Merge pull request #953 from ITfoxtec/test

Test

Kubernetes/k8s-foxids-ingress-deployment.yaml

@@ -3,6 +3,8 @@ kind: Ingress
 metadata:
   name: foxids-ingress-http
   annotations:
+   nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+   nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    cert-manager.io/issuer: "letsencrypt-production" #production    
    #cert-manager.io/issuer: "letsencrypt-staging" #staging
 spec:

docs/auth-method-howto-saml-2.0-nemlogin.md

@@ -92,26 +92,27 @@ It is subsequently possible to add a secondary certificate and to swap between t
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-claims.png)
 
- 12. In production only! optionally the Certificate validation mode to `Chain trust` if the OCES3 root certificate is trusted on your platform. The OCES3 root certificate is NOT trusted in Azure  
+ 12. Set Login hint in Authn request in Subject NameID to Disabled
+ 13. In production only! optionally the Certificate validation mode to `Chain trust` if the OCES3 root certificate is trusted on your platform. The OCES3 root certificate is NOT trusted in Azure  
      Set the Certificate revocation mode to `Online`
- 13. Select to include the encryption certificate in metadata
- 14. Set the NameID format in metadata to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
+ 14. Select to include the encryption certificate in metadata
+ 15. Set the NameID format in metadata to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
 
  ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-nameidformat.png)
 
- 15. Add an attribute consuming service in metadata and add the service name.
- 16. Add all the claims configured in step 11 as requested attributes with the format `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`. Optionally set each attribute as required.
+ 16. Add an attribute consuming service in metadata and add the service name.
+ 17. Add all the claims configured in step 11 as requested attributes with the format `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`. Optionally set each attribute as required.
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-attributes.png)
 
- 17. Add at least one technical contact person
+ 18. Add at least one technical contact person
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-contact.png)
 
- 18. Click create
- 19. Go to the top of the SAML 2.0 authentication method
- 20. Download the SAML 2.0 authentication method SP-metadata, in this case https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata. 
- 21. The SP-metadata file is used to configure the NemLog-in IT system.
+ 19. Click create
+ 20. Go to the top of the SAML 2.0 authentication method
+ 21. Download the SAML 2.0 authentication method SP-metadata, in this case https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata. 
+ 22. The SP-metadata file is used to configure the NemLog-in IT system.
 
  **2) - Then go to the [NemLog-in adminstration protal](https://administration.nemlog-in.dk/)**
 

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlUpPartyViewModel.cs

@@ -169,6 +169,9 @@ public bool AutomaticUpdate
         [Display(Name = "Optional Authn request extensions XML")]
         public string AuthnRequestExtensionsXml { get; set; }
 
+        [Display(Name = "Login hint in Authn request in Subject NameID")]
+        public bool DisableLoginHint { get; set; }
+
         [Display(Name = "Add logout response location URL in metadata")]
         public bool MetadataAddLogoutResponseLocation { get; set; }
 

src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.razor

@@ -339,6 +339,8 @@
                         </div>
                         <FInputTextList @bind-ValueList="samlUpParty.Form.Model.AuthnContextClassReferences" For="@(() => samlUpParty.Form.Model.AuthnContextClassReferences)" DynamicFirstRow="true" />
                         <FInputText @bind-Value="samlUpParty.Form.Model.AuthnRequestExtensionsXml" For="@(() => samlUpParty.Form.Model.AuthnRequestExtensionsXml)" />
+
+                        <FInputToggle @bind-Value="samlUpParty.Form.Model.DisableLoginHint" For="@(() => samlUpParty.Form.Model.DisableLoginHint)" Negation="true" TextType="e.d" />
                     }
                     <FInputSelect @bind-Value="samlUpParty.Form.Model.SignatureAlgorithm" For="@(() => samlUpParty.Form.Model.SignatureAlgorithm)">
                         <option value="@Saml2SecurityAlgorithms.RsaSha1Signature">RSA-SHA-1</option>

src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs.ControlShared/Models/Api/Parties/SamlUpParty.cs

@@ -130,6 +130,8 @@ public class SamlUpParty : INameValue, INewNameValue, IValidatableObject, IClaim
 
         public string AuthnRequestExtensionsXml { get; set; }
 
+        public bool DisableLoginHint { get; set; }
+
         public bool MetadataAddLogoutResponseLocation { get; set; }
 
         public bool SignMetadata { get; set; }

src/FoxIDs.Shared/FoxIDs.Shared.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs.Shared/Infrastructure/Hosting/ProxyHeadersMiddleware.cs

@@ -77,14 +77,14 @@ protected bool ValidateProxySecret(HttpContext context, Settings settings = null
 
         protected void ReadClientIp(HttpContext context)
         {
-            string ipHeader = context.Request.Headers["CF-Connecting-IP"];
+            string ipHeader = context.Request.Headers["X-Forwarded-For"];
             if (ipHeader.IsNullOrWhiteSpace())
             {
-                ipHeader = context.Request.Headers["X-Azure-ClientIP"];
+                ipHeader = context.Request.Headers["CF-Connecting-IP"]; 
             }
             if (ipHeader.IsNullOrWhiteSpace())
             {
-                ipHeader = context.Request.Headers["X-Forwarded-For"];
+                ipHeader = context.Request.Headers["X-Azure-ClientIP"];
             }
             if (!ipHeader.IsNullOrWhiteSpace())
             {

src/FoxIDs.Shared/Logic/Parties/OidcDiscoveryReadModelLogic.cs

@@ -2,7 +2,6 @@
 using ITfoxtec.Identity;
 using ITfoxtec.Identity.Discovery;
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Threading.Tasks;
@@ -21,7 +20,7 @@ public async Task<MParty> PopulateModelAsync(MParty party)
             party.LastUpdated = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
             if (party.EditIssuersInAutomatic != true || string.IsNullOrWhiteSpace(party.Issuers?.FirstOrDefault()))
             {
-                party.Issuers = new List<string> { oidcDiscovery.Issuer };
+                party.Issuers = [oidcDiscovery.Issuer];
             }
             party.Client.AuthorizeUrl = oidcDiscovery.AuthorizationEndpoint;
 

src/FoxIDs.Shared/Logic/Parties/SamlMetadataReadLogic.cs

@@ -67,7 +67,7 @@ private async Task<SamlUpParty> PopulateModelInternalAsync(SamlUpParty party, En
             if (entityDescriptor.IdPSsoDescriptor != null)
             {
                 party.LastUpdated = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
-                party.Issuer = entityDescriptor.EntityId;
+                party.Issuers = [entityDescriptor.EntityId];
                 var singleSignOnServices = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.FirstOrDefault();
                 if (singleSignOnServices == null)
                 {

src/FoxIDs.Shared/Models/Base/IUpParty.cs

@@ -1,9 +1,11 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 
 namespace FoxIDs.Models
 {
     public interface IUpParty : IParty
     {
+        [Obsolete("Use Issuers instead.")]
         string Issuer { set; }
         List<string> Issuers { get; set; }
         string SpIssuer { get; set; }

src/FoxIDs.Shared/Models/Parties/SamlUpParty.cs

@@ -95,12 +95,15 @@ public SamlUpParty()
         [JsonProperty(PropertyName = "authn_request_extensions_xml")]
         public string AuthnRequestExtensionsXml { get; set; }
 
+        [JsonProperty(PropertyName = "disable_login_hint")]
+        public bool DisableLoginHint { get; set; }
+
         [JsonProperty(PropertyName = "metadata_add_logout_response_location")]
         public bool MetadataAddLogoutResponseLocation { get; set; }
 
         [JsonProperty(PropertyName = "sign_metadata")]
-        public bool SignMetadata { get; set; }
-
+        public bool SignMetadata { get; set; }       
+        
         [JsonProperty(PropertyName = "metadata_include_enc_certs")]
         public bool MetadataIncludeEncryptionCertificates { get; set; }
 

src/FoxIDs.Shared/Models/Parties/UpParty.cs

@@ -35,42 +35,27 @@ public static async Task<string> IdFormatAsync(RouteBinding routeBinding, string
         }
 
         // Support back words capability in CosmosDB - single issuer in SAML 2.0 up-parties
-        private bool hasSingleIssuer;
-        private List<string> issuers;
         [MaxLength(Constants.Models.Party.IssuerLength)]
         [JsonProperty(PropertyName = "issuer")]
+        [Obsolete("Use Issuers instead.")]
         public string Issuer
         {
             get
             {
-                return issuers?.FirstOrDefault();
+                return null;
             }
             set
             {
-                if (!value.IsNullOrWhiteSpace())
+                if (!value.IsNullOrWhiteSpace() && !(Issuers?.Count() > 0))
                 {
-                    hasSingleIssuer = true;
-                    issuers = new List<string> { value };
+                    Issuers = [value];
                 }
             }
         }
 
         [ListLength(Constants.Models.UpParty.IssuersBaseMin, Constants.Models.UpParty.IssuersMax, Constants.Models.Party.IssuerLength)]
         [JsonProperty(PropertyName = "issuers")]
-        public virtual List<string> Issuers
-        {
-            get
-            {
-                return issuers;
-            }
-            set
-            {
-                if (!hasSingleIssuer)
-                {
-                    issuers = value;
-                }
-            }
-        }
+        public virtual List<string> Issuers { get; set; }
 
         /// <summary>
         /// SP issuer / audience

src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs/FoxIDs.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.10.5</Version>
+		<Version>1.10.6</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs

@@ -115,7 +115,7 @@ private async Task<IActionResult> AuthnRequestAsync(SamlUpParty party, Saml2Bind
 
             binding.RelayState = await sequenceLogic.CreateExternalSequenceIdAsync();
             var saml2AuthnRequest = new Saml2AuthnRequest(samlConfig);
-            if (!samlUpSequenceData.LoginEmailHint.IsNullOrWhiteSpace())
+            if (!party.DisableLoginHint && !samlUpSequenceData.LoginEmailHint.IsNullOrWhiteSpace())
             {
                 saml2AuthnRequest.Subject = new Subject { NameID = new NameID { ID = samlUpSequenceData.LoginEmailHint, Format = NameIdentifierFormats.Email.OriginalString } };
             }

src/FoxIDs/Logic/Tracks/SessionUpPartyLogic.cs

@@ -37,7 +37,18 @@ public async Task<string> CreateOrUpdateSessionAsync<T>(T upParty, DownPartySess
                 session.Claims = sessionClaims.ToClaimAndValues(); 
 
                 session.ExternalSessionId = externalSessionId;
-                session.IdToken = idToken;
+                try
+                {
+                    if (idToken?.Count() > Constants.Models.Claim.ValueLength)
+                    {
+                        throw new Exception($"The ID Token exceeds the maximum allowed limit of {Constants.Models.Claim.ValueLength} bytes and is NOT included in the authentication method session. Logout may not work without the ID Token.");
+                    }
+                    session.IdToken = idToken;
+                }
+                catch (Exception ex)
+                {
+                    logger.Warning(ex);
+                }
                 AddDownPartyLink(session, newDownPartyLink);
             };