Merge pull request #660 from ITfoxtec/pre-master
Pre master
Revsgaard authored Nov 10, 2023
2 parents 6b5e00a + 656b51b commit 0994e9d
Showing 24 changed files with 85 additions and 66 deletions.
5 changes: 2 additions & 3 deletions FoxIDs.sln
Expand Up @@ -53,8 +53,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
docs\email.md = docs\email.md
docs\faq.md = docs\faq.md
docs\foxids-inside.md = docs\foxids-inside.md
docs\howto-connect.md = docs\howto-connect.md
docs\get-started.md = docs\get-started.md
docs\howto-connect.md = docs\howto-connect.md
docs\howto-oidc-foxids.md = docs\howto-oidc-foxids.md
docs\howto-saml-2.0-context-handler.md = docs\howto-saml-2.0-context-handler.md
docs\howto-tracklink-foxids.md = docs\howto-tracklink-foxids.md
Expand Down Expand Up @@ -159,7 +159,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\howto-saml-context-handler-down-ct2.png = docs\images\howto-saml-context-handler-down-ct2.png
docs\images\howto-saml-context-handler-up-attributes.png = docs\images\howto-saml-context-handler-up-attributes.png
docs\images\howto-saml-context-handler-up-nameidformat.png = docs\images\howto-saml-context-handler-up-nameidformat.png
docs\images\howto-saml-context-handler-up-privilege-claim-tf.png = docs\images\howto-saml-context-handler-up-privilege-claim-tf.png
docs\images\howto-saml-context-handler-up-read-metadata.png = docs\images\howto-saml-context-handler-up-read-metadata.png
docs\images\howto-saml-nemlogin3-certificate-container-type.png = docs\images\howto-saml-nemlogin3-certificate-container-type.png
docs\images\howto-saml-nemlogin3-certificate.png = docs\images\howto-saml-nemlogin3-certificate.png
Expand All @@ -171,10 +170,10 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\howto-saml-nemlogin3-up-claims.png = docs\images\howto-saml-nemlogin3-up-claims.png
docs\images\howto-saml-nemlogin3-up-contact.png = docs\images\howto-saml-nemlogin3-up-contact.png
docs\images\howto-saml-nemlogin3-up-nameidformat.png = docs\images\howto-saml-nemlogin3-up-nameidformat.png
docs\images\howto-saml-nemlogin3-up-privilege-claim-tf.png = docs\images\howto-saml-nemlogin3-up-privilege-claim-tf.png
docs\images\howto-saml-nemlogin3-up-read-metadata.png = docs\images\howto-saml-nemlogin3-up-read-metadata.png
docs\images\howto-saml-nemlogin3-up-top.png = docs\images\howto-saml-nemlogin3-up-top.png
docs\images\howto-tracklink-foxids-down-party.png = docs\images\howto-tracklink-foxids-down-party.png
docs\images\howto-saml-privilege-claim-tf.png = docs\images\howto-saml-privilege-claim-tf.png
docs\images\howto-tracklink-foxids-up-party.png = docs\images\howto-tracklink-foxids-up-party.png
docs\images\master-tenant2.png = docs\images\master-tenant2.png
docs\images\parties-down-party-oauth.svg = docs\images\parties-down-party-oauth.svg
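Review bot: the added `docs\images\howto-saml-privilege-claim-tf.png` entry is placed after `docs\images\howto-tracklink-foxids-down-party.png`, which breaks the alphabetical ordering this solution-items block otherwise keeps (the first hunk of this file reorders `get-started.md` and `howto-connect.md` for exactly that reason). Move the line up so it sits between the `howto-saml-nemlogin3-up-top.png` entry and `howto-tracklink-foxids-down-party.png`.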
21 changes: 15 additions & 6 deletions docs/claim-transform-dk-privilege.md
@@ -1,6 +1,6 @@
# DK privilege - claim transforms

FoxIDs support claim transforms of DK privilege used in Danish IdPs like [NemLog-in](up-party-howto-saml-2.0-nemlogin.md) and [Context Handler](howto-saml-2.0-context-Handler.md).
FoxIDs support claim transforms of DK privilege used in Danish [NemLog-in](up-party-howto-saml-2.0-nemlogin.md) and [Context Handler](howto-saml-2.0-context-Handler.md) IdPs.

Supported privilege standard:
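Review bot: the link target `howto-saml-2.0-context-Handler.md` (capital H) does not match the file this same commit edits, `docs/howto-saml-2.0-context-handler.md`; on case-sensitive hosting the link will 404. Use the lowercase filename. Also `FoxIDs support claim transforms` should read `FoxIDs supports claim transforms`.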

Expand All @@ -9,14 +9,23 @@ Supported privilege standard:
- FoxIDs support both to read the base64-encoded privilege string from the standard claim `https://data.gov.dk/model/core/eid/privilegesIntermediate` and a custom defined claim.

## Configuring DK privilege - claim transforms
The DK privilege can both be configured in a SAML 2.0 up-party and down-party and furthermore in a OpenID Connect up-party and down-party.
The DK privilege can both be configured in a SAML 2.0 up-party and down-party and likewise in a OpenID Connect up-party and down-party.

DK privilege claim transforms in [FoxIDs Control Client](control.md#foxids-control-client):
- In SAML 2.0 the DK privilege claim transformer default read the standard claim `https://data.gov.dk/model/core/eid/privilegesIntermediate` and issue the transformed claim `http://schemas.foxids.com/identity/claims/privilege`.
- In OpenID Connect the DK privilege claim transformer default read the standard claim `privileges_intermediate` and issue the transformed claim `privilege`.

- SAML 2.0 up-party and down-party default read the standard claim `https://data.gov.dk/model/core/eid/privilegesIntermediate` and issues transformed claims in `http://schemas.foxids.com/identity/claims/privilege`.
- OpenID Connect up-party and down-party default read the claim `privileges_intermediate` and issues transformed claims in `privilege`.
Configure the DK privilege claim transformer on SAML 2.0 up-party in [FoxIDs Control Client](control.md#foxids-control-client):

> Remember to add a [claim mapping](saml-2.0.md#claim-mappings) from SAML `http://schemas.foxids.com/identity/claims/privilege` to JWT `privilege` in the settings section. If you use a [SAML 2.0 up-party](up-party-saml-2.0.md) and a [OpenID Connect down-party](down-party-oidc.md).
1. Select the Claim transform tab
1. Click Add claim transform and click DK XML privilege to JSON.
1. Then again, click Add claim transform and click Match claim.
2. Select to remove the original privilege claim `https://data.gov.dk/model/core/eid/privilegesIntermediate` from the claims pipeline.
3. Click update

![Context Handler SAML 2.0 up-party privilege claim transformation](images/howto-saml-privilege-claim-tf.png)


> Remember to add a [claim mapping](saml-2.0.md#claim-mappings) from SAML `http://schemas.foxids.com/identity/claims/privilege` to JWT `privilege` in the settings section. If you e.g. use a [SAML 2.0 up-party](up-party-saml-2.0.md) and a [OpenID Connect down-party](down-party-oidc.md).
## Model 2
The DK privilege claim is transformed into a list of claims, one claim for each group. The XML PrivilegeGroup element is transformed into a JSON object and serialized as a string.
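Review bot: `a OpenID Connect up-party` should be `an OpenID Connect up-party`, and the step list is numbered `1. 1. 1. 2. 3.`; number it 1 to 5 so the source matches the rendered order. The closing quote `If you e.g. use a [SAML 2.0 up-party] ... and a [OpenID Connect down-party].` is a sentence fragment; join it to the preceding sentence, e.g. `... in the settings section if you use a SAML 2.0 up-party together with an OpenID Connect down-party.` Step 4, removing the original `https://data.gov.dk/model/core/eid/privilegesIntermediate` claim from the claims pipeline, deserves a sentence of motivation: once the JSON claim is issued, forwarding the base64-encoded XML as well only enlarges the token, which is the size argument the NemLog-in guide in this commit makes for the transform.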
4 changes: 3 additions & 1 deletion docs/howto-saml-2.0-context-handler.md
Expand Up @@ -110,7 +110,9 @@ Furthermore, it makes the tokens readable.
2. Remove the original privilege claim from the claims pipeline.
3. Click update

![Context Handler SAML 2.0 up-party privilege claim transformation](images/howto-saml-context-handler-up-privilege-claim-tf.png)
![Context Handler SAML 2.0 up-party privilege claim transformation](images/howto-saml-privilege-claim-tf.png)

> Remember to add a claim mapping from SAML `http://schemas.foxids.com/identity/claims/privilege` to JWT `privilege` please see next section 4).
**4 - Add SAML 2.0 claim to JWT claim mappings in [FoxIDs Control Client](control.md#foxids-control-client)**
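Review bot: the quote `> Remember to add a claim mapping ... please see next section 4).` is immediately followed by the bold `**4 - Add SAML 2.0 claim to JWT claim mappings ...**` line with no blank line between them; in CommonMark the next line becomes a lazy continuation of the block quote, so the section header renders inside the quote. Insert a blank line after the quote while touching this region. `please see next section 4)` also reads awkwardly; `see section 4 below` is cleaner.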

Binary file not shown.
Binary file modified docs/images/howto-saml-nemlogin3-certificate.png
Binary file modified docs/images/howto-saml-nemlogin3-up-claims.png
Binary file modified docs/images/howto-saml-nemlogin3-up-nameidformat.png
Binary file not shown.
Binary file added docs/images/howto-saml-privilege-claim-tf.png
73 changes: 39 additions & 34 deletions docs/up-party-howto-saml-2.0-nemlogin.md
@@ -1,39 +1,45 @@
# Up-party - Connect NemLog-in with SAML 2.0

FoxIDs can be connected to NemLog-in (Danish IdP) with a [up-party SAML 2.0](up-party-saml-2.0.md). Where NemLog-in is a SAML 2.0 Identity Provider and FoxIDs is acting as an SAML 2.0 Relying Party (RP) / Service Provider (SP).
You can connect FoxIDs to NemLog-in (Danish IdP) with a [up-party SAML 2.0](up-party-saml-2.0.md) and let the users authenticate with MitID. NemLog-in is connected as a SAML 2.0 Identity Provider (IdP).

> NemLog-in give your users access to authenticate with MitID.
By configuring an [SAML 2.0 up-party](up-party-saml-2.0.md) and a [OpenID Conect down-party](down-party-oidc.md) FoxIDs become a bridge between SAML 2.0 and OpenID Connect.
FoxIDs will then handle the SAML 2.0 connection as a Relying Party (RP) / Service Provider (SP) and you only need to care about OpenID Connect in your application. If needed, you can possibly select multiple up-parties from the same OpenID Connect down-party.

NemLog-in (currently called NemLog-in3) is a Danish Identity Provider (IdP) which uses the SAML 2.0 based OIOSAML 3. FoxIDs support NemLog-in / OIOSAML 3 including logging, issuer naming, required certificates and it is possible to support NSIS.
![Connect to NemLog-in](images/how-to-nemlogin.svg)

> Transforms the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim.
FoxIDs support NemLog-in and the SAML 2.0 based OIOSAML3 including single logout (SLO), logging, issuer naming, required OCES3 certificates and it is possible to support NSIS.

NemLog-in documentation and configuration:
> You can test NemLog-in login with the [online web app sample](https://aspnetcoreoidcallupsample.itfoxtec.com) ([sample docs](samples.md#aspnetcoreoidcauthcodealluppartiessample)) by clicking `Log in` and then `Danish NemLog-in TEST` for the test environment or `Danish NemLog-in` for production.
> The sample is configured with a separate track for the NemLog-in SAML 2.0 integration and another track for the OpenId Connect based sample application.
NemLog-in documentation:
- The [NemLog-in development portal](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/) with documentation
- [test](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/integrationstestmiljo/), where you can find the NemLog-in IdP-metadata for test and OCES3 test certificates
- [test](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/integrationstestmiljo/), where you can find the NemLog-in IdP-metadata for test and OCES3 test certificate (everyone can use the same test certificate in NemLog-ins test environment)
- [production](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/produktionsmiljo/), where you can find the NemLog-in IdP-metadata for production
- Create OCES3 production certificate in the [certificate administration](https://erhvervsadministration.nemlog-in.dk/certificates)
- The [NemLog-in administration portal](https://administration.nemlog-in.dk/) where you configure IT-systems
- Test environment
- Create citizens test users in [MitID emulator](https://pp.mitid.dk/test-tool/frontend/#/create-identity)
- Create citizens and employee test users in [MitID simulator](https://mitidsimulator.test-nemlog-in.dk/Home/Create) (login with username and password)
- OCES3 certificate - [create an organization](https://testportal.test-devtest4-nemlog-in.dk/TU) and [create OCES3 certificates](https://erhvervsadministration.devtest4-nemlog-in.dk/certificates)

> A sample showing the NemLog-in integrations is configured in the FoxIDs `test-corp` with the up-party name `nemlogin_oidc`. The configuration uses a separate track where the NemLog-in integrations is configured and converted from SAMl 2.0 to OpenId Connect.
> You can test NemLog-in login with the `AspNetCoreOidcAuthorizationCodeSample` [sample](samples.md#aspnetcoreoidcauthorizationcodesample) application by clicking `OIDC NemLog-in Log in` or by clicking `Log in` and then `Danish NemLog-in`.
> Transform the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim.
## Consider separate track

NemLog-in requires the Relying Party (RP) to use a OSES certificate and a high level of logging. Therefore, consider connecting NemLog-in in a separate track where the OCES3 certificate and log level can be configured without affecting any other configuration.
NemLog-in requires the Relying Party (RP) to use a OSES3 certificate and [extensive logging](#logging). Therefore, consider connecting NemLog-in in a separate track where the OCES3 certificate and log level can be configured without affecting anything else.

![Connect to NemLog-in and use track link](images/how-to-nemlogin-track-link.svg)

You can easy connect two tracks in the same tenant with a [track link](howto-tracklink-foxids.md).
You can connect two tracks in the same tenant with a [track link](howto-tracklink-foxids.md).

## Certificate

NemLog-in requires all requests (authn and logout) from the Relying Party (RP) to be signed. Furthermore, NemLog-in requires the RP to sign with a OCES3 certificate. It is not possible to use a certificate issued by another certificate authority, a self-signed certificate or a certificate issued by FoxIDs.

An OCES3 certificate is valid for three years. After that, it must be updated manually.
OCES3 test certificates are use in the test environment and OCES3 production certificates are used in production. An OCES3 certificate is valid for three years. After that, it must be updated manually.
You will need separate FoxIDs tracks to handle the test and production environments respectively. The tracks can optionally be combined in an app track with [track links](howto-tracklink-foxids.md).

> If the `.P12` file fails to load, you can convert it to a `.PFX` file with the [FoxIDs.ConvertCertificateTool](https://github.com/ITfoxtec/FoxIDs/tree/master/tools/FoxIDs.ConvertCertificateTool).
> If the `.P12` file fails to load in FoxIDs, you can convert it to a `.PFX` file with the [FoxIDs.ConvertCertificateTool](https://github.com/ITfoxtec/FoxIDs/tree/master/tools/FoxIDs.ConvertCertificateTool).
Add the `.P12` OCES3 certificate in [FoxIDs Control Client](control.md#foxids-control-client):
1. Select (or create) the track to be used for NemLog-in
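Review bot: two block quotes in this hunk run straight into ordinary text with no blank line: `> The sample is configured with a separate track ...` is followed directly by `NemLog-in documentation:`, and `> If the `.P12` file fails to load in FoxIDs ...` is followed directly by `Add the `.P12` OCES3 certificate in ...`. CommonMark treats both following lines as lazy continuations, so the list intro and the certificate instructions render inside the quotes; add a blank line after each quote. Typos in the new lines: `a OSES3 certificate` should be `an OCES3 certificate` (the spelling used everywhere else in the file), `OpenID Conect` should be `OpenID Connect`, `a [up-party SAML 2.0]` should be `an up-party`, `an [SAML 2.0 up-party]` should be `a SAML 2.0 up-party`, and `OCES3 test certificates are use in` should be `are used in`.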
Expand All @@ -42,7 +48,7 @@ Add the `.P12` OCES3 certificate in [FoxIDs Control Client](control.md#foxids-co

![Change container type](images/howto-saml-nemlogin3-certificate-container-type.png)

4. Then click on the primary certificate, then write the password and upload the `.P12` OCES3 certificate
4. Then click on the primary certificate, then write the password and upload the `.P12` / `.PFX` OCES3 certificate

![Add OCES3 certificate](images/howto-saml-nemlogin3-certificate.png)

Expand All @@ -52,7 +58,7 @@ It is subsequently possible to add a secondary certificate and to swap between t

> You need to [configure the OCES3 certificate](#certificate) before following this configuration.
**1 - Start by creating an SAML 2.0 up-party in [FoxIDs Control Client](control.md#foxids-control-client)**
**1) - Start by creating an SAML 2.0 up-party in [FoxIDs Control Client](control.md#foxids-control-client)**

1. Select the Parties tab and then the Up-parties
2. Click Create up-party and then SAML 2.0
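Review bot: the quote `> You need to [configure the OCES3 certificate](#certificate) before following this configuration.` is directly followed by the renamed `**1) - Start by creating an SAML 2.0 up-party ...**` line without a blank line, so the bold step header becomes a lazy continuation of the quote; add a blank line between them. Also `an SAML 2.0 up-party` should be `a SAML 2.0 up-party`.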
Expand All @@ -69,10 +75,11 @@ It is subsequently possible to add a secondary certificate and to swap between t

![NemLog-in SAML 2.0 up-party](images/howto-saml-nemlogin3-up-read-metadata.png)

10. Configure a custom SP issuer, the issuer is required to start with `https://saml.`
- The issuer in this example `https://saml.foxids.com/test-corp/nemlogin-test/`
10. Configure a custom SP issuer, the issuer can start with `https://saml.`
- The issuer in this example is `https://saml.foxids.com/test-corp/nemlogin-test/`
11. Remove the `*` and configure claims, the following claims is most often used:
- `https://data.gov.dk/concept/core/nsis/loa`
- `https://data.gov.dk/model/core/eid/cprNumber`
- `https://data.gov.dk/model/core/eid/cprUuid`
- `https://data.gov.dk/model/core/eid/email`
- `https://data.gov.dk/model/core/eid/firstName`
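Review bot: step 10 changes the custom SP issuer from `is required to start with https://saml.` to `can start with https://saml.`, which drops a stated requirement without saying what the actual constraint now is. If NemLog-in no longer mandates the prefix, say so explicitly and state whether it is still recommended; if it is still required, keep the original wording. Separately, `the following claims is most often used` should be `are most often used`.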
Expand All @@ -81,6 +88,7 @@ It is subsequently possible to add a secondary certificate and to swap between t
- `https://data.gov.dk/model/core/eid/professional/orgName`
- `https://data.gov.dk/model/core/eid/professional/rid`
- `https://data.gov.dk/model/core/specVersion`
- optionally include the privilege claim, see step 3)

![NemLog-in SAML 2.0 up-party](images/howto-saml-nemlogin3-up-claims.png)

Expand All @@ -104,51 +112,48 @@ It is subsequently possible to add a secondary certificate and to swap between t
20. Download the SAML 2.0 up-party SP-metadata, in this case https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata.
21. The SP-metadata file is used to configure the NemLog-in IT system.

**2 - Then go to the [NemLog-in adminstration protal](https://administration.nemlog-in.dk/)**
**2) - Then go to the [NemLog-in adminstration protal](https://administration.nemlog-in.dk/)**

> You need to create an NemLog-in IT-system or have someone else creating an NemLog-in IT-system and assign you access.
First you need to create an NemLog-in IT-system or have someone else creating an NemLog-in IT-system and assign you access.

1. Select the IT-system
2. Click upload metadata file and upload the SAML 2.0 up-party SP-metadata file
3. Go back to the IT-system
4. Click the button Save the technical details
5. Click Provision to integrationtest and then click Apply for integration test

**3 - Optionally - add privilege claim transformation in [FoxIDs Control Client](control.md#foxids-control-client)**
> To configure production you need to upload a test report, have it approved and then repeat the FoxIDs and NemLog-in configuration.
**3) - Optionally - add privilege claim transformation in [FoxIDs Control Client](control.md#foxids-control-client)**

*Optionally, if you are using the privilege claim.*

FoxIDs can transforms the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim. It is recommended to add the transformation in order to obtain smaller claims and tokens.
FoxIDs can transforms the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim. It is recommended to add the transformation in order to obtain smaller claims and tokens.
Furthermore, it makes the tokens readable.

1. Set the privilege claim depending of the Context Handler version.
1. Add the DK privilege claim transformer.
2. Remove the original privilege claim from the claims pipeline.

![NemLog-in SAML 2.0 up-party privilege claim transformation](images/howto-saml-nemlogin3-up-privilege-claim-tf.png)
![NemLog-in SAML 2.0 up-party privilege claim transformation](images/howto-saml-privilege-claim-tf.png)

**4 - Add SAML 2.0 claim to JWT claim mappings in [FoxIDs Control Client](control.md#foxids-control-client)**

FoxIDs internally converts SAML 2.0 clams to JWT claims. NemLog-in / OIOSAML 3 defines a set of SAML 2.0 claims where JWT mappings need to be added.
FoxIDs internally converts SAML 2.0 clams to JWT claims. NemLog-in / OIOSAML3 defines a set of SAML 2.0 claims where JWT mappings need to be added.

1. Go to Settings tab and Claim mappings
2. Add mappings for all the claims configured in step 1.11, you can create you own short JWT claim names if no standard name exist
1. Go to the Settings tab and Claim mappings
2. Add mappings for all the claims configured in step 1.11, optionally also include mapping for the privilege claim, you can create you own short JWT claim names
3. Click update

![Claim mappings](images/howto-saml-nemlogin3-claim-mappings.png)

You are done. The SAML 2.0 up-party can now be used as an up-party for down-parties in the track.

> A down-party will only issue added claims.
> Therefore, remember to add the JWT claims to OpenID Connect down-parties.
See [Consider separate track](#consider-separate-track) on how to connect the NemLog-in track.
The SAML 2.0 up-party can now be used as an up-party for down-parties in the track.

## Logging

NemLog-in requires requests and responses to be logged including the signature proof and stored for half a year (180 days). It is also required to log which identity have done login and logout of which session, at what time and the IP address.
NemLog-in requires requests and responses to be logged including the signature proof and stored for half a year (180 days). It is also required to log which identity has login and logout of which session, at what time and the IP address.
[FoxIDs default log](logging.md) errors and events including the time and the IP address.

> FoxIDs.com stores log data between 90 days to 180 days depending on the selected plan.
> [FoxIDs.com](https://www.foxids.com) stores log data between 90 days to 180 days depending on the selected plan.
It can be configured which logs should be logged to the Application Insights which is part of the FoxIDs installation or to an external repository with a [log stream](logging.md#log-stream).
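Review bot: the logging section states that NemLog-in requires requests and responses, including the signature proof, to be stored for 180 days, while the note beneath says FoxIDs.com stores log data `between 90 days to 180 days depending on the selected plan`. Spell out the consequence: a plan with less than 180-day retention does not on its own satisfy the requirement, and a [log stream](logging.md#log-stream) to an external repository, mentioned in the following sentence, is then needed to keep the records for the full period (and `between 90 days to 180 days` should be `between 90 and 180 days`). Wording: `which identity has login and logout of which session` is ungrammatical; `which identity has logged in and out of which session` reads better. Typos carried over into the new lines: `adminstration protal` (administration portal), `an NemLog-in IT-system` (a NemLog-in IT-system), `FoxIDs can transforms` (can transform), `SAML 2.0 clams` (claims), `create you own` (your own). The quote `> To configure production you need to upload a test report ...` is immediately followed by `**3) - Optionally ...**` with no blank line, so that header renders inside the quote. The two `FoxIDs can transforms the [DK privilege XML claim] ...` lines are textually identical in the rendered diff, which suggests a whitespace-only change; confirm that was intended.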

2 changes: 1 addition & 1 deletion src/FoxIDs.Control/FoxIDs.Control.csproj
Expand Up @@ -2,7 +2,7 @@

<PropertyGroup>
<TargetFramework>net7.0</TargetFramework>
<Version>1.1.4.0</Version>
<Version>1.1.5.0</Version>
<RootNamespace>FoxIDs</RootNamespace>
<Authors>Anders Revsgaard</Authors>
<Company>ITfoxtec</Company>
2 changes: 1 addition & 1 deletion src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
Expand Up @@ -2,7 +2,7 @@

<PropertyGroup>
<TargetFramework>net7.0</TargetFramework>
<Version>1.1.4.0</Version>
<Version>1.1.5.0</Version>
<RootNamespace>FoxIDs.Client</RootNamespace>
<Authors>Anders Revsgaard</Authors>
<Company>ITfoxtec</Company>