Salve,
inizio con il ringraziarvi dell’eventuale supporto che saprete darmi.
Gli step che ho compiuto sono i seguenti:
-
Ho scaricato ed avviato correttamente la SDK-Spring, italia/spid-testenv2 (avviato direttamente dall’immagine presa da docker-hub) e SPID Validator (Build & start con docker).
-
Ho installato i certificati della mia organizzazione all’interno del KeyStore.jks contenuto nell’SDK (usando il keytool jdk8)
-
Ho firmato il metadata-sp.xml attraverso xmlsectool.sh con il comando
./xmlsectool.sh --sign --inFile metadata/metadata-sp.xml --outFile out.xml --certificate crt/mycert.cer --keyFile crt/mycert.key
-
ho posto alla validazione dello SPID-Validator sino a che non ho ottenuto tutti i segnali verdi (NB, ho rimosso il tag <?xml version=“1.0” encoding=“UTF-8” > come trovato in una issue sul forum per il problema “Parsing utf-8”
-
Ho inserito nella configurazione dello italia/spid-testenv2 il mio metadata e riavviato il container, verificato poi che sull’interfaccia grafica fosse disponibile il mio endpoint
-
Ho eseguito in locale da postman la chiamata all’SDK per ottenare la SAML Request.
PRIMO ERRORE: La SDK restituisce un formato che l’ambiente di test liquida con
Impossibile decodificare l’elemento ‘SAMLRequest’
- Sono andato in debug, ho quindi preso la SAML Request ed l’ho codificata in base64 inviandola all’ambiente di test sempre con una post in cui ho compilato i campi:
SAMLRequest e RelayState su tipo post FORM-DATA.
ottengo quindi:
AuthnRequest - attribute: IsPassive item not allowed
AuthnRequest/Issuer - attribute: Format Il valore dell’elemento è diverso dal valore atteso (urn:oasis:names:tc:SAML:2.0:nameid-format:entity):
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Allego la mia SAMLRequest:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AssertionConsumerServiceURL="https://PRIVATE/spid/signin.html" AttributeConsumingServiceIndex="1" Destination="http://localhost:8088/sso" ID="_abdd8d0-370e-4f76-b281-8eebb276faef" IsPassive="false" IssueInstant="2021-04-09T08:58:39.939Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="PRIVATE">PRIVATE</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_abdd8d0-370e-4f76-b281-8eebb276faef">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>............</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>MIIG..............6tVggXjY</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
ed anche il mio metadata
<?xml version="1.0" encoding="UTF-8" standalone="no"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:spid="https://spid.gov.it/saml-extensions" ID="_abdd8d0-370e-4f76-b281-8eebb276faef" entityID="https://PRIVATE"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Tb3......oc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
........
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
.........
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>
MIIGJ....XjY
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIGJjCCB...ggXjY</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIGJ.....VggXjY</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PRIVATE/logout"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PRIVATE/spid/signin.html" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://PRIVATE/spid/login.html" index="1" isDefault="false"/>
<md:AttributeConsumingService index="2">
<md:ServiceName xml:lang="it">Login</md:ServiceName>
<md:ServiceDescription xml:lang="it">Login</md:ServiceDescription>
<md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="it">Iscrizione</md:ServiceName>
<md:ServiceDescription xml:lang="it">Iscrizione</md:ServiceDescription>
<md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="placeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="ivaCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="expirationDate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="countyOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="idCard" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="registeredOffice" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="digitalAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="it">PRIVATE</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="it">PRIVATE</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">https://PRIVATE/</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="other">
<md:Extensions>
<spid:VATNumber>IT12345678901</spid:VATNumber>
<spid:FiscalCode>XYZABCAAMGGJ000W</spid:FiscalCode>
<spid:Private/>
</md:Extensions>
<md:EmailAddress>tech-info@example.org</md:EmailAddress>
<md:TelephoneNumber>+39 8472345634785</md:TelephoneNumber>
</md:ContactPerson>
</md:EntityDescriptor>
secondo voi dove sto sbagliando?