Merge pull request #1090 from ITfoxtec/test

Test

FoxIDs.sln

@@ -41,6 +41,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\app-reg-oauth-2.0.md = docs\app-reg-oauth-2.0.md
 		docs\app-reg-oidc.md = docs\app-reg-oidc.md
 		docs\app-reg-saml-2.0.md = docs\app-reg-saml-2.0.md
+		docs\auth-method-howto-oidc-amazon-cognito.md = docs\auth-method-howto-oidc-amazon-cognito.md
 		docs\auth-method-howto-oidc-azure-ad-b2c.md = docs\auth-method-howto-oidc-azure-ad-b2c.md
 		docs\auth-method-howto-oidc-azure-ad.md = docs\auth-method-howto-oidc-azure-ad.md
 		docs\auth-method-howto-oidc-facebook.md = docs\auth-method-howto-oidc-facebook.md
@@ -52,6 +53,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{CB5D86A0-D
 		docs\auth-method-howto-saml-2.0-google-workspace.md = docs\auth-method-howto-saml-2.0-google-workspace.md
 		docs\auth-method-howto-saml-2.0-nemlogin.md = docs\auth-method-howto-saml-2.0-nemlogin.md
 		docs\auth-method-howto-saml-2.0-pingone.md = docs\auth-method-howto-saml-2.0-pingone.md
+		docs\auth-method-howto-saml-amazon-iam-identity-center.md = docs\auth-method-howto-saml-amazon-iam-identity-center.md
 		docs\auth-method-oidc.md = docs\auth-method-oidc.md
 		docs\auth-method-saml-2.0.md = docs\auth-method-saml-2.0.md
 		docs\bridge.md = docs\bridge.md
@@ -200,6 +202,18 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
 		docs\images\how-to.vsdx = docs\images\how-to.vsdx
 		docs\images\howto-environmentlink-foxids-auth-method-select.png = docs\images\howto-environmentlink-foxids-auth-method-select.png
 		docs\images\howto-environmentlink-foxids-auth-method-y-select.png = docs\images\howto-environmentlink-foxids-auth-method-y-select.png
+		docs\images\howto-oidc-amazon-cognito-app-client-client-id.png = docs\images\howto-oidc-amazon-cognito-app-client-client-id.png
+		docs\images\howto-oidc-amazon-cognito-app-client-logout.png = docs\images\howto-oidc-amazon-cognito-app-client-logout.png
+		docs\images\howto-oidc-amazon-cognito-app-client.png = docs\images\howto-oidc-amazon-cognito-app-client.png
+		docs\images\howto-oidc-amazon-cognito-authority.png = docs\images\howto-oidc-amazon-cognito-authority.png
+		docs\images\howto-oidc-amazon-cognito-config.png = docs\images\howto-oidc-amazon-cognito-config.png
+		docs\images\howto-oidc-amazon-cognito-urls.png = docs\images\howto-oidc-amazon-cognito-urls.png
+		docs\images\howto-oidc-amazon-cognito-user-pool.png = docs\images\howto-oidc-amazon-cognito-user-pool.png
+		docs\images\howto-oidc-amazon-iam-ic-acs-issuer.png = docs\images\howto-oidc-amazon-iam-ic-acs-issuer.png
+		docs\images\howto-oidc-amazon-iam-ic-binding-format.png = docs\images\howto-oidc-amazon-iam-ic-binding-format.png
+		docs\images\howto-oidc-amazon-iam-ic-certificate-change.png = docs\images\howto-oidc-amazon-iam-ic-certificate-change.png
+		docs\images\howto-oidc-amazon-iam-ic-certificate-type.png = docs\images\howto-oidc-amazon-iam-ic-certificate-type.png
+		docs\images\howto-oidc-amazon-iam-ic-create.png = docs\images\howto-oidc-amazon-iam-ic-create.png
 		docs\images\howto-oidc-azuread-readredirect.png = docs\images\howto-oidc-azuread-readredirect.png
 		docs\images\howto-oidc-facebook-app-details.png = docs\images\howto-oidc-facebook-app-details.png
 		docs\images\howto-oidc-facebook-config.png = docs\images\howto-oidc-facebook-config.png

docs/auth-method-howto-oidc-amazon-cognito.md

@@ -0,0 +1,63 @@
+# Connect to Amazon Cognito with OpenID Connect
+
+FoxIDs can be connected to Amazon Cognito with OpenID Connect and authenticate users in your Amazon Cognito user pool.
+
+You can add support for SAML 2.0 to your Amazon Cognito. 
+By configuring Amazon Cognito as an [OpenID Connect authentication method](auth-method-oidc.md) and a [SAML 2.0 application](app-reg-saml-2.0.md) FoxIDs become a [bridge](bridge.md) between OpenID Connect and SAML 2.0 and automatically convert JWT (OAuth 2.0) claims to SAML 2.0 claims.
+
+## Configure Amazon Cognito
+
+This chapter describes how to configure a connection with OpenID Connect Authorization Code flow and read the users claims from the ID token.
+
+**1 - Start by creating an OpenID Connect authentication method in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+ 1. Navigate to the **Authentication** tab
+ 2. Click **New authentication**
+ 3. Select **OpenID Provider**
+ 4. Add the **Name** e.g. Amazon Cognito
+ ![Read the redirect URLs](images/howto-oidc-amazon-cognito-urls.png)
+
+ 5. Read the **Redirect URL** and **Post logout redirect URL** and save it for later
+
+**2 - Then go to the Amazon Cognito [AWS portal](https://aws.amazon.com/) and create the a new app client**
+
+ 1. Navigate to **Amazon Cognito**
+ 2. Select **User pools** 
+ ![Select user pool in Amazon Cognito](images/howto-oidc-amazon-cognito-user-pool.png)
+ 3. Select existing user pool or create a new user pool
+ 4. Find **Applications** in the menu and click **App clients**
+ 5. Click **Create app client** in the top right corner
+ 6. Select **Traditional web application**
+ 7. Add the name in **Name your application** e.g. FoxIDs
+ 8. Add the FoxIDs **Redirect URL** from before in the **Return URL** field
+ ![Create app client in Amazon Cognito](images/howto-oidc-amazon-cognito-app-client.png)
+ 9. Click **Create app client**
+ 10. Read the **Client ID** and **Client secret** and save it for later
+ ![Save values from app client in Amazon Cognito](images/howto-oidc-amazon-cognito-app-client-client-id.png)
+ 11. Click **Login pages** and click **Edit**
+ 12. Find **Allowed sign-out URLs - optional** click **Add sign-out URL**
+ 13. Add the **Post logout redirect URL** from FoxIDs in the **URL** field
+ ![App client logout in Amazon Cognito](images/howto-oidc-amazon-cognito-app-client-logout.png)
+ 14. You can optionnaly configure aditionally scopes like `phone` and `profile`
+ 15. Click **Save changes** 
+ 16. Find the **View quick setup guide** and example code
+ 17. Find the **authority** in the example code (it is also called **issuerURL**) and save it for later  
+     The authority is in this example is `https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_3nLCUMELB` 
+
+ **3 - Go back to the FoxIDs authentication method in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+ 1. Add the **Authority** from Amazon Cognito
+ ![Add authority URL](images/howto-oidc-amazon-cognito-authority.png)
+ 2. Click **Show advanced** in the top right corner of this configuration section
+ 3. Add the **Optional custom SP client ID** from Amazon Cognito called **Client ID**
+ 4. Add `email` to the **scopes** list, you can possible configure the scopes `phone` and `profile` in Amazon Cognito and FoxIDs
+ 5. Add the **Client secret** from Amazon Cognito
+ 6. Set the **Read claims from the ID token instead of the access token** switch to **Yes**
+ 7. As **Response mode** select **query**
+ ![Configuration in FoxIDs](images/howto-oidc-amazon-cognito-config.png)
+ 8. Click **Create**
+ 9. Click **Test authentication** to test the Amazon Cognito connection  
+
+That's it, you are done.
+
+Your new Amazon Cognito authentication method can be selected as an allowed authentication method in an application registration.

docs/auth-method-howto-oidc-azure-ad-b2c.md

@@ -1,4 +1,4 @@
-# Connect Azure AD B2C with OpenID Connect
+# Connect to Azure AD B2C with OpenID Connect
 
 FoxIDs can be connected to Azure AD B2C with OpenID Connect and thereby authenticating end users in an Azure AD B2C tenant.
 

docs/auth-method-howto-oidc-azure-ad.md

@@ -1,4 +1,4 @@
-# Connect Microsoft Entra ID with OpenID Connect
+# Connect to Microsoft Entra ID with OpenID Connect
 
 FoxIDs can be connected to Microsoft Entra ID (Azure AD) with OpenID Connect and thereby authenticating end users in a Microsoft Entra ID tenant.
 

docs/auth-method-howto-oidc-facebook.md

@@ -1,4 +1,4 @@
-# Connect Facebook with OpenID Connect
+# Connect to Facebook with OpenID Connect
 
 FoxIDs can be connected to Facebook with OpenID Connect and authenticate users with Facebook login or Facebook Limited login.
 
@@ -54,18 +54,16 @@ This chapter describes how to configure a connection with OpenID Connect Authori
  **3 - Go back to the FoxIDs authentication method in [FoxIDs Control Client](control.md#foxids-control-client)**
 
  1. Click **Show advanced** in the top right corner of this configuration section
- 2. Disable the **Single logout** switch
- 3. Add the **Optional custom SP client ID** from Facebook called **App ID**
- 4. Add the two **scopes** `email` and `public_profile`
- 5. Set the **Use PKCE** switch to **No**
- 6. Add the **Client secret** from Facebook called **App Secret**
- 7. Set the **Read claims from the ID token instead of the access token** switch to **Yes**
- 8. As **Response mode** select **query**
- 9. Disable the **Front channel logout** switch
- 10. Disable the **Front channel logout session required** switch
+ 2. Add the **Optional custom SP client ID** from Facebook called **App ID**
+ 3. Add the two **scopes** `email` and `public_profile`
+ 4. Set the **Use PKCE** switch to **No**
+ 5. Add the **Client secret** from Facebook called **App Secret**
+ 6. Set the **Read claims from the ID token instead of the access token** switch to **Yes**
+ 7. As **Response mode** select **query**
  ![Configuration in FoxIDs](images/howto-oidc-facebook-config.png)
- 11. Click **Create**
-
+ 8. Click **Create**
+ 9. Click **Test authentication** to test the Facebook connection  
+
 That's it, you are done.
 
 Your new Facebook authentication method can be selected as an allowed authentication method in an application registration.

docs/auth-method-howto-oidc-google.md

@@ -1,4 +1,4 @@
-# Connect Google with OpenID Connect
+# Connect to Google with OpenID Connect
 
 FoxIDs can be connected to Google with OpenID Connect and authenticate users with Google login.
 
@@ -57,7 +57,8 @@ This chapter describes how to configure a connection with OpenID Connect Authori
  8. Disable the **Front channel logout session required** switch
  ![Configuration in FoxIDs](images/howto-oidc-google-config.png)
  9. Click **Create**
-
+ 10. Click **Test authentication** to test the Facebook connection  
+
 That's it, you are done.
 
 Your new Google authentication method can be selected as an allowed authentication method in an application registration.

docs/auth-method-howto-oidc-identityserver.md

@@ -1,4 +1,4 @@
-# Connect IdentityServer with OpenID Connect
+# Connect to IdentityServer with OpenID Connect
 
 FoxIDs can be connected to an IdentityServer with OpenID Connect and thereby authenticating end users in an IdentityServer.
 

docs/auth-method-howto-oidc-nets-eid-broker.md

@@ -1,4 +1,4 @@
-# Connect Nets eID Broker with OpenID Connect
+# Connect to Nets eID Broker with OpenID Connect
 
 FoxIDs can be connected to Nets eID Broker with OpenID Connect and thereby authenticating end users with MitID and other credentials supported by Nets eID Broker.
 

docs/auth-method-howto-oidc-signicat.md

@@ -1,4 +1,4 @@
-# Connect Signicat with OpenID Connect
+# Connect to Signicat with OpenID Connect
 
 FoxIDs can be connected to Signicat with OpenID Connect and thereby authenticating end users with MitID and all other credentials supported by Signicat.
 

docs/auth-method-howto-saml-2.0-adfs.md

@@ -1,4 +1,4 @@
-# Connect Microsoft AD FS with SAML 2.0
+# Connect to Microsoft AD FS with SAML 2.0
 
 FoxIDs can be connected to AD FS with a [SAML 2.0 authentication method](auth-method-saml-2.0.md). Where AD FS is a SAML 2.0 Identity Provider (IdP) and FoxIDs is acting as an SAML 2.0 Relying Party (RP).
 

docs/auth-method-howto-saml-2.0-nemlogin.md

@@ -1,4 +1,4 @@
-# Connect NemLog-in with SAML 2.0
+# Connect to NemLog-in with SAML 2.0
 
 You can connect FoxIDs to NemLog-in (Danish IdP) with a [SAML 2.0 authentication method](auth-method-saml-2.0.md) and let the users authenticate with MitID. NemLog-in is connected as a SAML 2.0 Identity Provider (IdP).
 
@@ -65,19 +65,17 @@ It is subsequently possible to add a secondary certificate and to swap between t
 3. Add the name
 4. Select show advanced
 5. Select the dot URL binding pattern
-6. Set the session lifetime to 1800 (30 minutes) in the Logout session tab
-7. Go back to the SAML tab
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-top.png)
 
-8. Disable automatic update
-9. Click Read metadata from file and select the NemLog-in IdP-metadata
+6. Disable automatic update
+7. Click Read metadata from file and select the NemLog-in IdP-metadata
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-read-metadata.png)
 
-10. Configure a custom SP issuer, the issuer can optionally start with `https://saml.`
+8. Configure a custom SP issuer, the issuer can optionally start with `https://saml.`
     - The issuer in this example is `https://saml.foxids.com/test-corp/nemlogin-test/`
-11. Optionally remove the `*` and configure claims, the following claims is most often used:
+9. Optionally remove the `*` and configure claims, the following claims is most often used:
     - `https://data.gov.dk/concept/core/nsis/loa`
     - `https://data.gov.dk/model/core/eid/cprNumber`
     - `https://data.gov.dk/model/core/eid/cprUuid`
@@ -92,27 +90,27 @@ It is subsequently possible to add a secondary certificate and to swap between t
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-claims.png)
 
- 12. Set Login hint in Authn request in Subject NameID to Disabled
- 13. In production only! optionally the Certificate validation mode to `Chain trust` if the OCES3 root certificate is trusted on your platform  
+ 10. Set Login hint in Authn request in Subject NameID to Disabled
+ 11. In production only! optionally the Certificate validation mode to `Chain trust` if the OCES3 root certificate is trusted on your platform  
      Set the Certificate revocation mode to `Online`
- 14. Select to include the encryption certificate in metadata
- 15. Set the NameID format in metadata to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
+ 12. Select to include the encryption certificate in metadata
+ 13. Set the NameID format in metadata to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
 
  ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-nameidformat.png)
 
- 16. Add an attribute consuming service in metadata and add the service name.
- 17. Add all the claims configured in step 11 as requested attributes with the format `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`. Optionally set each attribute as required.
+ 14. Add an attribute consuming service in metadata and add the service name.
+ 15. Add all the claims configured in step 11 as requested attributes with the format `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`. Optionally set each attribute as required.
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-attributes.png)
 
- 18. Add at least one technical contact person
+ 16. Add at least one technical contact person
 
 ![NemLog-in SAML 2.0 authentication method](images/howto-saml-nemlogin3-auth-contact.png)
 
- 19. Click create
- 20. Go to the top of the SAML 2.0 authentication method
- 21. Download the SAML 2.0 authentication method SP-metadata, in this case https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata. 
- 22. The SP-metadata file is used to configure the NemLog-in IT system.
+ 17. Click create
+ 18. Go to the top of the SAML 2.0 authentication method
+ 19. Download the SAML 2.0 authentication method SP-metadata, in this case https://foxids.com/test-corp/nemlogin-test/.nemlogin./saml/spmetadata. 
+ 20. The SP-metadata file is used to configure the NemLog-in IT system.
 
  **2) - Then go to the [NemLog-in adminstration protal](https://administration.nemlog-in.dk/)**
 

docs/auth-method-howto-saml-2.0-pingone.md

@@ -1,4 +1,4 @@
-# Connect PingIdentity / PingOne with SAML 2.0
+# Connect to PingIdentity / PingOne with SAML 2.0
 
 FoxIDs can be connected to PingOne with a [SAML 2.0 authentication method](auth-method-saml-2.0.md). Where PingOne is a SAML 2.0 Identity Provider (IdP) and FoxIDs is acting as an SAML 2.0 Relying Party (RP).
 

docs/auth-method-howto-saml-amazon-iam-identity-center.md

@@ -0,0 +1,65 @@
+# Connect to Amazon IAM Identity Center with SAML 2.0
+
+FoxIDs can be added as an external identity provider for Amazon IAM Identity Center with SAML 2.0.
+
+By configuring an [OpenID Connect authentication method](auth-method-oidc.md) and Amazon IAM Identity Center as a [SAML 2.0 application](app-reg-saml-2.0.md) FoxIDs become a [bridge](bridge.md) between OpenID Connect and SAML 2.0 and automatically convert JWT (OAuth 2.0) claims to SAML 2.0 claims.
+
+## Configure Amazon IAM Identity Center
+
+This guide describe how to setup FoxIDs as an external identity provider for Amazon IAM Identity Center. Users is connected with there email address and is required to exist in Amazon IAM Identity Center.
+
+**1 - Start by configuring a certificate in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+You are required to upload the SAML 2.0 metadata from FoxIDs to Amazon IAM Identity Center. It is therefor necessary to use a long living certificate in FoxIDs, e.g. valid for 3 years.
+
+1. Select the **Certificates** tab
+2. Click **Change Container type**
+![Change certificate container type in FoxIDs](images/howto-oidc-amazon-iam-ic-certificate-type.png)
+3. Find **Self-signed or your certificate** and click **Change to this container type**
+4. The self-signed certificate is valid for 3 years, and you can optionally upload you own certificate
+![Change certificate in FoxIDs](images/howto-oidc-amazon-iam-ic-certificate-change.png)
+
+
+**2 - Then go to the Amazon IAM Identity Center in [AWS portal](https://aws.amazon.com/)**
+
+ 1. Navigate to **Amazon IAM Identity Center**
+ 2. Click **Settings** 
+ 3. Click **Choose identity source** (may be located in the **Identity source** section and **Actions** button)
+ 4. Select **External identity provider**
+ 5. Click **Next**
+ 6. Copy the **IAM Identity Center Assertion Consumer Service (ACS) URL** and save it for later
+ 7. Copy the **IAM Identity Center issuer URL** and save it for later
+![Read ACS and issuer in Amazon IAM Identity Center](images/howto-oidc-amazon-iam-ic-acs-issuer.png)
+
+**3 - Then creating an SAML 2.0 application in [FoxIDs Control Client](control.md#foxids-control-client)**
+
+1. Select the **Applications** tab
+2. Click **New application**
+3. Click **Show advanced**
+4. Click **Web application (SAML 2.0)**
+5. Add the **Name** e.g. `Amazon IAM Identity Center`
+6. Add the **Application issuer** from Amazon IAM Identity Center called **IAM Identity Center issuer URL**
+7. Add the **Assertion consumer service (ACS) URL** from Amazon IAM Identity Center called **IAM Identity Center Assertion Consumer Service (ACS) URL** 
+![Add issuer and ACS in FoxIDs](images/howto-oidc-amazon-iam-ic-create.png)
+8. Click **Register**
+9. Click **Close**
+10. Find the application in the list and click on it to edit
+11. Click **Show advanced**
+12. Set the **Authn request binding** to **Post**
+13. Set the **NameID format** to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
+![Set binding and NameID format in FoxIDs](images/howto-oidc-amazon-iam-ic-binding-format.png)
+14. Set the **NameID format in metadata** to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` at the bottom of the application
+15. Click **Update**
+16. Go to the top of the application and click the **SAML 2.0 Metadata URL** link to open it in a browser
+17. Download the metadata as a metadata file
+
+**4 - Go back to the Amazon IAM Identity Center in [AWS portal](https://aws.amazon.com/)**
+
+1. Find the **IdP SAML metadata** and click **Choose file**
+2. Select the metadata file from FoxIDs
+3. Click **Next**
+4. Write **ACCEPT**
+5. Click **Change identity source**
+6. Find the **Identity source** section and the **AWS access portal URL**, click the link to test login (you may need to create a user in FoxIDs)
+
+> Amazon IAM Identity Center do not support logout.