Merge pull request #700 from ITfoxtec/pre-master

Pre master

FoxIDs.sln

@@ -37,6 +37,7 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FoxIDs.SharedBase", "src\Fo
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-DD55-49F6-B7AF-8162E9DA4CAF}"
 	ProjectSection(SolutionItems) = preProject
+		docs\bridge.md = docs\bridge.md
 		docs\certificates.md = docs\certificates.md
 		docs\claim-transform-dk-privilege.md = docs\claim-transform-dk-privilege.md
 		docs\claim-transform.md = docs\claim-transform.md
@@ -54,6 +55,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\faq.md = docs\faq.md
 		docs\foxids-inside.md = docs\foxids-inside.md
 		docs\get-started.md = docs\get-started.md
+		docs\gs-context-handler.md = docs\gs-context-handler.md
+		docs\gs-nemlogin.md = docs\gs-nemlogin.md
 		docs\howto-connect.md = docs\howto-connect.md
 		docs\howto-oidc-foxids.md = docs\howto-oidc-foxids.md
 		docs\howto-saml-2.0-context-handler.md = docs\howto-saml-2.0-context-handler.md
@@ -91,6 +94,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB88126F-3F28-4511-93E1-2454E239E9C7}"
 	ProjectSection(SolutionItems) = preProject
+		docs\images\bridge.vsdx = docs\images\bridge.vsdx
 		docs\images\configure-authorization-code-flow-pkce.png = docs\images\configure-authorization-code-flow-pkce.png
 		docs\images\configure-authorization-code-flow.png = docs\images\configure-authorization-code-flow.png
 		docs\images\configure-certificate.png = docs\images\configure-certificate.png
@@ -162,6 +166,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\howto-saml-context-handler-down-base-config.png = docs\images\howto-saml-context-handler-down-base-config.png
 		docs\images\howto-saml-context-handler-down-ct1.png = docs\images\howto-saml-context-handler-down-ct1.png
 		docs\images\howto-saml-context-handler-down-ct2.png = docs\images\howto-saml-context-handler-down-ct2.png
+		docs\images\howto-saml-context-handler-test-user1.png = docs\images\howto-saml-context-handler-test-user1.png
 		docs\images\howto-saml-context-handler-up-attributes.png = docs\images\howto-saml-context-handler-up-attributes.png
 		docs\images\howto-saml-context-handler-up-nameidformat.png = docs\images\howto-saml-context-handler-up-nameidformat.png
 		docs\images\howto-saml-context-handler-up-read-metadata.png = docs\images\howto-saml-context-handler-up-read-metadata.png

README.md

@@ -1,24 +1,28 @@
 # [FoxIDs](https://www.foxids.com)
 
-FoxIDs is an open-source Identity Services (IDS) supporting [login](https://www.foxids.com/docs/login), [OAuth 2.0](https://www.foxids.com/docs/oauth-2.0), [OpenID Connect 1.0](https://www.foxids.com/docs/oidc), [SAML 2.0](https://www.foxids.com/docs/saml-2.0) and convention between [OpenID Connect and SAML 2.0](https://www.foxids.com/docs/parties).  
+FoxIDs is an open-source Identity Services (IDS) supporting [login](https://www.foxids.com/docs/login), [OAuth 2.0](https://www.foxids.com/docs/oauth-2.0), [OpenID Connect 1.0](https://www.foxids.com/docs/oidc), [SAML 2.0](https://www.foxids.com/docs/saml-2.0) and convention between [OpenID Connect and SAML 2.0](https://www.foxids.com/docs/parties).
+
+> Developed in Denmark and hosted in Netherlands, ownership and data is kept in Europe.
+
 FoxIDs handles multi-factor authentication (MFA) / two-factor authentication (2FA) with support for two-factor authenticator app.
 
+FoxIDs is designed as a container with multi-tenant support. 
+
 > For [Get started](https://www.foxids.com/docs/get-started) guide and more documentation please see the [documentation](https://www.foxids.com/docs).
 
-FoxIDs is designed as a container with multi-tenant support. FoxIDs can be deployed and use by e.g. a single company or deployed as a shared cloud container and used by multiple organisations, companies or everyone with the need.  
+FoxIDs can be deployed and use by e.g. a single company or deployed as a shared cloud container and used by multiple organisations, companies or everyone with the need.  
+
+- Use FoxIDs as an Identity as a Service (IDaaS) at [FoxIDs.com](https://foxids.com).
+- Or [deployed](https://www.foxids.com/docs/deployment) FoxIDs as your own private cloud on Microsoft Azure.
+
 Separation is ensured at the tenant level and in each tenant separated by tracks. The tracks in a tenant segmentate environments, e.g. test, QA and production and e.g. trusts to external or internal IdPs.
 
 FoxIDs consist of two services:
 
 - Identity service called FoxIDs handling user login and all other security traffic.
 - Client and API called FoxIDs Control. The FoxIDs Control Client is used to configure FoxIDs, or alternatively by calling the FoxIDs Control API directly.
 
-Deployment or as a service:
-
-- FoxIDs is a cloud service ready to be [deployed](https://www.foxids.com/docs/deployment) in you Azure tenant.
-- Or you can use FoxIDs as an Identity as a Service (IDaaS) at [FoxIDs.com](https://foxids.com).
-
-> FoxIDs is .NET 7.0 and the FoxIDs Control Client is Blazor .NET 7.0.
+> FoxIDs is .NET 8.0 and the FoxIDs Control Client is Blazor .NET 8.0.
 
 ## Deployment
 

azuredeploy.json

@@ -420,7 +420,7 @@
         "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]"
       ],
       "properties": {
-        "netFrameworkVersion": "v7.0",
+        "netFrameworkVersion": "v8.0",
         "ApplicationInsights:ConnectionString": "[reference(concat('microsoft.insights/components/', variables('foxidsDefaultName'))).ConnectionString]",
         "Settings:FoxIDsEndpoint": "[variables('foxidsSiteEndpoint')]",
         "Settings:CosmosDb:EndpointUri": "[reference(concat('Microsoft.DocumentDb/databaseAccounts/', variables('foxidsDefaultName'))).documentEndpoint]",
@@ -439,7 +439,7 @@
         "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]"
       ],
       "properties": {
-        "netFrameworkVersion": "v7.0",
+        "netFrameworkVersion": "v8.0",
         "ApplicationInsights:ConnectionString": "[reference(concat('microsoft.insights/components/', variables('foxidsDefaultName'))).ConnectionString]",
         "Settings:FoxIDsEndpoint": "[variables('foxidsSiteEndpoint')]",
         "Settings:FoxIDsControlEndpoint": "[variables('foxidsControlSiteEndpoint')]",
@@ -461,7 +461,7 @@
         "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]"
       ],
       "properties": {
-        "netFrameworkVersion": "v7.0",
+        "netFrameworkVersion": "v8.0",
         "PROJECT": "src/FoxIDs/FoxIDs.csproj",
         "SCM_BUILD_ARGS": "-p:Configuration=Release",
         "Settings:FoxIDsEndpoint": "[variables('foxidsSiteEndpoint')]",
@@ -483,7 +483,7 @@
         "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]"
       ],
       "properties": {
-        "netFrameworkVersion": "v7.0",
+        "netFrameworkVersion": "v8.0",
         "PROJECT": "src/FoxIDs.Control/FoxIDs.Control.csproj",
         "SCM_BUILD_ARGS": "-p:Configuration=Release",
         "ApplicationInsights:ConnectionString": "[reference(concat('microsoft.insights/components/', variables('foxidsDefaultName'))).ConnectionString]",

docs/_sidebar.md

@@ -1,8 +1,9 @@
 - [Description](index.md)
 - [Get started](get-started.md)
-- [How to connect](howto-connect.md)
-  - [Connect to IdP](howto-connect.md#up-party---how-to-connect-identity-provider-idp)
-  - [Become an IdP](howto-connect.md#down-party---how-to-become-an-identity-provider-idp)
+- [How to](howto-connect.md)
+  - [Connect to IdP](howto-connect.md#how-to-connect-identity-provider-idp)
+  - [Become an IdP](howto-connect.md#how-to-become-an-identity-provider-idp)
+- [SAML 2.0 bridge](bridge.md)
 - [Parties](parties.md)
   - [Login & HRD & 2FA/MFA](login.md)
   - [OpenID Connect](oidc.md)

docs/bridge.md

@@ -0,0 +1,32 @@
+# SAML 2.0 bridge
+
+By default, FoxIDs is a bridge between [SAML 2.0](saml-2.0.md) and [OpenID Connect](oidc.md) / [OAuth 2.0](oauth-2.0.md) without any additional configuration. 
+
+If you configure a [SAML 2.0 up-party](up-party-saml-2.0.md) to an external Identity Provider (IdP) and connect your app as a [OpenID Connect down-party](down-party-oidc.md) where you select the SAML 2.0 up-party. 
+A log in request from your app is routed as an external SAML 2.0 log in requests. The SAML 2.0 log in response is subsequently mapped to an OpenID Connect response for your app.
+
+![Bridge SAML 2.0 to OpenID Connect](images/bridge-saml-oidc.svg)
+
+The opposite is likewise possible starting the log in request from a [SAML 2.0 down-party](down-party-saml-2.0.md) app and routing to an external OpenID Provider (OP) configured as a [OpenID Connect up-party](up-party-oidc.md).
+Subsequently, the response is mapped to a SAML 2.0 response.
+
+![Bridge OpenID Connect to SAML 2.0](images/bridge-oidc-saml.svg)
+
+FoxIDs support to bridge both log in, logout and single logout between SMAL 2.0 and OpenID Connect.
+
+## One track - one Identity Provider
+All bridge functionality can be combined in the same track. Enables an OpenID Connect app to support log in via both a SAML 2.0 or OpenID Connect up-party at the same time. 
+The OpenID Connect app can either select the up-party grammatically or let the user select on a [home realm discovery (HRD)](login.md#home-realm-discovery-hrd) page.
+
+It is recommended to have an application infrastructure with [OpenID Connect](down-party-oidc.md) enabled clients and [OAuth 2.0](down-party-oauth-2.0.md) enable APIs. Where all applications (clients and APIs) trust the same Identity Provider (IdP) - one IdP is equal to one track FoxIDs.
+By utilized the bridge functionality in FoxIDs SAML 2.0 tokens is mapped to ID tokens and access tokens which can be used to authenticate OpenID Connect apps and to call existing APIs.
+
+## Token exchange
+If a user is granted access to a SAML 2.0 app after successful log in with an external SAML 2.0 Identity Provider (IdP). The user is granted access to the SAML 2.0 app in the context of the user it self. 
+With zero trust (never trust, always verify) you would require to call your APIs in the context of the user. This is possible using [token exchange](token-exchange.md#saml-20-to-access-token-by-trust) where the SAML 2.0 token can be exchanged to an access token with the end users identity. 
+Subsequently, your OAuth 2.0 enable API can be called in the context of the user.
+
+## Claim mappings
+FoxIDs use JWT claims inside and [maps SAML 2.0 claims](saml-2.0.md#claim-mappings) to JWT claims. Default, a set of standard JWT to SAML 2.0 claims is mapped like; `sub` to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`, `email` to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` etc.
+You can possible add additional JWT to SAML 2.0 claim mappings.  
+If no claim mapping exists for a particular claim. The long SAML 2.0 claim name is kept from claims revived in a SAML 2.0 token instead of a shorter equivalent JWT claim name. The same goes in the opposite direction.

docs/control.md

@@ -6,6 +6,8 @@ FoxIDs Control API contain all the configuration functionality. Therefore, it is
 ## FoxIDs Control Client
 FoxIDs Control Client is a Blazor WebAssembly (WASM) app.
 
+> Open your [FoxIDs Control Client on FoxIDs.com](https://www.foxids.com/action/login). 
+
 ### Tenant and master track
 If you use FoxIDs at [FoxIDs.com](https://foxids.com). Your one tenant will be pre created on registration.
 

docs/down-party-howto-saml-2.0-adfs.md

@@ -1,28 +1,28 @@
-# Down-party - Connect AD FS with SAML 2.0
+# Connect AD FS with SAML 2.0 down-party
 
-FoxIDs can be connected to AD FS with a [down-party SAML 2.0](down-party-saml-2.0.md). Where AD FS is a SAML 2.0 Relying Party (RP) and FoxIDs is acting as an SAML 2.0 Identity Provider (IdP).
+FoxIDs can be connected to AD FS with a [SAML 2.0 down-party](down-party-saml-2.0.md). Where AD FS is a SAML 2.0 Relying Party (RP) and FoxIDs is acting as an SAML 2.0 Identity Provider (IdP).
 
 This example do login through the up-party `login`, which can be changed depending on the scenario.
 
 ## Configuring AD FS as Relying Party (RP)
 
-**1 - Start by creating an down-party SAML 2.0 in [FoxIDs Control Client](control.md#foxids-control-client)**
+**1 - Start by creating an SAML 2.0 down-party in [FoxIDs Control Client](control.md#foxids-control-client)**
 
-The down-party SAML 2.0 can either be configured by manually adding the SAML 2.0 details or using the AD FS metadata `https://...adfs-domain.../federationmetadata/2007-06/federationmetadata.xml` *(future support)*.
+The SAML 2.0 down-party can either be configured by manually adding the SAML 2.0 details or using the AD FS metadata `https://...adfs-domain.../federationmetadata/2007-06/federationmetadata.xml` *(future support)*.
 
 **2 - Then go to the AD FS and create the Identity Provider (IdP)**
 
 > An Identity Provider (IdP) is called a Claims Provider in AD FS.
 
-In this part of the configuration you need to use the down-party SAML 2.0 metadata. It is possible to call a fictive down-party SAML 2.0 metadata in FoxIDs and thereby if preferred performing step 2 as the first step.
+In this part of the configuration you need to use the SAML 2.0 down-party metadata. It is possible to call a fictive SAML 2.0 down-party metadata in FoxIDs and thereby if preferred performing step 2 as the first step.
 
-> FoxIDs down-party SAML 2.0 metadata `https://foxids.com/tenant-x/track-y/adfs-saml-rp1/saml/idpmetadata`  
+> FoxIDs SAML 2.0 down-party metadata `https://foxids.com/tenant-x/track-y/adfs-saml-rp1/saml/idpmetadata`  
 > for 'tenant-x' and 'track-y' with the down-party name 'adfs-saml-rp1'.
 
 > A down-party application can possibly support login through multiple [up-parties](parties.md#up-party) by adding the up-party name to the URL.  
 > An up-party name e.g. `login` can possible be added to the metadata URL like this `https://foxids.com/tenant-x/track-y/adfs-saml-rp1(login)/saml/idpmetadata`
 
-Configure the Identity Provider (IdP) on AD FS using the down-party SAML 2.0 metadata.
+Configure the Identity Provider (IdP) on AD FS using the SAML 2.0 down-party metadata.
 
 Alternatively, the Identity Provider (IdP) can be configured manually on the AD FS with the following properties:
 

docs/down-party-oauth-2.0.md

@@ -1,11 +1,11 @@
-# Down-party - OAuth 2.0 
+# OAuth 2.0 down-party
 
-FoxIDs down-party OAuth 2.0 enable you to connect an APIs as [OAuth 2.0 resources](#oauth-20-resource). And connect your backend service using [Client Credentials Grant](#client-credentials-grant).
+FoxIDs OAuth 2.0 down-party enable you to connect an APIs as [OAuth 2.0 resources](#oauth-20-resource). And connect your backend service using [Client Credentials Grant](#client-credentials-grant).
 
-![FoxIDs down-party OAuth 2.0](images/parties-down-party-oauth.svg)
+![FoxIDs OAuth 2.0 down-party](images/parties-down-party-oauth.svg)
 
 ## OAuth 2.0 Resource
-An API is configured as a down-party OAuth 2.0 resource.
+An API is configured as a OAuth 2.0 down-party resource.
 
 - Click Create Down-party and then OAuth 2.0 - Resource (API)
 - Specify resource (API) name in down-party name.

docs/down-party-oidc.md

@@ -1,8 +1,8 @@
-# Down-party - OpenID Connect
+# OpenID Connect down-party
 
-FoxIDs down-party [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) enable you to connect an OpenID Connect based application. 
+FoxIDs [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) down-party enable you to connect an OpenID Connect based application. 
 
-![FoxIDs down-party OpenID Connect](images/parties-down-party-oidc.svg)
+![FoxIDs OpenID Connect down-party](images/parties-down-party-oidc.svg)
 
 Your application become a Relying Party (RP) and FoxIDs acts as an OpenID Provider (OP).
 
@@ -45,7 +45,7 @@ The `AcrValues` parameter can be set in the `OnRedirectToIdentityProvider` event
 See more code in the [AspNetCoreOidcAuthorizationCodeSample](samples.md#aspnetcoreoidcauthorizationcodesample) and [Startup.cs line 141](https://github.com/ITfoxtec/FoxIDs.Samples/blob/master/src/AspNetCoreOidcAuthorizationCodeSample/Startup.cs#L141).
 
 ## Configuration
-How to configure your application as a down-party OpenID Connect Relaying Party (RP) / client.
+How to configure your application as a OpenID Connect down-party Relaying Party (RP) / client.
 
 > The clients FoxIDs discovery document is `https://foxids.com/tenant-x/track-y/party-client1/.well-known/openid-configuration`  
 > if the client is configured in tenant `tenant-x` and track `track-y` with the down-party client name `party-client1`.

docs/down-party-saml-2.0.md

@@ -1,8 +1,8 @@
-# Down-party - SAML 2.0
+# SAML 2.0 down-party
 
-FoxIDs down-party [SAML 2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) enable you to connect an SAML 2.0 based application. 
+FoxIDs [SAML 2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) down-party enable you to connect an SAML 2.0 based application. 
 
-![FoxIDs down-party SAML 2.0](images/parties-down-party-saml.svg)
+![FoxIDs SAML 2.0 down-party](images/parties-down-party-saml.svg)
 
 Your application become a SAML 2.0 Relying Party (RP) and FoxIDs acts as an SAML 2.0 Identity Provider (IdP).
 
@@ -50,13 +50,13 @@ See more code in the [AspNetCoreSamlSample](samples.md#aspnetcoresamlsample) and
 ## Configuration
 How to configure your application as an SAML 2.0 Relying Party (RP).
 
-> The FoxIDs down-party SAML 2.0 metadata endpoint is `https://foxids.com/tenant-x/track-y/party-saml-pr1/saml/idpmetadata`  
+> The FoxIDs SAML 2.0 down-party metadata endpoint is `https://foxids.com/tenant-x/track-y/party-saml-pr1/saml/idpmetadata`  
 > if the application is configured in tenant `tenant-x` and track `track-y` with the down-party name `party-saml-pr1`.
 
 > A down-party application can possibly support login through multiple [up-parties](parties.md#up-party) by adding the up-party name to the URL.  
 > An up-party name e.g. `login` can possible be added to the metadata URL like this `https://foxids.com/tenant-x/track-y/party-saml-pr1(login)/saml/idpmetadata`
 
-The following screen shot show the basic FoxIDs down-party SAML 2.0 configuration available in [FoxIDs Control Client](control.md#foxids-control-client).
+The following screen shot show the basic FoxIDs SAML 2.0 down-party configuration available in [FoxIDs Control Client](control.md#foxids-control-client).
 
 > More configuration options become available by clicking `Show advanced settings`.