Commit

Merge pull request #1075 from ITfoxtec/test
Test
Revsgaard authored Dec 10, 2024
2 parents a3a8dad + a20a3c1 commit 28bf360
Showing 101 changed files with 806 additions and 401 deletions.
5 changes: 3 additions & 2 deletions FoxIDs.sln
Expand Up @@ -165,7 +165,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\configure-tenant-custom-domain-my-environment.png = docs\images\configure-tenant-custom-domain-my-environment.png
docs\images\configure-tenant-text.png = docs\images\configure-tenant-text.png
docs\images\configure-tenant.png = docs\images\configure-tenant.png
docs\images\configure-user-external.png = docs\images\configure-user-external.png
docs\images\configure-user-mfa.png = docs\images\configure-user-mfa.png
docs\images\configure-user.png = docs\images\configure-user.png
docs\images\connections-app-reg-oauth.svg = docs\images\connections-app-reg-oauth.svg
Expand Down Expand Up @@ -271,14 +270,16 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{CB8812
docs\images\upload-risk-passwords-seed-client.png = docs\images\upload-risk-passwords-seed-client.png
docs\images\user-create-new-account-config.png = docs\images\user-create-new-account-config.png
docs\images\user-create-new-account.png = docs\images\user-create-new-account.png
docs\images\user-external-auth-method-redemption.png = docs\images\user-external-auth-method-redemption.png
docs\images\user-external-create-new-account-config.png = docs\images\user-external-create-new-account-config.png
docs\images\user-external-create-new-account.png = docs\images\user-external-create-new-account.png
docs\images\user-external-redemption.png = docs\images\user-external-redemption.png
docs\images\user-login.png = docs\images\user-login.png
EndProjectSection
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FoxIDs.ConvertCertificateTool", "tools\FoxIDs.ConvertCertificateTool\FoxIDs.ConvertCertificateTool.csproj", "{AF16CC91-2EEA-4790-8672-9ACCA430991D}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FoxIDs.ResourceTranslateTool", "src\FoxIDs.ResourceTranslateTool\FoxIDs.ResourceTranslateTool.csproj", "{B63EC694-505A-4730-92B7-6827B8E61A6E}"
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "FoxIDs.ResourceTranslateTool", "tools\FoxIDs.ResourceTranslateTool\FoxIDs.ResourceTranslateTool.csproj", "{B63EC694-505A-4730-92B7-6827B8E61A6E}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Docker", "Docker", "{93A3AFF1-8A33-4CA6-8F25-EECD477D73D1}"
ProjectSection(SolutionItems) = preProject
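Review bot: The change of the FoxIDs.ResourceTranslateTool.csproj path from `src\` to `tools\` is unrelated to the documentation-image additions in this hunk, and the commit message `Test` does not mention it; confirm that the project directory was actually moved in this PR (no such move is visible here), otherwise Visual Studio will fail to load that project from the solution, and consider stating the move in the commit message.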
2 changes: 2 additions & 0 deletions docs/auth-method-howto-saml-2.0-google-workspace.md
Expand Up @@ -4,6 +4,8 @@ Connect Google Workspace to FoxIDs with an [SAML 2.0 authentication method](auth

By configuring an [SAML 2.0 authentication method](auth-method-saml-2.0.md) and a [OpenID Connect application](app-reg-oidc.md) FoxIDs become a [bridge](bridge.md) between SAML 2.0 and OpenID Connect and automatically convert SAML 2.0 claims to JWT (OAuth 2.0) claims.

> The Google Workspace OpenID Connect implementation is lacking, mostly because it does not support any custom claims or group claims. It is therefor recommended to use Google Workspace with SAML 2.0.
## Configuring Google Workspace
This guide describe how to setup Google Workspace as a SAML 2.0 Identity Provider.

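Review bot: In the added note, "therefor" should be "therefore". A blank line between the `>` note and the `## Configuring Google Workspace` heading would also keep the quote visually separated from the section that follows (the heading does terminate the quote, so this is a readability point only).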
2 changes: 1 addition & 1 deletion docs/auth-method-howto-saml-2.0-nemlogin.md
Expand Up @@ -16,7 +16,7 @@ FoxIDs support NemLog-in and the SAML 2.0 based OIOSAML3 including single logout
NemLog-in documentation:
- The [NemLog-in development portal](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/) with documentation
- [test](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/integrationstestmiljo/), where you can find the NemLog-in IdP-metadata for test and get OCES3 test certificates
- [test](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/integrationstestmiljo/), where you can find the NemLog-in IdP-metadata for test and download the OCES3 test certificate
- [production](https://tu.nemlog-in.dk/oprettelse-og-administration-af-tjenester/log-in/dokumentation-og-guides/produktionsmiljo/), where you can find the NemLog-in IdP-metadata for production
- Create OCES3 production certificate in the [certificate administration](https://erhvervsadministration.nemlog-in.dk/certificates)
- The [NemLog-in administration portal](https://administration.nemlog-in.dk/) where you configure IT-systems
2 changes: 1 addition & 1 deletion docs/control.md
Expand Up @@ -97,7 +97,7 @@ The administrator role `foxids:tenant.admin` grants access to all data in a tena
#### Tenant access rights
The tenant access rights is at the same time both scopes and roles.

> If the scope you need is not defined on the Control API `foxids_control_api` you can add the scope. The same goes for roles which has to be defined on the user or the calling client.
> If the scope you need is not defined on the Control API `foxids_control_api` you can add the scope.
The `:track[xxxx]` specifies a tenant e.g., the `dev` tenant is `:track[dev]`.

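Review bot: Deleting "The same goes for roles which has to be defined on the user or the calling client." removes the only statement in this section of where a role must be granted; if that requirement still holds, move the sentence rather than drop it, because a reader setting up Control API access needs to know that defining a scope on `foxids_control_api` does not by itself grant the role. Separately, the context line "The `:track[xxxx]` specifies a tenant ..." directly follows the `>` line with no blank line in between, so Markdown renders it as a lazy continuation of the blockquote; add a blank line after the note.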
Binary file removed docs/images/configure-user-external.png
Binary file not shown.
Binary file modified docs/images/user-external-create-new-account-config.png
Binary file added docs/images/user-external-redemption.png
31 changes: 23 additions & 8 deletions docs/users.md
Expand Up @@ -3,7 +3,7 @@ Users are saved in the environment's user repository. To achieve multiple user s

There are two different types of users:
- [Internal users](#internal-users) which are authenticated using the [login](login.md) authentication method.
- [External users](#external-users) which are linked by an authenticated method to an external user/identity with a claim. The user is authenticated in an external Identity Provider using an authenticated method: OpenID Connect, SAML 2.0, External Login or Environment Link.
- [External users](#external-users) which are linked by an authenticated method to an external user/identity with a claim. The users are authenticated in an external Identity Provider and the users can be [redeemed](#provision-and-redeem) based on e.g. an `email` claim.

## Internal users
Internal users can be authenticated in all [login](login.md) authentication methods in an environment, making is possible to [customize](customization.md) the login experience e.g., depending on different [application](connections.md#application-registration) requirements.
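Review bot: The added line keeps "an authenticated method" (twice) where the rest of the page, including the preceding bullet, uses "authentication method"; please change both occurrences so the term stays consistent with the `[login](login.md) authentication method` wording. In the unchanged context line, "making is possible" should read "making it possible".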
Expand Down Expand Up @@ -53,17 +53,17 @@ Current supported hash algorithm `P2HS512:10` which is defined as:
Standard .NET liberals are used to calculate the hash.

## External users
An external user is linked to one authentication method and can only be authenticated with that particular authentication method. External users can be linked to the authentication methods: OpenID Connect, SAML 2.0, External Login or Environment Link.
An external user is linked to one authentication method and can only be authenticated with that particular authentication method. External users can be linked to the authentication methods: OpenID Connect, SAML 2.0, External Login and Environment Link.
It is optional to use external users, they are not created by default.

All external user grouped under a authentication method is linked with the same claim type (e.g. the `sub` or `email` claim type) and the users are separated by unique claim values.
All external user grouped under an authentication method is linked with the same claim type (e.g. the `sub` claim type) and the users are separated by unique claim values.

> With external users you can store claims on each user. E.g. store the your user ID claim representing the user in your system and thereby mapping the external user ID to your user ID.
A unique ID is by default added to each external user.
An automatically generated unique ID is added to each external user by default.

### Create external user
Depending on the selected authentication method's configuration, new users is asked to fill out a form to create a user.
Depending on the selected authentication method's configuration, new users is optionally asked to fill out a form to create a user.

![New external users create an account](images/user-external-create-new-account.png)
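Review bot: Two grammar issues in the added lines: "All external user grouped under an authentication method is linked" should be "All external users grouped under an authentication method are linked", and "new users is optionally asked" should be "new users are optionally asked". Also, the added line "An automatically generated unique ID is added to each external user by default." now directly follows the `>` quote (the removed line sat in the same position), so it renders as a lazy continuation of the blockquote; insert a blank line after the quote. Narrowing the example claim type to `sub` is a good change, since it no longer suggests linking on `email`, which the new redeem section below advises against.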
Expand All @@ -78,9 +78,24 @@ This is the configuration in a [OpenID Connect](auth-method-oidc.md) authenticat

> If the login sequence is started base on a [login](login.md) authentication method, it provides the basis for the UI look and feel ([customize](customization.md)). Otherwise, the default [login](login.md) authentication method is selected as the base.
### Provisioning
### Provision and redeem
External users can be created, changed and deleted with the [Control Client](control.md#foxids-control-client) or be provisioned through the [Control API](control.md#foxids-control-api).

![Configure Login](images/configure-user-external.png)
You probably do not know the link claim value in advanced because it is an external user ID. But if you do, it is possible to create users and associate them with the link claim value. Most often, you will know a redemption claim in advanced instead.

The external users can be redeemed by a redemption claim type (e.g. `email`) and they are then automatically linked with the link claim type.
It is bad practice to link users based on there email over a long period of time, as emails can change. But the email is unlikely to change within the short redemption period.

Once the user has been redeemed, the external user is subsequently logged in based on the link claim value.

This authentication method is configured with `email` claim redemption and `sub` link claim type.

![Authentication method, external user redemption](images/user-external-auth-method-redemption.png)

And user's is added with their known email as the redemption claim value.

![External user redemption](images/user-external-redemption.png)

In this example the user is connected to Google Workspace with an OpenID Connect authentication method and a `app_user_id` claim is added with an internal user ID.

In this example the user is connected to Azure AD with an OpenID Connect authentication method and a `app_user_id` claim is added with the internal user ID.
> You can reset a redeemed user by deleting the link claim value and, if necessary, also changing the redemption claim value. The external user is then redeemed again next time the user logs in.
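Review bot: Several added lines need copy fixes: "in advanced" should be "in advance" (both occurrences), "based on there email" should be "based on their email", "And user's is added with their known email" should be "And users are added with their known email", and "a `app_user_id` claim" should be "an `app_user_id` claim". On substance, "the short redemption period" is not defined; since the next paragraph says login is by link claim value once the user has been redeemed, state explicitly that the redemption window closes at the first successful login, and that the reset procedure in the final note reopens it, so readers understand how long an `email` match is trusted. The stale `![Configure Login](images/configure-user-external.png)` reference is correctly removed along with the binary file.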

0 comments on commit 28bf360