Problem with SPID Validator/Demo

Good morning,

I started spid-saml-check 1.9.5 with Docker and it answers on localhost, port 8443.
I downloaded the validator's metadata and started my Spring application, which answers on my IP, with consistent SP metadata.

I then forward the request to the IdP, log in on the validator, and download the SP metadata, which is correctly validated with the simple validation.

At this point I display the SAML request and try to validate it, getting the following error:

Error while loading report: Traceback (most recent call last):
  File "/usr/local/bin/spid_sp_test", line 306, in
    metadata_check = _cls(**data_md)
  File "/usr/local/lib/python3.9/dist-packages/spid_sp_test/metadata.py", line 50, in __init__
    self.metadata = self.get(metadata_url)
  File "/usr/local/lib/python3.9/dist-packages/spid_sp_test/metadata.py", line 64, in get
    return open(metadata_url[7:], "rb").read()
FileNotFoundError: [Errno 2] No such file or directory: '../data//sp-metadata.xml'

For completeness, here is the SAML envelope:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AssertionConsumerServiceURL="http://192.168.1.67:8080/spidLogin" AttributeConsumingServiceIndex="1" Destination="https://localhost:8443/samlsso" ID="_f7ea52f2bc464643a609b642560efb46" IsPassive="false" IssueInstant="2023-08-09T07:42:55.878Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://myspidsp.it"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_f7ea52f2bc464643a609b642560efb46">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>
                    LAe9vsReXERJzeEeDswa5L2mjyY=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            ...
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIIGJjCCBI6gAwIBAgIUQBmmnWG0ueosiUedL++nRESzI/8wDQYJKoZIhvcNAQELBQAwgYoxJDAi...
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            https://www.spid.gov.it/SpidL2
        </saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

If I try to point to the demo environment, it obviously doesn't accept the request.

I'm not familiar with Docker, but the error seems to indicate that it can't find the metadata to compare the AuthnRequest against (permission problems, maybe?).

Regarding the AuthnRequest, there are the following errors:

  • Remove AssertionConsumerServiceURL and ProtocolBinding (they are redundant with respect to AssertionConsumerServiceIndex)
  • Remove IsPassive (not foreseen by the SPID technical rules)
  • For an exact SPIDL2 you need to add ForceAuthn=true as an attribute of the AuthnRequest tag

Thanks.
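As an added example (not code from this thread or from spid-saml-check), a small Python check for the three points listed above, run against the AuthnRequest posted in the thread with its ds:Signature removed; it also treats an exact SpidL3 request the same way as SpidL2, as the SPID technical rules do.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the thread's AuthnRequest without its ds:Signature element.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceIndex="0"
    AssertionConsumerServiceURL="http://192.168.1.67:8080/spidLogin"
    AttributeConsumingServiceIndex="1" Destination="https://localhost:8443/samlsso"
    ID="_f7ea52f2bc464643a609b642560efb46" IsPassive="false"
    IssueInstant="2023-08-09T07:42:55.878Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="http://myspidsp.it"/>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            https://www.spid.gov.it/SpidL2
        </saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
"""

def check_authn_request(xml_text: str) -> list:
    """Return the rule violations found in one AuthnRequest (empty list = clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Index-based ACS selection must not be mixed with URL/binding attributes.
    if "AssertionConsumerServiceIndex" in root.attrib:
        for attr in ("AssertionConsumerServiceURL", "ProtocolBinding"):
            if attr in root.attrib:
                findings.append(f"{attr} is redundant with AssertionConsumerServiceIndex")
    # IsPassive is not foreseen by the SPID technical rules.
    if "IsPassive" in root.attrib:
        findings.append("IsPassive must not be present")
    # An exact SpidL2 (or SpidL3) request must carry ForceAuthn="true".
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    ref = ctx.find(f"{{{SAML}}}AuthnContextClassRef") if ctx is not None else None
    level = (ref.text or "").strip().rsplit("/", 1)[-1] if ref is not None else ""
    if ctx is not None and ctx.get("Comparison") == "exact" and level in ("SpidL2", "SpidL3"):
        if root.get("ForceAuthn", "").lower() != "true":
            findings.append(f'ForceAuthn="true" is required for exact {level}')
    return findings
```

Running it on the posted request reports all three points; once the attributes are removed and ForceAuthn="true" is added, the list is empty.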

I'm afraid there's more; I opened a couple of bugs on the dedicated channel, let's see what they say.

Hi, what was your problem? I get the same error, thanks in advance.

The image is clearly broken; if you're pulling latest, switch to a previous version and try.