AuthnRequest/NameIDPolicy - attribute: AllowCreate item not allowed

Hello,

I have configured spid-testenv2 as a Docker container locally. I then installed Shibboleth 2 SP and configured it as described in spid-sp-shibboleth.
However, I receive the following error from the IdP and I cannot understand how to resolve it:
AuthnRequest/NameIDPolicy - attribute: AllowCreate item not allowed

The authentication request being sent is the following:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://serviceprovider.progettidiimpresa.it:8092/Shibboleth.sso/SAML2/POST" AttributeConsumingServiceIndex="0" Destination="http://idp.progettidiimpresa.it:8088/sso" ForceAuthn="false" ID="_fe7a380806a32963ad44e5f063bb3876" IssueInstant="2019-02-12T13:18:21Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="https://serviceprovider.progettidiimpresa.it:8092/sp">https://serviceprovider.progettidiimpresa.it:8092/sp</saml:Issuer> 
<samlp:NameIDPolicy AllowCreate="1" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<samlp:RequestedAuthnContext Comparison="exact">
	<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

</samlp:AuthnRequest>

I solved the problem in the Shibboleth configuration (shibboleth2.xml) by setting:

<samlp:NameIDPolicy AllowCreate="1" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

this is the complete initiator:

		  <SessionInitiator type="SAML2" Location="/Login" isDefault="true" entityID="https://serviceprovider.progettidiimpresa.it:8092/sp"
		  outgoingBinding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
		  NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
		  isPassive="false"
		  allowCreate="false"
		  signing="true">
		<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_6D20FE6B-8A1D-4D08-8457-73A1E2727CE3" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
			<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="https://serviceprovider.progettidiimpresa.it:8092/sp">https://serviceprovider.progettidiimpresa.it:8092/sp</saml:Issuer>
			<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
			<samlp:RequestedAuthnContext Comparison="exact" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
				<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
			</samlp:RequestedAuthnContext>
		</samlp:AuthnRequest>
	  </SessionInitiator>
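To see exactly what the IdP objects to, here is a small validator, written as an added example for this thread (it is not code from spid-testenv2, Shibboleth or pySAML2), that applies the rule behind the error message: NameIDPolicy must not carry an AllowCreate attribute at all, whatever its value. It also checks that the Format is the transient one, which the SPID technical rules require; that second check goes beyond what the error message itself states. The two sample requests are constructed inline: the first reproduces the rejected request from the post above, the second is a corrected copy built from the SessionInitiator template.

```python
import xml.etree.ElementTree as ET
from typing import List

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Exact wording reported by spid-testenv2 in the thread above.
ALLOW_CREATE_ERROR = "AuthnRequest/NameIDPolicy - attribute: AllowCreate item not allowed"


def check_name_id_policy(authn_request_xml: str) -> List[str]:
    """Return the list of NameIDPolicy problems an SPID IdP would report.

    An empty list means the NameIDPolicy element is acceptable.
    """
    root = ET.fromstring(authn_request_xml)
    findings: List[str] = []

    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, expected samlp:AuthnRequest"]

    policies = root.findall(f"{{{SAMLP}}}NameIDPolicy")
    if len(policies) != 1:
        return [f"expected exactly one samlp:NameIDPolicy, found {len(policies)}"]
    policy = policies[0]

    # The rule is about presence, not value: AllowCreate="0" or "false"
    # is rejected just like AllowCreate="1".
    if "AllowCreate" in policy.attrib:
        findings.append(ALLOW_CREATE_ERROR)

    # SPID requires the transient NameID format (assumption beyond the
    # error message quoted in the thread, taken from the SPID rules).
    fmt = policy.get("Format")
    if fmt != TRANSIENT:
        findings.append(
            f"AuthnRequest/NameIDPolicy - attribute: Format must be {TRANSIENT}, got {fmt!r}"
        )
    return findings


# Constructed sample 1: the request the thread shows being rejected.
REJECTED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_fe7a380806a32963ad44e5f063bb3876" Version="2.0" IssueInstant="2019-02-12T13:18:21Z"
    Destination="http://idp.example.test:8088/sso" ForceAuthn="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="https://sp.example.test/sp">https://sp.example.test/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" Format="{TRANSIENT}"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample 2: the same request with the NameIDPolicy taken from
# the corrected SessionInitiator template (no AllowCreate attribute).
FIXED_REQUEST = REJECTED_REQUEST.replace(
    f'<samlp:NameIDPolicy AllowCreate="1" Format="{TRANSIENT}"/>',
    f'<samlp:NameIDPolicy Format="{TRANSIENT}"/>',
)

# Constructed sample 3: AllowCreate set to false is still rejected.
FALSE_ALLOW_CREATE_REQUEST = REJECTED_REQUEST.replace('AllowCreate="1"', 'AllowCreate="false"')


if __name__ == "__main__":
    for name, req in (("rejected", REJECTED_REQUEST), ("fixed", FIXED_REQUEST),
                      ("allowcreate=false", FALSE_ALLOW_CREATE_REQUEST)):
        print(name, "->", check_name_id_policy(req) or "OK")
```

Run the module directly to see the three verdicts; the point to take away is that a Shibboleth SP must not emit the attribute at all, which is why the corrected template above sets `allowCreate="false"` on the SessionInitiator (so Shibboleth stops adding it) and supplies a NameIDPolicy element without it.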

Hi @vladimirfedonov, I had the same problem with pySAML2.
I solved it by building the message (of type AuthnRequest) by hand, leaving out allow_create.

I opened an issue for the technical discussion here: