Merge pull request #1130 from ITfoxtec/test

Test

Author: Revsgaard

FoxIDs.sln

@@ -230,6 +230,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\howto-oidc-google-scopes.png = docs\images\howto-oidc-google-scopes.png
 		docs\images\howto-oidc-google-usertype.png = docs\images\howto-oidc-google-usertype.png
 		docs\images\howto-oidc-identityserver-readredirect.png = docs\images\howto-oidc-identityserver-readredirect.png
+		docs\images\howto-oidc-nets-eid-broker-claim-transform.png = docs\images\howto-oidc-nets-eid-broker-claim-transform.png
+		docs\images\howto-oidc-nets-eid-broker-external-user.png = docs\images\howto-oidc-nets-eid-broker-external-user.png
+		docs\images\howto-oidc-nets-eid-broker-profile.png = docs\images\howto-oidc-nets-eid-broker-profile.png
 		docs\images\howto-saml-claim-mappings.png = docs\images\howto-saml-claim-mappings.png
 		docs\images\howto-saml-context-handler-app-base-config-reg.png = docs\images\howto-saml-context-handler-app-base-config-reg.png
 		docs\images\howto-saml-context-handler-app-base-config.png = docs\images\howto-saml-context-handler-app-base-config.png
@@ -284,11 +287,13 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\upload-risk-passwords-seed-client.png = docs\images\upload-risk-passwords-seed-client.png
 		docs\images\user-create-new-account-config.png = docs\images\user-create-new-account-config.png
 		docs\images\user-create-new-account.png = docs\images\user-create-new-account.png
+		docs\images\user-email-phone-username-user-identifier.png = docs\images\user-email-phone-username-user-identifier.png
 		docs\images\user-external-auth-method-redemption.png = docs\images\user-external-auth-method-redemption.png
 		docs\images\user-external-create-new-account-config.png = docs\images\user-external-create-new-account-config.png
 		docs\images\user-external-create-new-account.png = docs\images\user-external-create-new-account.png
 		docs\images\user-external-redemption.png = docs\images\user-external-redemption.png
 		docs\images\user-login.png = docs\images\user-login.png
+		docs\images\user-phone-user-identifier.png = docs\images\user-phone-user-identifier.png
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FoxIDs.ConvertCertificateTool", "tools\FoxIDs.ConvertCertificateTool\FoxIDs.ConvertCertificateTool.csproj", "{AF16CC91-2EEA-4790-8672-9ACCA430991D}"

docs/auth-method-howto-oidc-nets-eid-broker.md

@@ -3,44 +3,44 @@
 FoxIDs can be connected to Nets eID Broker with OpenID Connect and thereby authenticating end users with MitID and other credentials supported by Nets eID Broker.
 
 How to configure Nets eID Broker in
-- [test environment](#configuring-nets-eid-broker-demotest-as-openid-provider-op) using Nets eID Broker demo
+- [test environment](#configuring-nets-eid-broker-test-as-openid-provider-op) using Nets eID Broker test
 - [production environment](#configuring-nets-eid-broker-as-openid-provider-op) using Nets eID Broker admin portal
 
-> You can test the Nets eID Broker demo login with the [online web app sample](https://aspnetoidcsample.itfoxtec.com) ([sample docs](samples.md#aspnetcoreoidcauthcodealluppartiessample)) by clicking `Log in` and then `Nets eID Broker TEST`.  
+It is possible to [only request CPR number](#only-request-cpr-number-once) on the first login and not subsequently logins.
+
+> You can test the Nets eID Broker test login with the [online web app sample](https://aspnetoidcsample.itfoxtec.com) ([sample docs](samples.md#aspnetcoreoidcauthcodealluppartiessample)) by clicking `Log in` and then `Nets eID Broker TEST`.  
 > Take a look at the Nets eID Broker sample configuration in FoxIDs Control: [https://control.foxids.com/test-corp](https://control.foxids.com/test-corp)  
 > Get read access with the user `[email protected]` and password `TestAccess!` then select the `Production` environment and the `Authentication` tab.
 
-## Configuring Nets eID Broker demo/test as OpenID Provider (OP)
-
-This guide describes how to connect a FoxIDs authentication method to Nets eID Broker demo in the test environment.
+## Configuring Nets eID Broker test as OpenID Provider (OP)
 
-Nets eID Broker has a [MitID demo](https://broker.signaturgruppen.dk/en/technical-documentation/open-oidc-clients) where all clients can connect without prior registration. All redirect URIs are accepted. 
-Her you can find all needed to register a client with Nets eID Broker. 
+This guide describes how to connect a FoxIDs authentication method to Nets eID Broker test in the test environment.  
+All redirect URIs are accepted and therefor all clients can connect without prior registration.
 
 This connection use OpenID Connect Authorization Code flow with PKCE, which is the recommended OpenID Connect flow.
 
 **Create an OpenID Connect authentication method in [FoxIDs Control Client](control.md#foxids-control-client)**
 
-1. Add the name
-2. Add the Nets eID Broker demo authority `https://pp.netseidbroker.dk/op` in the Authority field
-3. In the scopes list add `mitid` (to support MitID) and optionally `nemid` (to support the old NemID)
-4. Select show advanced
-5. Optionally add an additionally parameter with the name `idp_values` and e.g. the value `mitid` to show the MitID IdP or e.g. the value `mitid_erhverv` to show the MitID Erhverv IdP.
-6. Add the Nets eID Broker demo secret `rnlguc7CM/wmGSti4KCgCkWBQnfslYr0lMDZeIFsCJweROTROy2ajEigEaPQFl76Py6AVWnhYofl/0oiSAgdtg==` in the Client secret field
-7. Add the Nets eID Broker demo client id `0a775a87-878c-4b83-abe3-ee29c720c3e7` in the Optional customer SP client ID field
-8. Select to read claims from the UserInfo Endpoint instead of the access token or ID token
-9. Click create
+1. Add the **Name**
+2. Add the Nets eID Broker test authority `https://pp.netseidbroker.dk/op` in the **Authority** field
+3. In the **Scopes** list add `mitid` to use MitID and optionally the `ssn` scope to request the CPR number (consider [only request CPR number once](#only-request-cpr-number-once))
+4. Select **Show advanced**
+5. Optionally add an **Additionally parameter** with the name `idp_values` and e.g. the value `mitid` to show the MitID IdP or e.g. the value `mitid_erhverv` to show the MitID Erhverv IdP.
+6. Add the Nets eID Broker test secret `rnlguc7CM/wmGSti4KCgCkWBQnfslYr0lMDZeIFsCJweROTROy2ajEigEaPQFl76Py6AVWnhYofl/0oiSAgdtg==` in the **Client secret** field
+7. Add the Nets eID Broker test client id `0a775a87-878c-4b83-abe3-ee29c720c3e7` in the **Optional customer SP client ID** field
+8. Select to **Read claims from the UserInfo Endpoint instead of the access token or ID token**
+9. Click **Create**
 
 That's it, you are done. 
 
 > The new authentication method can now be selected as an allowed authentication method in a application registration.  
-> The application registration can read the claims from the authentication method. You can optionally add a `*` in the application registration Issue claims list to issue all the claims to your application. Or optionally define a [scope to issue claims](#scope-and-claims).
+> The application can read the claims from the authentication method. You can optionally add a `*` in the application registration Issue claims list to issue all the claims to your application. Or define a [scope to issue claims](#scope-and-claims).
 
 ## Configuring Nets eID Broker as OpenID Provider (OP)
 
 This guide describes how to connect a FoxIDs authentication method to the Nets eID Broker in the production environment.
 
-You are granted access to the [Nets eID Broker admin portal](https://netseidbroker.dk/admin) by Nets. The Nets eID Broker [documentation](https://broker.signaturgruppen.dk/en/technical-documentation).  
+You are granted access to the [Nets eID Broker admin portal](https://netseidbroker.dk/admin) by Nets. The Nets eID Broker [documentation](https://broker.signaturgruppen.dk/).  
 
 This connection use OpenID Connect Authorization Code flow with PKCE, which is the recommended OpenID Connect flow.
 
@@ -66,16 +66,16 @@ This connection use OpenID Connect Authorization Code flow with PKCE, which is t
 
 **2 - Then create an OpenID Connect authentication method in [FoxIDs Control Client](control.md#foxids-control-client)**
 
-1. Add the name
-2. Add the Nets eID Broker demo authority `https://netseidbroker.dk/op` in the Authority field
+1. Add the **Name**
+2. Add the Nets eID Broker authority `https://netseidbroker.dk/op` in the **Authority** field
 3. Copy the two URLs: `Redirect URL` and `Post logout redirect URL`
-4. In the scopes list add `mitid` (to support MitID) and optionally other scopes like e.g, `nemid.pid` to request the NemID PID and/or `ssn` to request the CPR number
-5. Select show advanced
-6. Optionally add an additionally parameter with the name `idp_values` and e.g. the value `mitid` to show the MitID IdP or e.g. the value `mitid_erhverv` to show the MitID Erhverv IdP.
-7. Add the Nets eID Broker secret in the Client secret field
-8. Add the Nets eID Broker client id in the Optional customer SP client ID field
-9. Select to read claims from the UserInfo Endpoint instead of the access token or ID token
-10. Click create
+4. In the **Scopes** list add `mitid` to use MitID and optionally the `ssn` scope to request the CPR number (consider [only request CPR number once](#only-request-cpr-number-once))
+5. Select **Show advanced**
+6. Optionally add an **Additionally parameter** with the name `idp_values` and e.g. the value `mitid` to show the MitID IdP or e.g. the value `mitid_erhverv` to show the MitID Erhverv IdP.
+7. Add the Nets eID Broker secret in the **Client secret** field
+8. Add the Nets eID Broker client id in the **Optional customer SP client ID** field
+9. Select to **Read claims from the UserInfo Endpoint instead of the access token or ID token**
+10. Click **Create**
 
  **3 - Go back to [Nets eID Broker admin portal](https://netseidbroker.dk/admin)**
 
@@ -85,7 +85,67 @@ This connection use OpenID Connect Authorization Code flow with PKCE, which is t
 That's it, you are done. 
 
 > The new authentication method can now be selected as an allowed authentication method in a application registration.  
-> The application registration can read the claims from the authentication method. You can optionally add a `*` in the application registration Issue claims list to issue all the claims to your application. Or optionally define a [scope to issue claims](#scope-and-claims).
+> The application can read the claims from the authentication method. You can optionally add a `*` in the application registration Issue claims list to issue all the claims to your application. Or define a [scope to issue claims](#scope-and-claims).
+
+## Only request CPR number once
+It is possible to let FoxIDs save the uses CPR number in external users. Then the users are only requested for there CPR the first time they login. 
+
+To make this happen we will configure the Nets eID Broker authentication method to login without requesting a CPR number and create a profile which do request the CPR number. 
+On the first login FoxIDs subsequently initiate authentication with the profile to get the CPR number and save the users `sub` to CPR number relation in a claim on an external user.
+
+In the Nets eID Broker authentication method.
+
+*A) First create a profile*
+
+ 
+1. Only include the `mitid` scope in the **Scopes** list
+2. Select **Show advanced**
+3. Select the **Profiles** tab
+4. Click **Add Profile**
+5. Add a **Name** e.g., `Request CPR`
+6. Add `ssn` in the **Scopes** list 
+7. Click **Update** - *Imported before you continue!*    
+
+![Authentication method profile](images/howto-oidc-nets-eid-broker-profile.png)
+    
+*b) Then start to create external users*
+
+1. Select the **Create External Users** tab
+2. Add `sub` in the **Link claim type** field
+3. Select **Yes** in **Optional create/provision external users automatically**
+4. Select **Yes** in **Overwrite received claims**
+
+![Authentication method external user](images/howto-oidc-nets-eid-broker-external-user.png)
+
+*c) Setup claim transforms*
+
+1. In the **Create user claim transforms** section in the **Create External Users** tab
+2. Add the claims `mitid.has_cpr` and `dk.cpr` in **Include claims from authentication method**
+3. Click **Add claim transform** and click **Match claim**
+    1. In the claim transformation 
+    2. Add `_local:cpr_exist` in the **New claim** field
+    3. Select **Add claim, if not match** in **Action** 
+    4. Add `dk.cpr` in the **Select claim** field
+    5. Add `false` in the **New value** field
+4. Click **Add claim transform** and click **Concatenate**
+    1. In the claim transformation 
+    2. Add `_local:request_cpr` in the **New claim** field
+    3. Select **Add claim** in **Action** 
+    4. Add `mitid.has_cpr` and `_local:cpr_exist` in the **Concatenate claims** list
+    5. Add `[{0},{1}]` in the **Concatenate format string** field
+5. Click **Add claim task** and click **Match claim and value and start authentication**
+    1. In the claim transformation 
+    2. Select **If match** in **Action** 
+    3. Add `_local:request_cpr` in the **Select claim** field
+    4. Add `[true,false]` in the **Match value** field
+    6. Select this authentication methods `Request CPR` profile in the **Authentication method**
+6. Click **Add claim transform** and click **Match claim**
+    1. In the claim transformation 
+    2. Select **Remove claim** in **Action** 
+    3. Add `mitid.has_cpr` in the **Remove claim** field
+7. Click **Update**
+
+![Authentication method claim transform](images/howto-oidc-nets-eid-broker-claim-transform.png)
 
 ## Scope and claims
 You can optionally create a scope on the application registration with the Nets eID Broker claims as `Voluntary claims`. The scope can then be used by a OpenID Connect client or another FoxIDs authentication method acting as a OpenID Connect client.
@@ -100,8 +160,6 @@ The most used Nets eID Broker claims:
 - `mitid.uuid`
 - `mitid.has_cpr`
 - `dk.cpr`
-- `nemid.pid`
-- `nemid.pid_status`
 - `mitid.age`
 - `mitid.date_of_birth`
 - `mitid.identity_name`

docs/images/howto-oidc-nets-eid-broker-claim-transform.png

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>1.15.10</Version>
+		<Version>1.15.11</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

docs/images/howto-oidc-nets-eid-broker-external-user.png

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>1.15.10</Version>
+		<Version>1.15.11</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

docs/images/howto-oidc-nets-eid-broker-profile.png

@@ -9,11 +9,13 @@ public abstract class UpPartyProfileViewModel
         [Required]
         [MaxLength(Constants.Models.Party.ProfileNameLength)]
         [RegularExpression(Constants.Models.Party.NameRegExPattern)]
+        [Display(Name = "Technical name")]
         public string Name { get; set; }
 
         [Required]
         [MaxLength(Constants.Models.Party.DisplayNameLength)]
         [RegularExpression(Constants.Models.Party.DisplayNameRegExPattern)]
+        [Display(Name = "Name")]
         public string DisplayName { get; set; }
     }
 }

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -83,7 +83,7 @@ public TrackSettingsViewModel()
         public bool? CheckPasswordComplexity { get; set; }
 
         [Required]
-        [Display(Name = "Check password risk")]
+        [Display(Name = "Check password risk based on global password breaches")]
         public bool? CheckPasswordRisk { get; set; } 
 
         [ValidateComplexType]

src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj

@@ -255,7 +255,7 @@
                 }
                 else
                 {
-                    <button type="button" class="btn btn-link mr-auto" @onclick="@(async () => await ShowUpdateUsageAsync(used))">
+                    <button type="button" class="btn btn-link mr-auto btn-wrap" @onclick="@(async () => await ShowUpdateUsageAsync(used))">
                         Tenant: @used.TenantName@UsageInfoAndPriceText(used)
                         <br />
                         @{