Merge pull request #562 from ITfoxtec/test

Test

FoxIDs.sln

@@ -54,6 +54,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\faq.md = docs\faq.md
 		docs\getting-started.md = docs\getting-started.md
 		docs\howto-saml-2.0-context-handler.md = docs\howto-saml-2.0-context-handler.md
+		docs\howto-oidc-foxids.md = docs\howto-oidc-foxids.md
+		docs\howto-connect.md = docs\howto-connect.md
+		docs\howto-tracklink-foxids.md = docs\howto-tracklink-foxids.md
 		docs\index.md = docs\index.md
 		docs\language.md = docs\language.md
 		docs\logging.md = docs\logging.md
@@ -71,14 +74,12 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\standard-support.md = docs\standard-support.md
 		docs\up-party-howto-oidc-azure-ad-b2c.md = docs\up-party-howto-oidc-azure-ad-b2c.md
 		docs\up-party-howto-oidc-azure-ad.md = docs\up-party-howto-oidc-azure-ad.md
-		docs\up-party-howto-oidc-foxids.md = docs\up-party-howto-oidc-foxids.md
 		docs\up-party-howto-oidc-identityserver.md = docs\up-party-howto-oidc-identityserver.md
 		docs\up-party-howto-oidc-nets-eid-broker.md = docs\up-party-howto-oidc-nets-eid-broker.md
 		docs\up-party-howto-oidc-signicat.md = docs\up-party-howto-oidc-signicat.md
 		docs\up-party-howto-saml-2.0-adfs.md = docs\up-party-howto-saml-2.0-adfs.md
 		docs\up-party-howto-saml-2.0-nemlogin.md = docs\up-party-howto-saml-2.0-nemlogin.md
 		docs\up-party-howto-saml-2.0-pingone.md = docs\up-party-howto-saml-2.0-pingone.md
-		docs\up-party-howto.md = docs\up-party-howto.md
 		docs\up-party-oidc.md = docs\up-party-oidc.md
 		docs\up-party-saml-2.0.md = docs\up-party-saml-2.0.md
 		docs\update.md = docs\update.md
@@ -166,6 +167,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\howto-saml-nemlogin3-up-privilege-claim-tf.png = docs\images\howto-saml-nemlogin3-up-privilege-claim-tf.png
 		docs\images\howto-saml-nemlogin3-up-read-metadata.png = docs\images\howto-saml-nemlogin3-up-read-metadata.png
 		docs\images\howto-saml-nemlogin3-up-top.png = docs\images\howto-saml-nemlogin3-up-top.png
+		docs\images\howto-tracklink-foxids-down-party.png = docs\images\howto-tracklink-foxids-down-party.png
+		docs\images\howto-tracklink-foxids-up-party.png = docs\images\howto-tracklink-foxids-up-party.png
 		docs\images\master-tenant2.png = docs\images\master-tenant2.png
 		docs\images\parties-down-party-oauth.svg = docs\images\parties-down-party-oauth.svg
 		docs\images\parties-down-party-oidc.svg = docs\images\parties-down-party-oidc.svg

docs/_sidebar.md

@@ -2,7 +2,7 @@
 - [Getting Started](getting-started.md)
 - [Parties](parties.md)
   - [Login & HRD & 2FA/MFA](login.md)
-  - [How to connect IdP](up-party-howto.md)
+  - [How to connect](howto-connect.md)
   - [OpenID Connect](oidc.md)
   - [OAuth 2.0](oauth-2.0.md)
   - [SAML 2.0](saml-2.0.md)

docs/deployment.md

@@ -51,11 +51,11 @@ You can increment the password security level by uploading risk passwords.
 
 You can upload risk passwords with the FoxIDs seed tool console application. The seed tool code is [downloaded](https://github.com/ITfoxtec/FoxIDs/tree/master/tools/FoxIDs.SeedTool) and need to be compiled and [configured](#configure-the-seed-tool) to run.
 
-Download the `SHA-1` pwned passwords `ordered by prevalence` from [haveibeenpwned.com/passwords](https://haveibeenpwned.com/Passwords).
+Download the `SHA-1` pwned passwords in a single file from [haveibeenpwned.com/passwords](https://haveibeenpwned.com/Passwords) using the [PwnedPasswordsDownloader tool](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader).
 
 > Be aware that it takes some time to upload all risk passwords. This step can be omitted and postponed to later.  
 
-The risk passwords are uploaded as bulk which has a higher consumption. Please make sure to adjust the Cosmos DB provisioned throughput (e.g. to 20000 RU/s or higher) temporarily. 
+The risk passwords are uploaded as bulk which has a higher consumption. Please make sure to adjust the Cosmos DB provisioned throughput (e.g. to 4000 RU/s or higher) temporarily. 
 The throughput can be adjusted in Azure Cosmos DB --> Data Explorer --> Scale & Settings.
 
 You can read the number of risk passwords uploaded to FoxIDs in [FoxIDs Control Client](control.md#foxids-control-client) master tenant on the Risk Passwords tap. And you can test if a password is okay or has appeared in breaches.

docs/down-party-oidc.md

@@ -22,6 +22,10 @@ There can be configured a maximum of 10 secrets per client.
 
 FoxIDs support the OpenID Connect [UserInfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
 
+How to guides:
+
+- Connect two FoxIDs tracks in the same or different tenants with [OpenID connect](howto-oidc-foxids.md)
+
 > It is recommended to use OpenID Connect Authorization Code flow with PKCE, because it is considered a secure flow.
 
 ## Require multi-factor authentication (MFA)

docs/up-party-howto.md → docs/howto-connect.md

@@ -1,23 +1,31 @@
-# Up-party - How to connect Identity Provider (IdP)
+# How to connect
+
+An [IdP is connected](#up-party---how-to-connect-identity-provider-idp) with a [up-party](parties.md#up-party) and an [application or API is connected]() with a [down-party](parties.md#down-party).
+
+It is possible to interconnect FoxIDs tracks either with a track link or OpenID Connect:
+
+- Connect two FoxIDs tracks in a tenant with a [track link](howto-tracklink-foxids.md)
+- Connect two FoxIDs tracks in the same or different tenants with [OpenID connect](howto-oidc-foxids.md)
+
+## Up-party - How to connect Identity Provider (IdP)
 
 An Identity Provider (IdP) can be connected with an [OpenID Connect up-party](#openid-connect-up-party) or an [SAML 2.0 up-party](#saml-20-up-party). An Identity Provider (IdP) is more precisely called an OpenID Provider (OP) if configured with OpenID Connect.
 
 All IdPs supporting either OpenID Connect or SAML 2.0 can be connected to FoxIDs. The following is how to guides for some IdPs, more guides will be added over time.
 
-## OpenID Connect up-party
+### OpenID Connect up-party
 
 Configure [OpenID Connect up-party](up-party-oidc.md) which trust an external OpenID Provider (OP) - *an Identity Provider (IdP) is called an OpenID Provider (OP) if configured with OpenID Connect*.
 
 How to guides:
 
-- Connect [FoxIDs](up-party-howto-oidc-foxids.md) between tracks, optionally in different tenants
 - Connect [Azure AD](up-party-howto-oidc-azure-ad.md) 
 - Connect [Azure AD B2C](up-party-howto-oidc-azure-ad-b2c.md) 
 - Connect [IdentityServer](up-party-howto-oidc-identityserver.md)
 - Connect [Signicat](up-party-howto-oidc-signicat.md)
 - Connect [Nets eID Broker](up-party-howto-oidc-nets-eid-broker.md)
 
-## SAML 2.0 up-party
+### SAML 2.0 up-party
 
 Configure [SAML 2.0 up-party](up-party-saml-2.0.md) which trust an external SAML 2.0 Identity Provider (IdP).
 
@@ -26,4 +34,7 @@ How to guides:
 - Connect [AD FS](up-party-howto-saml-2.0-adfs.md)
 - Connect [PingIdentity / PingOne](up-party-howto-saml-2.0-pingone.md)
 - Connect [NemLog-in (Danish IdP)](up-party-howto-saml-2.0-nemlogin.md)
-- Connect [Context Handler (Danish IdP)](howto-saml-2.0-context-handler.md#up-party---connect-to-context-handler)
+- Connect [Context Handler (Danish IdP)](howto-saml-2.0-context-handler.md#up-party---connect-to-context-handler)
+
+## Up-party - How to connect relying party (RP)
+// TODO

docs/up-party-howto-oidc-foxids.md → docs/howto-oidc-foxids.md

@@ -1,7 +1,9 @@
 # Interconnect FoxIDs with OpenID Connect
 
 FoxIDs can be connected to another FoxIDs with OpenID Connect and thereby authenticating end users in another FoxIDs track or an external Identity Provider (IdP) configured as an up-party.  
-FoxIDs tracks can be interconnect in the same FoxIDs tenant or in different FoxIDs tenants. Interconnect can also be configured between FoxIDs tracks in different FoxIDs deployments.
+FoxIDs tracks can be interconnect in the same FoxIDs tenant or in different FoxIDs tenants. Interconnections can also be configured between FoxIDs tracks in different FoxIDs deployments.
+
+> You can easy connect two tracks in the same tenant with a [track link](howto-tracklink-foxids.md).
 
 The integration between two FoxIDs tracks support [OpenID Connect authentication](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) (login), [RP-initiated logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) and [front-channel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html). A session is established when the user authenticates and the session is invalidated on logout.
 

docs/howto-saml-2.0-context-handler.md

@@ -18,7 +18,7 @@ Context Handler documentation and configuration:
 
 Context Handler requires the Relying Party (RP) and Identity Provider (IdP) to use different OSES certificates. Therefore, consider connecting Context Handler in separate tracks where the OCES certificates can be configured without affecting any other configurations.
 
-Two FoxIDs tracks can be connected with OpenID Connect. Please see the [connect FoxIDs with OpenID Connect](up-party-howto-oidc-foxids.md) guide. The track with a up-party connected to Context Handler is called the parallel FoxIDs track in the guide.
+Two FoxIDs tracks can be connected with OpenID Connect. Please see the [connect FoxIDs with OpenID Connect](howto-oidc-foxids.md) guide. The track with a up-party connected to Context Handler is called the parallel FoxIDs track in the guide.
 
 ## Certificate
 

docs/howto-tracklink-foxids.md

@@ -0,0 +1,38 @@
+# Interconnect two FoxIDs tracks with a track link
+
+FoxIDs tracks in the same tenant can be connected with track links. A track link acts mostly like OpenID Connect but it is simpler to configure and the steps it goes through is faster.  
+Therefor a login sequence that jumps between tracks will execute faster using a track link competed with using OpenID Connect. But an [OpenID connect connection](howto-oidc-foxids.md) is required if you need to jump between tracks located in different tenants.
+
+Track links support login, RP-initiated logout and front-channel logout. Furthermore, it is possible to configure [claim and claim transforms](claim.md), logout session and home realm discovery (HRD) like all other connecting up-parties and down-parties.
+
+## Configure integration
+
+The following describes how to connect two tracks called `track_x` and `track_y` where `track_y` become an up-party on `track_x`.
+
+**1 - Start in the `track_x` track by creating a track link in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+1. Select the Parties tab and then the Up-parties
+2. Click Create up-party and then Track link
+3. Add the name e.g., `track_y-connection` 
+4. Add the `track_y` track name
+5. Add the down-party name in the `track_y` track e.g., `track_x-connection` 
+6. Click Create
+
+![Create track link up-party](images/howto-tracklink-foxids-up-party.png)
+
+**2 - Then go to the `track_y` track and create a track link in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+1. Select the Parties tab and then the Down-parties
+2. Click Create down-party and then Track link
+3. Add the name e.g., `track_x-connection` 
+4. Add the `track_x` track name
+5. Add the up-party name in the `track_x` track e.g., `track_y-connection` 
+6. Select which up-parties in the `track_y` track the user is allowed to use for authentication
+6. Click Create
+
+![Create track link down-party](images/howto-tracklink-foxids-down-party.png)
+
+That's it, you are done. 
+
+> Your new up-party `track_y-connection` can now be selected as an allowed up-party in the down-parties in you `track_x` track.  
+> The down-parties in you `track_x` track can read the claims from your `track_y-connection` up-party. 

docs/login.md

@@ -59,12 +59,12 @@ You can select to require two-factor authentication for all users authenticating
 ### Configure user session
 The user sessions lifetime can be changed. The default lifetime is 10 hours. 
 The user session is a sliding session, where the lifetime is extended every time, an application makes a login request until the absolute session lifetime is reached.  
-It is possible to configure an absolute session lifetime in the advanced settings.
+It is possible to configure an absolute session lifetime as well.
 
 The user session can be changed to a persistent session which is preserved when the browser is closed and reopened.  
 The user session become a persistent session if either the persistent session lifetime is configured to be grater, then 0. Or the persistent session lifetime unlimited setting is set to on.
 
-> Click `show advanced settings` to see all session settings.
+> Click the `User session` tag to see all session settings.
 
 ![Configure Login](images/configure-login-session.png)
 

docs/name-title-icon-css.md

@@ -30,7 +30,7 @@ Find the up-party login in [FoxIDs Control Client](control.md#foxids-control-cli
 
  ## CSS examples
 
- Change background and add logo text. It is also possible to add a logo image.
+ Change background and add logo text. 
 
     body {
         background: #7c8391;
@@ -48,6 +48,16 @@ Find the up-party login in [FoxIDs Control Client](control.md#foxids-control-cli
 
 ![Configure background and add logo with CSS](images/configure-login-css-backbround-logo.png)    
 
+It is also possible to use a logo image.
+
+    .brand-content-text {
+        display: none;
+    }
+
+    .brand-content-icon:before {
+       content:url('https://some-external-site.com/logo.png');
+    }
+
 Add a background image from an external site.
 
     body {
@@ -61,6 +71,51 @@ Add a background image from an external site.
 
 ![Configure background image](images/configure-login-css-backbround-image.png)   
 
+Change button and link color, in this example CSS to green.
+
+    label {
+        color: #a4c700 !important;
+    }
+
+    .input:focus {
+        outline: none !important;
+        border:1px solid #a4c700;
+        box-shadow: 0 0 10px #a4c700;
+      }
+
+    .btn-link, .btn-link:hover, a, a:hover {
+        color: #a4c700;
+    }
+
+    .btn-primary.disabled, .btn-primary:disabled {
+        color: #fff;
+        background-color: #afc44f;
+        border-color: #afc44f;
+    }
+
+    .btn-primary, .btn-primary:hover, .btn-primary:active, .btn-primary:focus, .btn-primary:active {
+        background-color: #a4c700;
+        border-color: #a4c700;
+    }
+
+    .btn-primary:not(:disabled):not(.disabled).active, .btn-primary:not(:disabled):not(.disabled):active, .show>.btn-primary.dropdown-toggle {
+        background-color: #7c9600;
+        border-color: #7c9600;
+    }
+
+    .btn-link:not(:disabled):not(.disabled):active, .btn-link:not(:disabled):not(.disabled).active, .show>.btn-link.dropdown-toggle {
+        color: #a4c700;
+    }
+
+    .btn:focus, .form-control:focus {
+        border-color: #a4c700;
+        box-shadow: 0 0 0 .2rem rgba(64,78,0,.25);
+    }
+
+    .btn-primary:not(:disabled):not(.disabled).active:focus, .btn-primary:not(:disabled):not(.disabled):active:focus, .show>.btn-primary.dropdown-toggle:focus {
+        box-shadow: 0 0 0 .2rem rgba(64,78,0,.25);
+    }
+
  Add information to the login box.
 
     div.page-content:before {

docs/oidc.md

@@ -12,7 +12,8 @@ Configure [up-party OpenID Connect](up-party-oidc.md) which trust an external Op
 
 How to guides:
 
-- Connect [FoxIDs](up-party-howto-oidc-foxids.md) 
+- Connect two FoxIDs tracks in a tenant with a [track link](howto-tracklink-foxids.md)
+- Connect two FoxIDs tracks in the same or different tenants with [OpenID connect](howto-oidc-foxids.md)
 - Connect [Azure AD](up-party-howto-oidc-azure-ad.md) 
 - Connect [Azure AD B2C](up-party-howto-oidc-azure-ad-b2c.md) 
 - Connect [IdentityServer](up-party-howto-oidc-identityserver.md)

docs/reverse-proxy.md

@@ -53,7 +53,7 @@ Configuration:
 - In the Networking section of the App Services. Enable access restriction to only allow traffic from Azure Front Door
 - Optionally add a Front Door endpoint for both the FoxIDs App Service and the FoxIDs Control App Service test slots
 - Restrict access to the App Services test slots
-- Add the `Settings:TrustProxyHeaders` setting with the value `true` in the FoxIDs App Service (optionally also the test slot) configuration to support [custom domains](custom-domain.md)
+- Add the `Settings:TrustProxyHeaders` setting with the value `true` and select Deployment slot setting in the FoxIDs App Service configuration to support [custom domains](custom-domain.md) (optionally also add the setting in the test slot)
 - Disable Session affinity
 - Optionally configure WAF policies
 

docs/up-party-howto-saml-2.0-nemlogin.md

@@ -25,7 +25,7 @@ NemLog-in documentation and configuration:
 
 NemLog-in requires the Relying Party (RP) to use a OSES certificate and a high level of logging. Therefore, consider connecting NemLog-in in a separate track where the OCES certificate and log level can be configured without affecting any other configuration.
 
-Two FoxIDs tracks can be connected with OpenID Connect. Please see the [connect FoxIDs with OpenID Connect](up-party-howto-oidc-foxids.md) guide. The track with a up-party connected to NemLog-in is called the parallel FoxIDs track in the guide.
+Two FoxIDs tracks can be connected with OpenID Connect. Please see the [connect FoxIDs with OpenID Connect](howto-oidc-foxids.md) guide. The track with a up-party connected to NemLog-in is called the parallel FoxIDs track in the guide.
 
 ## Certificate
 

docs/up-party-oidc.md

@@ -8,7 +8,8 @@ It is possible to configure multiple OpenID Connect up-parties which then can be
 
 How to guides:
 
-- Connect [FoxIDs](up-party-howto-oidc-foxids.md) 
+- Connect two FoxIDs tracks in a tenant with a [track link](howto-tracklink-foxids.md)
+- Connect two FoxIDs tracks in the same or different tenants with [OpenID connect](howto-oidc-foxids.md)
 - Connect [Azure AD](up-party-howto-oidc-azure-ad.md) 
 - Connect [Azure AD B2C](up-party-howto-oidc-azure-ad-b2c.md) 
 - Connect [IdentityServer](up-party-howto-oidc-identityserver.md)

src/FoxIDs.Control/Controllers/Master/MRiskPasswordFirstController.cs

@@ -0,0 +1,45 @@
+using FoxIDs.Infrastructure;
+using FoxIDs.Models;
+using Api = FoxIDs.Models.Api;
+using FoxIDs.Repository;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using AutoMapper;
+
+namespace FoxIDs.Controllers
+{
+    public class MRiskPasswordFirstController : MasterApiController
+    {
+        private readonly TelemetryScopedLogger logger;
+        private readonly IMapper mapper;
+        private readonly IMasterRepository masterRepository;
+
+        public MRiskPasswordFirstController(TelemetryScopedLogger logger, IMapper mapper, IMasterRepository masterRepository) : base(logger)
+        {
+            this.logger = logger;
+            this.mapper = mapper;
+            this.masterRepository = masterRepository;
+        }
+
+        /// <summary>
+        /// Get the first 1000 risk password. Can be used query risk passwords before deleting them.
+        /// </summary>
+        /// <returns>Risk passwords.</returns>
+        [ProducesResponseType(typeof(HashSet<Api.RiskPassword>), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<HashSet<Api.RiskPassword>>> GetRiskPasswordFirst()
+        {
+            var mRiskPasswords = await masterRepository.GetListAsync<RiskPassword>(maxItemCount: 1000);
+            if (mRiskPasswords?.Count > 0) 
+            {
+                return Ok(mapper.Map<HashSet<Api.RiskPassword>>(mRiskPasswords));
+            }
+            else
+            {
+                return Ok();
+            }
+        }
+    }
+}