalid-client" next="cossa_realm_JwtToken"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:27:03 +00:00
|
|
|
<ResultCond name="invalid-redirect-uri" next="cossa_realm_auth_failed"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:27:03 +00:00
|
|
|
<ResultCond name="invalid-token-request" next="cossa_realm_auth_failed"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-15 18:04:08 +00:00
|
|
|
<ResultCond name="stepup:valid-authorization-request" next="cossa_realm_New_Test_Login"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-12 14:48:39 +00:00
|
|
|
<property name="keystoreref" value="JwtToken"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-12 14:48:39 +00:00
|
|
|
<property name="keyobjectref" value="tokensigner"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-12 14:48:39 +00:00
|
|
|
<property name="keyID" value="tokensigner"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="openid.idTokenLifetime" value="600"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="authCodeLifetime" value="60"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="propagationScope" value="session"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
2024-11-22 08:27:46 +00:00
|
|
|
<property name="dataSource" value="nevisMeta"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="nevismeta.location" value="https://hans.agov-d.azure.adnovum.net/nevismeta/rest/modules/oauthv2/setups/Setup_00000000000000000000000000000000/entities/"/>
|
2024-11-11 11:49:22 +00:00
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="openid.support" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="openid.issuerId" value="https://cossa.agov-w.azure.adnovum.net"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.openid" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.openid.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.openid.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.openid.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.openid.clientCredentialsFlowPolicy" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.offline_access" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.offline_access.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.offline_access.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.offline_access.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.offline_access.clientCredentialsFlowPolicy" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.address" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.address.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.address.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.address.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.address.clientCredentialsFlowPolicy" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.profile" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.profile.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.profile.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.profile.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.profile.clientCredentialsFlowPolicy" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.email" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.email.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.email.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.email.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.email.clientCredentialsFlowPolicy" value="true"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.phone" value=""/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.phone.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.phone.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.phone.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
|
|
|
|
|
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
|
|
|
|
<property name="scope.phone.clientCredentialsFlowPolicy" value="true"/>
|
2024-11-15 17:58:01 +00:00
|
|
|
</AuthState>
|
2024-11-22 08:44:40 +00:00
|
|
|
<AuthState name="cossa_realm_CallRestApi" class="ch.adnovum.cossa.CallPolicyVerificationAPI" final="false" resumeState="false">
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:14:35 +00:00
|
|
|
<ResultCond name="failed" next="cossa_realm_Authentication_Failed"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-27 13:52:23 +00:00
|
|
|
<ResultCond name="invalid_grant" next="cossa_realm_Authentication_Failed"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:44:40 +00:00
|
|
|
<ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:14:35 +00:00
|
|
|
<Response value="AUTH_CONTINUE">
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:14:35 +00:00
|
|
|
<Gui name="Default"/>
|
|
|
|
|
</Response>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<property name="Issuer" value="https://login.sandbox.pre.swissid.ch:443/idp/oauth2"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:14:35 +00:00
|
|
|
<property name="clientId" value="klp-client"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<property name="jwkSetURL" value="https://klp.agov-w.azure.adnovum.net/api/endpoint"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
2024-11-22 08:14:35 +00:00
|
|
|
<property name="httpclient.tls.trustAll" value="true"/>
|
2024-11-22 08:44:40 +00:00
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<property name="evaluatePoliciesForAllProfiles" value="false"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<property name="klpURL" value="https://klp.agov-w.azure.adnovum.net/api/endpoint"/>
|
2024-11-22 08:14:35 +00:00
|
|
|
</AuthState>
|
2024-11-15 18:04:08 +00:00
|
|
|
<AuthState name="cossa_realm_New_Test_Login" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<ResultCond name="ok" next="cossa_realm_Prepare_Done" authLevel="1"/>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<Response value="AUTH_CONTINUE">
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<Gui name="Login" label="title.login.test">
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<GuiElem name="info" type="info" label="info.login.test"/>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<GuiElem name="isiwebuserid" type="text" label="prompt.userid" value="${notes:loginid}" optional="true"/>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<GuiElem name="isiwebpasswd" type="pw-text" label="prompt.password" optional="true"/>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<GuiElem name="submit" type="submit" label="submit.button.label" value="submit"/>
|
|
|
|
|
</Gui>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://635e4d617af6818edc9ae7c9 -->
|
|
|
|
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/new_test_login.groovy"/>
|
|
|
|
|
</AuthState>
|
2024-11-21 14:26:57 +00:00
|
|
|
<AuthState name="cossa_realm_JwtToken" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<Response value="AUTH_ERROR"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="out.audience" value="https://www.adnovum.ch"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="out.issuer" value="https://my.nevis.server"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="out.time_to_live" value="86400"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="token.algorithm" value="RS256"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="keystoreref" value="JwtToken"/>
|
|
|
|
|
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
|
|
|
|
<property name="keyobjectref" value="tokensigner"/>
|
2024-11-26 13:25:05 +00:00
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="cossa_realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<Gui name="Error">
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<GuiElem name="info" type="error" label="error_99"/>
|
|
|
|
|
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
|
|
|
|
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
|
|
|
|
</Gui>
|
|
|
|
|
</Response>
|
2024-11-22 08:14:35 +00:00
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="cossa_realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<ResultCond name="default" next="cossa_realm_Auth_Done"/>
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Response value="AUTH_DONE">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Gui name="ContinueResponse"/>
|
|
|
|
|
</Response>
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
|
|
|
|
</AuthState>
|
|
|
|
|
<AuthState name="cossa_realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Response value="AUTH_DONE">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Gui name="ContinueResponse"/>
|
|
|
|
|
</Response>
|
|
|
|
|
</AuthState>
|
2024-11-12 13:04:30 +00:00
|
|
|
<AuthState name="cossa_realm_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<ResultCond name="nomatch" next="cossa_realm_Prepare_Done"/>
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Response value="AUTH_ERROR">
|
|
|
|
|
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
|
|
|
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
|
|
|
|
</Response>
|
|
|
|
|
</AuthState>
|
2024-11-04 15:46:00 +00:00
|
|
|
</AuthEngine>
|
2024-11-11 10:39:25 +00:00
|
|
|
<!-- source: pattern://b0fedec4607e1e69103b8497 -->
|
2024-11-11 10:43:10 +00:00
|
|
|
<RESTService name="rest" class="ch.nevis.esauth.rest.service.tokenintrospection.TokenIntrospectionService" path="/oauth/introspect2/">
|
2024-11-11 10:39:25 +00:00
|
|
|
<!-- source: pattern://b0fedec4607e1e69103b8497 -->
|
2024-11-11 11:59:26 +00:00
|
|
|
<property name="authstates" value="cossa_realm_AuthorizationServer"/>
|
2024-11-11 10:39:25 +00:00
|
|
|
</RESTService>
|
2024-11-04 15:46:00 +00:00
|
|
|
</esauth-server>
|
