Interfacing with the test environment

Hi, I'm trying #spid-php interfaced with #spid-testenv-docker, but I'm running into some difficulties.

I added this entry to the saml20-idp-remote.php file to interface with the test environment:

$metadata['https://spid-testenv-identityserver:9443'] = array (
    'entityid' => 'https://spid-testenv-identityserver:9443',
    'entityDescriptor' => '_5c2n3699-c647-82gd-hfjs-ak4xu6710475',
    'description' =>
    array (
        'it' => 'AGID - IDP Test SPID',
    ),
    'OrganizationName' =>
    array (
        'it' => 'AGID - IDP Test SPID',
    ),
    'name' =>
    array (
        'it' => 'AGID - IDP Test SPID',
    ),
    'OrganizationDisplayName' =>
    array (
        'it' => 'AGID - IDP Test SPID',
    ),
    'url' =>
    array (
        'it' => 'https://www.spid.gov.it',
    ),
    'OrganizationURL' =>
    array (
        'it' => 'https://www.spid.gov.it',
    ),
    'contacts' =>
    array (
    ),
    'metadata-set' => 'saml20-idp-remote',
    'sign.authnrequest' => false,
    'SingleSignOnService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://spid-testenv-identityserver:9443/samlsso',
        ),
        1 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://spid-testenv-identityserver:9443/samlsso',
        ),
    ),
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://spid-testenv-identityserver:9443/samlsso',
        ),
        1 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://spid-testenv-identityserver:9443/samlsso',
        ),
    ),
    'ArtifactResolutionService' =>
    array (
    ),
    'NameIDFormats' =>
    array (
        0 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    ),
    'keys' =>
    array (
        0 =>
        array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIIDZz…',
        ),
    )
);

I do in fact reach the IdP login page:
https://spid-testenv-identityserver:9443/authenticationendpoint/login.do?RelayState

I enter the test credentials, but on the way back I receive this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/www/vhosts/spid.patente.it/httpdocs/spid-php/vendor/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'https://spid-testenv-identityserver:9443/
Backtrace:
2 /var/www/vhosts/spid.patente.it/httpdocs/spid-php/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:134 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
1 /var/www/vhosts/spid.patente.it/httpdocs/spid-php/vendor/simplesamlphp/simplesamlphp/modules/saml/www/sp/saml2-acs.php:91 (require)
0 /var/www/vhosts/spid.patente.it/httpdocs/spid-php/vendor/simplesamlphp/simplesamlphp/www/module.php:137 (N/A)

I checked the various configurations and they seem correct, but evidently I'm missing something.
Both the SP and the IdP run on a local development Linux server (CentOS 7) (spid-testenv-identityserver => localhost, spid.patente.it => localhost).

Any ideas?

Thanks!

Hi @beri75,
in the WSO2 of testenv-docker the entityid is set to spid-testenv-identityserver.
Therefore the identifier in the $metadata array and the value for entityid must be spid-testenv-identityserver:

$metadata['spid-testenv-identityserver'] = array (
    'entityid' => 'spid-testenv-identityserver',
    ...

Also verify that the certificate is the following:

MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=

For further verification you can check the metadata generated by WSO2 by logging in to https://spid-testenv-identityserver:9443 with admin:admin, from the menu: Identity Providers > Resident > Inbound Authentication Configuration > SAML2 Web SSO Configuration > Download SAML Metadata

I also remind you that when saving the SP metadata in WSO2 through the back-office interface you must specify:

Single Logout Service: https:///myservice/module.php/saml/sp/saml2-logout.php/service-l1
Assertion Consumer Service: http:///myservice/module.php/saml/sp/saml2-acs.php/service-l1

as indicated in the SP metadata downloadable from:
/myservice/module.php/core/frontpage_federation.php

Let me know.

Michele D'Amico
Collaborator, Agenzia per l'Italia Digitale

Hi @damikael,
thanks for the reply!

As suggested via Slack
https://developersitalia.slack.com/archives/C7ERREG9Z/p1529938651000585
the problem lies in a configuration difference tied to the single trailing "/" of the Identity Provider Entity Id.

In WSO2 the entity id is "https://spid-testenv-identityserver:9443/" by default, whereas in the generated saml20-idp-remote.php file the value is

$metadata['https://spid-testenv-identityserver:9443']

as you indeed pointed out.
That's where the discrepancy is…
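An added example (not code from spid-php, SimpleSAMLphp or any participant in this thread) that automates the check this thread ends on: it reads the entityID attribute from the SAML metadata XML that WSO2 exports, looks it up among the keys of the $metadata array from saml20-idp-remote.php, and, when the lookup fails, reports whether an existing entry differs only by the trailing "/". The XML fragment and the $metadata array below are constructed samples that reproduce the situation described above, and the function names are my own.

```php
<?php
// Constructed sample of the "Download SAML Metadata" export from WSO2, reduced to the parts
// this check needs. Note the trailing "/" in entityID, as reported in the thread.
$idpMetadataXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://spid-testenv-identityserver:9443/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://spid-testenv-identityserver:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

// Constructed stand-in for the $metadata array of saml20-idp-remote.php: the key and the
// 'entityid' value lack the trailing "/", which is exactly the mismatch SimpleSAMLphp reports
// as "Could not find the metadata of an IdP with entity ID ...".
$metadata = [
    'https://spid-testenv-identityserver:9443' => [
        'entityid' => 'https://spid-testenv-identityserver:9443',
        'SingleSignOnService' => [
            ['Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
             'Location' => 'https://spid-testenv-identityserver:9443/samlsso'],
        ],
    ],
];

/**
 * Return the entityID attribute of the metadata's root EntityDescriptor, or null if absent
 * or if the document does not parse.
 */
function idpEntityIdFromMetadata(string $xml): ?string
{
    libxml_use_internal_errors(true);          // collect parse errors instead of emitting warnings
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is deliberately not set,
    // so external entities in untrusted metadata are never substituted.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $attr = $xpath->query('/md:EntityDescriptor/@entityID')->item(0);
    return $attr === null ? null : $attr->nodeValue;
}

/**
 * Compare the IdP's own entityID with the $metadata configuration.
 * Returns a list of findings; an empty list means the configuration is consistent.
 */
function checkIdpConfig(array $metadata, string $idpEntityId): array
{
    $findings = [];
    if (isset($metadata[$idpEntityId])) {
        // The key SimpleSAMLphp looks up exists; still make sure 'entityid' agrees with it.
        $configured = $metadata[$idpEntityId]['entityid'] ?? null;
        if ($configured !== $idpEntityId) {
            $findings[] = "key '$idpEntityId' found but its 'entityid' value is "
                . ($configured === null ? '(missing)' : "'$configured'");
        }
        return $findings;
    }
    $findings[] = "no \$metadata entry for entity ID '$idpEntityId'";
    // Look for near misses: same identifier up to a trailing slash (string comparison only,
    // no normalisation beyond that, because entity IDs are matched byte-for-byte).
    foreach (array_keys($metadata) as $key) {
        if (rtrim((string) $key, '/') === rtrim($idpEntityId, '/')) {
            $findings[] = "entry '$key' differs only by a trailing '/': "
                . "rename the key and its 'entityid' to '$idpEntityId'";
        }
    }
    return $findings;
}

$idpEntityId = idpEntityIdFromMetadata($idpMetadataXml);
if ($idpEntityId === null) {
    fwrite(STDERR, "could not read entityID from IdP metadata\n");
    exit(1);
}
foreach (checkIdpConfig($metadata, $idpEntityId) as $finding) {
    echo $finding, PHP_EOL;
}
```

To use it against a real deployment, replace the constructed XML with the file downloaded from the WSO2 menu described above and `require` the real saml20-idp-remote.php instead of the inline array. The comparison is intentionally exact: SimpleSAMLphp resolves the IdP by the Issuer of the response as a literal string, so the trailing-slash hint is only a diagnostic, and the fix is to make the key and 'entityid' identical to what the IdP sends.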