Merge pull request #675 from ITfoxtec/pre-master
Pre master
Revsgaard authored Nov 29, 2023
2 parents 8f03cbf + 5c885b8 commit 16cafd0
Showing 147 changed files with 1,624 additions and 827 deletions.
10 changes: 8 additions & 2 deletions FoxIDs.sln
Expand Up @@ -154,6 +154,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\howto-oidc-foxids-up-party-readredirect.png = docs\images\howto-oidc-foxids-up-party-readredirect.png
docs\images\howto-oidc-foxids-up-party.png = docs\images\howto-oidc-foxids-up-party.png
docs\images\howto-oidc-identityserver-readredirect.png = docs\images\howto-oidc-identityserver-readredirect.png
docs\images\howto-saml-claim-mappings.png = docs\images\howto-saml-claim-mappings.png
docs\images\howto-saml-context-handler-certificate.png = docs\images\howto-saml-context-handler-certificate.png
docs\images\howto-saml-context-handler-down-base-config.png = docs\images\howto-saml-context-handler-down-base-config.png
docs\images\howto-saml-context-handler-down-ct1.png = docs\images\howto-saml-context-handler-down-ct1.png
docs\images\howto-saml-context-handler-down-ct2.png = docs\images\howto-saml-context-handler-down-ct2.png
Expand All @@ -172,8 +174,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\howto-saml-nemlogin3-up-nameidformat.png = docs\images\howto-saml-nemlogin3-up-nameidformat.png
docs\images\howto-saml-nemlogin3-up-read-metadata.png = docs\images\howto-saml-nemlogin3-up-read-metadata.png
docs\images\howto-saml-nemlogin3-up-top.png = docs\images\howto-saml-nemlogin3-up-top.png
docs\images\howto-tracklink-foxids-down-party.png = docs\images\howto-tracklink-foxids-down-party.png
docs\images\howto-saml-privilege-claim-tf.png = docs\images\howto-saml-privilege-claim-tf.png
docs\images\howto-tracklink-foxids-down-party.png = docs\images\howto-tracklink-foxids-down-party.png
docs\images\howto-tracklink-foxids-up-party.png = docs\images\howto-tracklink-foxids-up-party.png
docs\images\master-tenant2.png = docs\images\master-tenant2.png
docs\images\parties-down-party-oauth.svg = docs\images\parties-down-party-oauth.svg
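Review bot: judging by the unchanged line count (8 lines before and after), the line `docs\images\howto-tracklink-foxids-down-party.png` is removed and the identical copy two lines below is kept, while `docs\images\howto-saml-privilege-claim-tf.png` is inserted in its alphabetical position; that is, a previously duplicated entry is replaced by the new image. Say so in the commit message so the apparent delete of a still-referenced image is not misread as dropping the file.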
Expand All @@ -193,16 +195,20 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\structure.svg = docs\images\structure.svg
docs\images\structure.vsdx = docs\images\structure.vsdx
docs\images\token-exchange-access-token-by-trust.svg = docs\images\token-exchange-access-token-by-trust.svg
docs\images\token-exchange-access-token-same-track.svg = docs\images\token-exchange-access-token-same-track.svg
docs\images\token-exchange-access-token-in-api.svg = docs\images\token-exchange-access-token-in-api.svg
docs\images\token-exchange-access-token-in-web-app.svg = docs\images\token-exchange-access-token-in-web-app.svg
docs\images\token-exchange-config-down-party.png = docs\images\token-exchange-config-down-party.png
docs\images\token-exchange-config-up-party.png = docs\images\token-exchange-config-up-party.png
docs\images\token-exchange-oauth-by-trust-down-party-client.png = docs\images\token-exchange-oauth-by-trust-down-party-client.png
docs\images\token-exchange-oauth-by-trust-up-party.png = docs\images\token-exchange-oauth-by-trust-up-party.png
docs\images\token-exchange-oauth-same-track-down-party.png = docs\images\token-exchange-oauth-same-track-down-party.png
docs\images\token-exchange-oidc-same-track-down-party.png = docs\images\token-exchange-oidc-same-track-down-party.png
docs\images\token-exchange-saml-by-trust-down-party-client.png = docs\images\token-exchange-saml-by-trust-down-party-client.png
docs\images\token-exchange-saml-by-trust-up-party.png = docs\images\token-exchange-saml-by-trust-up-party.png
docs\images\token-exchange-saml-by-trust.svg = docs\images\token-exchange-saml-by-trust.svg
docs\images\token-exchange.vsdx = docs\images\token-exchange.vsdx
docs\images\track.svg = docs\images\track.svg
docs\images\track.vsdx = docs\images\track.vsdx
docs\images\upload-risk-passwords-seed-client.png = docs\images\upload-risk-passwords-seed-client.png
EndProjectSection
EndProject
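Review bot: the entries this hunk adds (among them `token-exchange-access-token-same-track.svg`, `token-exchange-oauth-same-track-down-party.png`, `token-exchange-oidc-same-track-down-party.png` and `upload-risk-passwords-seed-client.png`) are solution-folder links only, so a missing file will not break a build and the mistake would go unnoticed; confirm each listed image is part of this PR and is referenced from a docs page, otherwise the entry is dead.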
2 changes: 1 addition & 1 deletion docs/claim-transform.md
@@ -1,6 +1,6 @@
# Claim transforms

Each FoxIDs up-party and down-party support configuring claim transforms. This means that two sets of claim transforms can be executed on each user authentication.
Each FoxIDs up-party and down-party handle [claims](claim.md) and support configuring claim transforms. This means that two sets of claim transforms can be executed on each user authentication.
First executing any claim transforms on the up-party and then any claim transforms on the down-party.

If you create a new claim in a claim transform the claim is per default not send from the up-party to the down-party or from the down-party to the application / API.
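Review bot: subject-verb agreement on the added line: with the singular subject "Each FoxIDs up-party and down-party", "handle ... and support" should read "handles ... and supports". While here, the unchanged line below, "is per default not send", should be "is by default not sent".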
16 changes: 14 additions & 2 deletions docs/claim.md
@@ -1,17 +1,29 @@
# Claims

Claims are processed through each [up-party](#up-party) and [down-party](#down-party), where it is possible to decide, which claims are transferred to the next step and to do [claim transforms](claim-transform.md).
Claims are processed first in the [up-party](#up-party) and then the [down-party](#down-party), where it is possible to decide, which claims are transferred to the next step and to do [claim transforms](claim-transform.md).

> All claim comparisons are case-sensitive.
The claims process starts in the [up-party](parties.md#up-party) when a user authenticates. There it is possible to do [claim transforms](claim-transform.md) and configure which claims have to be carried forward to the next step.
Then the claims process continues in the [down-party](parties.md#down-party) where it also is possible do claim transforms and configure which claims have to be issued to the application / API.
Then the claims process continues in the [down-party](parties.md#down-party) where it is also possible do claim transforms and configure which claims have to be issued to the application / API.

In a [Client Credentials Grant](down-party-oauth-2.0.md#client-credentials-grant) scenario, the claims process is only done in the down-party. The same goes for the claim transforms and the configuration of which claims have to be issued to the application / API.

## Up-party
In both an [OpenID Connect](up-party-oidc.md) and [SAML 2.0](up-party-saml-2.0.md) up-party claims are carried forward by adding them to the `Forward claims` list. All claims are carried forward if a wildcard `*` is added to the `Forward claims` list.

An up-party issues two claims which can be read in the down-party and used in [claim transforms](claim-transform.md). The claims always apply to the last up-party.
The up-party issued claims (default forward):

- `up_party` contain the the up-party name, the name is unique in a track.
- `up_party_type` contain the the up-party type: `login`, `oidc` or `saml`.

A `sub` claim and an access token revived from an external Identity Provider is nested with a pipe symbol (|) after the up_party name.
Examples:

- An external `sub` with the value `afeda2a3-c08b-4bbb-ab77-35138dd2ef2d` gets the nested value `the-up-party|afeda2a3-c08b-4bbb-ab77-35138dd2ef2d`
- An external access token with the value `eyJhG.cRwczov...nNjb3B.lIjoi` is added in the `access_token` claim with the nested value `the-up-party|eyJhG.cRwczov...nNjb3B.lIjoi`

## Down-party
In both an [OpenID Connect](down-party-oidc.md), [OAuth 2.0](down-party-oauth-2.0.md) and [SAML 2.0](down-party-saml-2.0.md) down-party claims are issued to the application / API by adding them to the `Issue claims` list. All claims are issued to the application / API if a wildcard `*` is added to the `Issue claims` list.

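Review bot: the new "up-party issued claims" section introduces an `access_token` claim that carries the external Identity Provider's access token (the `the-up-party|eyJhG...` example), and the same page says a wildcard `*` in `Forward claims` / `Issue claims` passes every claim through; add a sentence stating that the wildcard will therefore hand the external provider's access token to the application / API, and say whether `access_token` is excluded from `*` by default. Wording fixes on the added lines: "contain the the up-party name" and "contain the the up-party type" (duplicate "the", and "contains"), "revived" should be "received", and "it is also possible do claim transforms" is missing "to". The unchanged blockquote "> All claim comparisons are case-sensitive." is followed directly by a paragraph with no blank line, so Markdown's lazy continuation renders that paragraph inside the quote; insert a blank line after it.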
4 changes: 2 additions & 2 deletions docs/control.md
Expand Up @@ -39,11 +39,11 @@ Configure a number of tracks, one for each of your environments e.g. dev, qa and

Each track contains a user repository and a default created [login](login.md) up-party.

You can add [OAuth 2.0, OpenID Connect](oauth-2.0-oidc.md) and [SAML 2.0](saml-2.0.md) down-parties and up-parties in the Parties tab.
You can add [OpenID Connect](oidc.md), [OAuth 2.0](oauth-2.0.md) and [SAML 2.0](saml-2.0.md) down-parties and up-parties in the Parties tab.

![Configure down-parties and down-parties](images/configure-parties.png)

A track contains a primary certificate and possible a secondary certificate in the Certificates tab. It is possible to swap between the primary and secondary certificate if both is configured, depending on the [certificate](index.md#certificates) container type.
A track contains a primary certificate and possible a secondary certificate in the Certificates tab. It is possible to swap between the primary and secondary certificate if both is configured, depending on the [certificate](certificates.md) container type.

![Configure certificates](images/configure-certificate.png)

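Review bot: grammar on the added certificate line: "possible a secondary certificate" should be "possibly a secondary certificate" and "if both is configured" should be "if both are configured". The unchanged alt text two lines above, "Configure down-parties and down-parties", is presumably meant to be "Configure up-parties and down-parties".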
17 changes: 15 additions & 2 deletions docs/foxids-inside.md
@@ -1,5 +1,19 @@
# FoxIDs inside

## Structure

FoxIDs is divided into logical elements.

- **Tenant** contain the company, organization, individual etc. security service. A tenant contains tracks.
- **Track** is a production, QA, test etc. environment. Each track is an Identity Provider with a [user repository](users.md), a unique [certificate](certificates.md) and a track contains the up-parties and down-parties.
In some cases, it can be an advantage to place external connections in a separate tracks to configure connections specific certificates or log levels or just generalize the connections.
- **Up-party** is a upwards trust / federation with [OpenID Connect 1.0](up-party-oidc.md) and [SAML 2.0](up-party-saml-2.0.md) or [login](login.md) configuration.
- **Down-party** is a downward application configuration with [OAuth 2.0](down-party-oauth-2.0.md), [OpenID Connect 1.0](down-party-oidc.md) and [SAML 2.0](down-party-saml-2.0.md).

![FoxIDs structure](images/structure.svg)

> FoxIDs support unlimited tenants. Unlimited tracks in a tenant. Unlimited users and unlimited up-parties and down-parties in a track.
## Limitations

Basically, all strings handled in FoxIDs is limited in one way or the other for performance and security reasons. Strings is either truncated or an exception is thrown if they exceed the maximum allowed length.
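Review bot: grammar in the new Structure list: "**Tenant** contain" should be "contains", "is a upwards trust" should be "is an upward trust", "in a separate tracks" should be "in a separate track" or "in separate tracks", and "FoxIDs support unlimited tenants" should be "supports". Also put a blank line between the "> FoxIDs support ..." blockquote and the "## Limitations" heading so the quote is visibly closed before the next section.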
Expand All @@ -11,8 +25,7 @@ The URLs maximum allowed length is 10k (10,240) characters. The subsequently que

**Claim**
A claim has both at type and a value. The claim types maximum allowed length is 80 characters for JWT (access tokens and ID tokens) and 300 characters for SAML 2.0.
The claim values maximum length is 8,000 characters for all token types.
The limitation applies for each claim type and value separately.
When a token and thereby claim values is processed by FoxIDs the maximum length per value and combined length is 50,000 characters.

**Tokens**
A JWT (access tokens, ID tokens and refresh token) revived by FoxIDs is a allowed to have a maximum length of 50,000 characters. Claims revived is truncated if they exceed the maximum allowed lengths.
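Review bot: the new sentence "the maximum length per value and combined length is 50,000 characters" reads as if a single number applies to both the per-value and the combined limit; if that is intended, say it explicitly ("both the per-value and the combined length are limited to 50,000 characters"), otherwise state the two limits separately, and say which of the two behaviours from the intro applies when the limit is hit (truncation, as the Tokens paragraph says for received claims, or an exception). In the unchanged Tokens paragraph, "revived" should be "received" and "is a allowed" should be "is allowed".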
6 changes: 3 additions & 3 deletions docs/howto-connect.md
Expand Up @@ -22,7 +22,7 @@ Configure [OpenID Connect up-party](up-party-oidc.md) which trust an external Op
How to guides:

- Connect [IdentityServer](up-party-howto-oidc-identityserver.md)
- Connect [Azure AD (Microsoft Entra ID)](up-party-howto-oidc-azure-ad.md)
- Connect [Microsoft Entra ID (Azure AD)](up-party-howto-oidc-azure-ad.md)
- Connect [Azure AD B2C](up-party-howto-oidc-azure-ad-b2c.md)
- Connect [Signicat](up-party-howto-oidc-signicat.md)
- Connect [Nets eID Broker](up-party-howto-oidc-nets-eid-broker.md)
Expand All @@ -36,7 +36,7 @@ How to guides:
- Connect [PingIdentity / PingOne](up-party-howto-saml-2.0-pingone.md)
- Connect [Microsoft AD FS](up-party-howto-saml-2.0-adfs.md)
- Connect [NemLog-in (Danish IdP)](up-party-howto-saml-2.0-nemlogin.md)
- Connect [Context Handler (Danish identity broker)](howto-saml-2.0-context-handler.md#configuring-context-handler-as-identity-provider-idp)
- Connect [Context Handler (Danish identity broker)](howto-saml-2.0-context-handler.md#configuring-context-handler-as-identity-provider)

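Review bot: the anchor is changed from `#configuring-context-handler-as-identity-provider-idp` to `#configuring-context-handler-as-identity-provider`; this only works if the heading in howto-saml-2.0-context-handler.md was changed in the same PR to drop the "(IdP)" suffix, so verify the slug against that file (it is not shown here) or the link silently lands at the top of the page.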
## Down-party - How to become an Identity Provider (IdP)
When you configure a down-party with either OpenID Connect or SAML 2.0, FoxIDs become an OpenID Provider (OP) / Identity Provider (IdP).
Expand All @@ -51,7 +51,7 @@ Configure [SAML 2.0 down-party](down-party-saml-2.0.md) to be an Identity Provid

How to guides:

- Connect test IdP on [Context Handler (Danish identity broker)](howto-saml-2.0-context-handler.md#configuring-context-handler-as-relying-party-rp)
- Connect test IdP on [Context Handler (Danish identity broker)](howto-saml-2.0-context-handler.md#configuring-context-handler-as-test-relying-party)


## Connect FoxIDs tracks
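Review bot: same check as above for the Relying Party anchor, which moves from `#configuring-context-handler-as-relying-party-rp` to `#configuring-context-handler-as-test-relying-party`; the new slug requires a heading reading "Configuring Context Handler as test Relying Party" in howto-saml-2.0-context-handler.md, so confirm that heading exists in this PR.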
2 changes: 1 addition & 1 deletion docs/howto-oidc-foxids.md
Expand Up @@ -3,7 +3,7 @@
FoxIDs can be connected to another FoxIDs with OpenID Connect and thereby authenticating end users in another FoxIDs track or an external Identity Provider (IdP) configured as an up-party.
FoxIDs tracks can be interconnect in the same FoxIDs tenant or in different FoxIDs tenants. Interconnections can also be configured between FoxIDs tracks in different FoxIDs deployments.

> You can easy connect two tracks in the same tenant with a [track link](howto-tracklink-foxids.md).
> You can easily connect two tracks in the same tenant with a [track link](howto-tracklink-foxids.md).
The integration between two FoxIDs tracks support [OpenID Connect authentication](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) (login), [RP-initiated logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) and [front-channel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html). A session is established when the user authenticates and the session is invalidated on logout.

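Review bot: the added blockquote "> You can easily connect two tracks ..." is immediately followed by the paragraph "The integration between two FoxIDs tracks ..." with no blank line, so Markdown's lazy continuation pulls that paragraph into the quote; insert a blank line after the quote. In the unchanged lines, "can be interconnect" should be "can be interconnected" and "The integration ... support" should be "supports".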