Problems with SPID-TESTENV2

Good morning, spid-testenv2 gives me a decoding error on the SAML AuthnRequest

Note: the keys reported here are only used in development, so I am sharing them without concern.

Error from SPID-TESTENV2:

Impossibile decodificare l'elemento 'SAMLRequest' (unable to decode the 'SAMLRequest' element)

The service provider attempts SPID authentication by producing an auto-submitting HTML page, as indicated in the SPID technical rules.

SAML REQUEST AS ENCODED IN THE POST
(using the library https://github.com/italia/spid-spring, to which the following identity provider was added:
{
  "identifier": "Testenv2",
  "entityId": "http://localhost:8088",
  "name": "Testenv2",
  "imageUrl": "https://www.spid.gov.it/assets/img/richiedi-spid/logo-poste.svg"
}):

pVdZk6LMEn03wv9gMI%2BGTYG7MfYXhbhgKwiC28uNAopF2aRA0F9%2FcWmje76euR1z36oyszKTPIfi8POf3PcqJxwTNwz6FPMCqAoOjNB0A7tPaeqo1qH%2Bef1JkO9FPZgmTqDgY4pJUinOBaR3c%2FSpNA56ISIu6QXIx6SXGL0lnM967AvoRXGYhEboURVICI6TotAgDEjq43iJ45NrYCEwcd6nwO8jNGXWp5wkiUiPpknkmi8eNgz84ia3XY1EcdFwLS4aowkOzOsqKlLgImWSxK6eJviesgj7XJWhKnxxzA1QchvBtUpRxAsN5DkhSXod0OnQhIRUReD71H%2BQbpodE9TqbYBrDavdqulsh6l1MNZ1tt2yELaKSLJAhLgn3Kcs5F3bEAhJi5IkQUHSp1jAdGugWWPrKgN6DbbHdl9aXWZHVRaPaXFucMfgT6PV70GkN1HVRW0hLVWqsnrHsgig7sixvVv1%2BANm7J8To3ccqMoojH2U%2FDn8ailQsG6hvSRGAXFxkFAVsXDIKfJcy8XxbxCkXr80%2F6Q%2Ftv760yS9pWsXKKUxfjyISZ5wZVn2ktVfwtimWQAADbp0EWMS1%2F5BPc9iUwis8LYdoCAM3AJi93LDfY4TJzQr0LPD2E0c%2FzeJGZoB18Q1nBs1g2kEPyj6c2vfTgQa7x3W%2FDDGP2KCasRBbLP1SKlgC8fFu4grmiL0qR%2FfYt7tpHoF4AoG%2Bbz9n119mhsOTtgLI1y8Xe8P9%2Bjs%2Bwm%2Fnhf97x551y5ewm8O71ObxcyYR1%2F3JCvkpfhR5TnD%2B%2FYXEjxBez9S2N7w%2Bekv1jfPHY4l%2FLSfh2bqpeQ1OCs7rKx3adytVi23Xq9K%2FikbiKsDP87Olxi6xxkm6TmS4oXmd4cGe7AP0tS2QqXhH1tslHpOfYGHztJG5dLR9GiSp2%2FQESV9Oteh1alW5X11Jq2muWErre2Jb68P80GKkdydNvEbPyWT8zAbL2dRao155rI3crhTTbQvl5rDk3AWRXBJF3lrKR50gHVndUGp21FbqxDmyVIbkVYTHtxJVVtrwTRrCwrnrazJcTXKps7EmTO%2BhazNMiuXBok7vrSFhhdsmLUdtcJsJG1kxY2VHYcb8YZw2TTuANduJKoHYWyMAh6uYIeY612ob5B4Arm9SxvCSRHLpSo9dt3NCMRMXc23DEEkM3VzO7lw%2ByH2Uul0YI%2F1rN%2B%2FAfc%2B7Ovgh3lxsxe3yyuUIXfzPi13zD8CRf8K46YJujxK0HMzuF50VnEVJPh1Lgg8vAwGEKc2zAQO2sIUioc1iWbqJCSdOQTjwfI4Xgp6nZeHHCdrcM7Z%2BWgPNc4WVxycz%2FmNmKG1nJZL%2Bni137JaijZyNnEMca4a%2BZyH9bmqgflFy9dX2%2F5mY562PdzOlW02glt%2BJct84boYY%2B9QLs383NuyojfzPVD0yQl7KHL24egc3HE3AxyUhyMIpQGUO%2FDqH9hvxXoIv%2BJnufS3DP2KnwWWf8nQr%2FhZLv0tQ7%2FiZ7n0twz9ip8Fpv9iaMGYgochAzN1D80rCyZyYziyZc08W4TJUt0%2FRD45N8LLqamPO3q74dvZJNvy5dJKAXuOs7NRCP8YzV%2FZoACVg1oGsyFHX37FXhuVS3f0C8R3b6jB1fdNxfbSlYJaw9msudAXq4t%2FBLE180HQbu3dHYCYkBPnbhv0ZOw7B1OJ2ZEp%2BLSCuuVSppC1PASGE3Z3e2VVd1AzCI1g6R%2Fkpjq5iEG1oyGLF6saOkW7DtqCI6dJPD8%2FMNFgVkfM7Nxsxeuht5TUcim0gdRMzgM4PA4Jx85G5zdpNpa508bPnGQgHTeWF1%2B4%2BnmaTpxgEjej%2BQKIm86ZSxR0Tq32nmYnDRGe3fhULqHAloxm3t4ZW9gVLuqwmtDAOE3eJrqP90Q7MsxZ
GAR8d7vERymcAsteiKwEOHV8Pqr%2Bm0%2BDFQjVRML1vFziB7x0drbytgH0%2BmIjNGE0XJ9sVqHl42zbVuTWDqExqTuLQdaCjxvp16vjabxfLvTHTwn98VvzkGRR76qNBH4Req5x%2FqjMvi2n%2Fx9lRj%2FbeOh5bN7UfSGSE5wnf9XPIPQjFLvkKj5xjozkIT97HzMPvEJbFp%2FlDxW%2BK0WfOvGqBm5a0Q5P11%2BAZbGesXfB%2BGWx14eY%2FM3TPtyff3Be%2Fws%3D

NOTE: the BASE64 encoding is done in the SPIDIntegrationUtil class of the spid-spring-integration project, in the following method:

```java
// Imports the method needs. The Base64 utility with DONT_BREAK_LINES is assumed to be the
// OpenSAML 2 one that spid-spring builds on; log, printAuthnRequest and
// IntegrationServiceException are members of the enclosing class and are not shown here.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.util.Base64;

public String encodeAndPrintAuthnRequest(AuthnRequest authnRequest) throws IntegrationServiceException {

	String requestMessage = printAuthnRequest(authnRequest);
	// nowrap=true produces a raw DEFLATE stream (no zlib header), which is what the
	// HTTP-Redirect binding expects; the first argument is the compression level
	Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
	ByteArrayOutputStream byteArrayOutputStream = null;
	DeflaterOutputStream deflaterOutputStream = null;

	String encodedRequestMessage;
	try {
		byteArrayOutputStream = new ByteArrayOutputStream();
		deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater);
		// compress the serialised XML; use an explicit charset rather than the platform default
		deflaterOutputStream.write(requestMessage.getBytes(StandardCharsets.UTF_8));
		deflaterOutputStream.close();

		encodedRequestMessage = Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);

		encodedRequestMessage = URLEncoder.encode(encodedRequestMessage, "UTF-8").trim(); // URL-encode the string
	}
	catch (UnsupportedEncodingException e) {
		log.error("encodeAndPrintAuthnRequest :: " + e.getMessage(), e);
		throw new IntegrationServiceException(e);
	}
	catch (IOException e) {
		log.error("encodeAndPrintAuthnRequest :: " + e.getMessage(), e);
		throw new IntegrationServiceException(e);
	}

	return encodedRequestMessage;
}
```

SAML REQUEST BEFORE ENCODING:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" AttributeConsumingServiceIndex="1" Destination="http://localhost:8088/sso" ID="_abdd8d0-370e-4f76-b281-8eebb276faef" IsPassive="false" IssueInstant="2019-05-28T08:57:47.234Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://www.HIDDEN.it">https://www.HIDDEN.it</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#_abdd8d0-370e-4f76-b281-8eebb276faef">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue />
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue />
      <ds:KeyInfo>
         <ds:KeyValue>
            <ds:RSAKeyValue>
               <ds:Modulus>nyRZeRWZur9++fi33+OmvwCNVkDGwyzrAiqLesuypOrPUm9Ec2kgkOJgfoR4mq62pulh3PeEhSga
qdl/sxuKAhNObJMbAf8++Qj+LOVJxcgR6YvD7WkMCueaQ9J5eKDJsHyEwGSLpufGD1zjcxAZTdaj
5EvIyNN0zuPx6SNkb0ebhVzaui8T6VoAxtSUFs65AkiH+UWUnJw7IRBlVfHqVFwJhHhM1mfafXSw
CtiGz7I4lnX1Wgp6owFOXQRirRZBe4rXsBwJr80ig4tTlAArcFnDAVA8sdWZobXaNv0xgZu4IvRN
+/GiiXF0r13TxY1saswdbdYHzBjEeluOvk2q3w==</ds:Modulus>
               <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
         </ds:KeyValue>
         <ds:X509Data>
            <ds:X509Certificate>MIIDAzCCAeugAwIBAgIJANkWspLTHos8MA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDXNwaWQu…</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
   <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
   </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
```

Service Provider metadata (installed in testenv2):

```xml
<?xml version="1.0"?> 
<md:EntityDescriptor 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  
    entityID="https://www.HIDDEN.it"  
    ID="_397e220-3ce8-4374-b35d-003c5ab1a64a"> 
     
    <md:SPSSODescriptor  
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"  
        AuthnRequestsSigned="true"  
        WantAssertionsSigned="true"> 
        
        <md:KeyDescriptor use="signing"> 
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
                <ds:X509Data> 
                    <ds:X509Certificate>MIIDAzCCAeugAwIBAgIJANkWspLTHos8MA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV
BAMMDXNwaWQubGVjY2UuaXQwHhcNMTcxMDA3MTU0MzUxWhcNMjcxMDA1MTU0MzUx
WjAYMRYwFAYDVQQDDA1zcGlkLmxlY2NlLml0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnyRZeRWZur9++fi33+OmvwCNVkDGwyzrAiqLesuypOrPUm9E
c2kgkOJgfoR4mq62pulh3PeEhSgaqdl/sxuKAhNObJMbAf8++Qj+LOVJxcgR6YvD
7WkMCueaQ9J5eKDJsHyEwGSLpufGD1zjcxAZTdaj5EvIyNN0zuPx6SNkb0ebhVza
ui8T6VoAxtSUFs65AkiH+UWUnJw7IRBlVfHqVFwJhHhM1mfafXSwCtiGz7I4lnX1
Wgp6owFOXQRirRZBe4rXsBwJr80ig4tTlAArcFnDAVA8sdWZobXaNv0xgZu4IvRN
+/GiiXF0r13TxY1saswdbdYHzBjEeluOvk2q3wIDAQABo1AwTjAdBgNVHQ4EFgQU
dyfs1wubmkpmsy4ozv5bG8b74mgwHwYDVR0jBBgwFoAUdyfs1wubmkpmsy4ozv5b
G8b74mgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnZKa4B3j5Rgl
uVRa6ELL5PbPVzmq0rfLm0n76jiZ0AessvBiY4/HGmhkdRr2FdIm/Ra9wRsWQE0c
ho9ZjRV3ha5nocnSmkQ5THzNn+8UafDN+UavpZ8aY0qBUODDMk1pCL3a1Ly56rWE
lSOTog0O5tyCAEqEsB2LFyKOLGQBvXmwhtCOqXflrzB3yJuHhnHr5pMP0NX8yBtR
ayuf7j/2H4NAyirvangOc5x7ZcYA9IzTE+t/0cvHKHbmejsUq11yICnD9YSeqOoJ
0fgPN2O0BTGyqTmKm/0V0oTtOe3xDCDOyhYQY40b3PXI5ApEWvg2R/QqLY7RQ6Za
aGs3hPCw6A==</ds:X509Certificate> 
                </ds:X509Data> 
            </ds:KeyInfo> 
        </md:KeyDescriptor> 
        
        <md:KeyDescriptor use="encryption"> 
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
                <ds:X509Data> 
                    <ds:X509Certificate>MIIDAzCCAeugAwIBAgIJANkWspLTHos8MA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV…</ds:X509Certificate>
                </ds:X509Data> 
            </ds:KeyInfo> 
        </md:KeyDescriptor> 
        
        <md:SingleLogoutService 
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.HIDDEN.it/logout" /> 

        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> 

        <md:AssertionConsumerService  
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  
            Location="https://www.HIDDEN.it/sendresponse"  
            index="0"  
            isDefault="true" /> 

        <md:AttributeConsumingService index="1"> 
            <md:ServiceName xml:lang="it">test</md:ServiceName> 
            <md:ServiceDescription xml:lang="it">test</md:ServiceDescription> 
            <md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
            <md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        </md:AttributeConsumingService> 

    </md:SPSSODescriptor> 

</md:EntityDescriptor>
```

SPID-TESTENV2 IdP METADATA:

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.HIDDEN.it:8088">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC7TCCAdWgAwIBAgIJALkxwUJ2vJLaMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV…</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.HIDDEN.it:8088/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.HIDDEN.it:8088/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.HIDDEN.it:8088/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.HIDDEN.it:8088/sso"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="ivaCode"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="fiscalNumber"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="familyName"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="registeredOffice"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="dateOfBirth"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="name"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="idCard"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="companyName"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="spidCode"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="placeOfBirth"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="countyOfBirth"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="gender"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="mobilePhone"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="expirationDate"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="address"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="digitalAddress"/>
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="email"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

What could the problem be?
Thanks

With the HTTP-POST binding there is no Deflate encoding, only Base64: https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/trasmissione.html#binding-http-post

That might be the problem.

Alessandro Ranellucci
Team per la Trasformazione Digitale
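To make the difference between the two bindings concrete, here is an added example in Python (the language spid-testenv2 itself is written in). It is not code from this thread, from spid-spring or from spid-testenv2; the AuthnRequest it uses is a constructed, unsigned stub, and the encoder, decoder and classify() helpers are illustrative names, not an API of either project.

```python
import base64
import urllib.parse
import zlib
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a minimal, unsigned AuthnRequest. A real SPID request is signed and
# carries Issuer, NameIDPolicy and RequestedAuthnContext; none of that affects the binding.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example1" Version="2.0" '
    'IssueInstant="2019-05-28T08:57:47.234Z" Destination="http://localhost:8088/sso"/>'
)


def encode_for_post(xml: str) -> str:
    """HTTP-POST binding: Base64 of the UTF-8 XML and nothing else.
    The result is the value of the SAMLRequest field of the auto-submitting form;
    the browser form-encodes the field itself, so no URL-encoding is applied here."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64, then URL-encoding,
    because the value travels in a query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE stream
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_post_request(saml_request: str) -> ET.Element:
    """What an IdP does with a POST SAMLRequest: Base64-decode and parse the XML directly."""
    return ET.fromstring(base64.b64decode(saml_request, validate=True))


def decode_redirect_request(saml_request: str) -> ET.Element:
    """What an IdP does with a Redirect SAMLRequest: URL-decode, Base64-decode, inflate, parse."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request), validate=True)
    return ET.fromstring(zlib.decompress(raw, -15))


def classify(saml_request: str) -> str:
    """Diagnostic: which binding was a captured SAMLRequest value prepared for?
    A Deflate-compressed (or percent-escaped) value posted as a POST request is not
    Base64 of XML, which is the situation behind 'Impossibile decodificare l'elemento SAMLRequest'."""
    try:
        decode_post_request(saml_request)
        return "post"
    except (ValueError, ET.ParseError):
        pass
    try:
        decode_redirect_request(saml_request)
        return "redirect"
    except (ValueError, ET.ParseError, zlib.error):
        return "undecodable"


if __name__ == "__main__":
    post_value = encode_for_post(SAMPLE_AUTHN_REQUEST)
    redirect_value = encode_for_redirect(SAMPLE_AUTHN_REQUEST)
    print("POST value is seen by the IdP as:", classify(post_value))
    print("Redirect value placed in a POST form is seen as:", classify(redirect_value))
```

Two things worth checking on a captured SAMLRequest before blaming the IdP: whether it inflates (it was built for the Redirect binding) and whether it still carries percent-escapes such as %2F or %2B. The Java method posted above does both the Deflate step and a URLEncoder.encode() step, and the value posted at the top of the thread does contain those escapes; a Base64 decoder on the IdP side will not accept them.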

Good morning everyone,
sorry for butting in, I don't know whether I should open a new topic, because I too have a problem with SPID-TESTENV2: I am trying to set up a test environment (IdP) with SPID-TESTENV2 from source, as illustrated in the guide.
Unfortunately, after creating and configuring everything, when I run the command

python spid-testenv.py

I get the following problem:

ERROR:testenv.log:Errore di sintassi nel file di configurazione: ./conf/config.yaml (syntax error in the configuration file)

The fact is that I am sure the indentation and syntax of config.yaml are fine, as verified with a validator; I don't know what it could be due to, and of course I enabled the required libraries in php.ini and those listed in the prerequisites.

I take the opportunity to thank you in advance, and above all for the great work you have done so far,

thanks, m.


Some details on the environment used that might be useful:

uname -a
Linux lapp 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

lsb_release -a
Distributor ID: TurnKey
Description: TurnKey GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch

The idea is to use an IdP with spid-testenv2 and then build an SP with spid-php-lib

P.S. if I have said something silly feel free to have a go at me, SPID is a new topic for me… thanks again

Hi all, I am trying to activate an idp and I have uploaded the metadata on the site https://idp.spid.gov.it/admin/databasesprecord/

When my SP requests authentication from the AgID test server I get an error page that looks like this:

I can't tell whether the problem is in my assertion or whether there is a problem in the test IdP.

Thanks
Alfonso

Hello,
you need to re-save the metadata after removing the initial <?xml version="1.0" ... ?> declaration

Hello everyone,
I would like to add to my site the ability to log in via SPID or CNS… are there any guides? Where can I find them?
thanks.
regards.

Hello,
you can find all the instructions and useful references for implementing SPID and for the accreditation procedure on the official site:

https://www.spid.gov.it/come-diventare-fornitore-di-servizi-pubblici-e-privati-con-spid

Regards,
Michele D'Amico

Good evening,
spid-testenv2 gives me this error when it receives the SAML AuthnRequest:
UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 539-540: invalid continuation byte
Can anyone tell me where the problem could be?

The data and keys posted below are used only in development; there is no problem sharing them.
The service provider attempts SPID authentication by producing an auto-submitting HTML page, as indicated in the SPID technical rules. The project is based on the library https://github.com/italia/spid-spring.

This is the encoded SAML (the captured value is truncated in places, shown as …):
…%2BCjxkczpTaWduZWRJbmZvPgo8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPgo8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGZlNmEzMzViLTVjZGUtZTg4ZS02YjQxLWY3NjA0YmY2NjIyNiI%2BCjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM%2BCjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz4KPGRzOkRpZ2VzdFZhbHVlLz4KPC9kczpSZWZlcmVuY2U%2BCjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpZ25hdHVyZVZhbHVlLz4KPGRzOktleUluZm8%…%…%2BCjxzYW1sMnA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBDb21wYXJpc29uPSJleGFjdCI%2BCjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHBzOi8vd3d3LnNwaWQuZ292Lml0L1NwaWRMMTwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4KPC9zYW1sMnA6UmVxdWVzdGVkQXV0aG5Db250ZXh0Pgo8L3NhbWxwOkF1dGhuUmVxdWVzdD4K

Below is the code that performs the encoding, in the SPIDIntegrationUtil class:

```java
// Imports the method needs. The Base64 utility with DONT_BREAK_LINES is assumed to be the
// OpenSAML 2 one that spid-spring builds on; log, HTTP_POST, printAuthnRequest and
// IntegrationServiceException are members of the enclosing class and are not shown here.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.util.Base64;

public String encodeAndPrintAuthnRequest(AuthnRequest authnRequest, String binding) throws IntegrationServiceException {
	String requestMessage = printAuthnRequest(authnRequest);
	// nowrap=true produces a raw DEFLATE stream (no zlib header), as the HTTP-Redirect binding expects
	Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
	ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
	String encodedRequestMessage;
	try {
		/** With the HTTP-POST binding there is no Deflate encoding, only Base64 */
		if (binding.indexOf(HTTP_POST) != -1) {
			// explicit charset: the platform default may not be UTF-8
			byteArrayOutputStream.write(requestMessage.getBytes(StandardCharsets.UTF_8));
			byteArrayOutputStream.close();
		} else {
			DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater);
			deflaterOutputStream.write(requestMessage.getBytes(StandardCharsets.UTF_8)); // compressing
			deflaterOutputStream.close();
		}
		// only readable on the POST branch; on the Redirect branch this is compressed data
		log.debug("SAML no encode: " + byteArrayOutputStream.toString(StandardCharsets.UTF_8.name()));
		encodedRequestMessage = Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
		// URL-encoding belongs to the Redirect query string; a POST form field is
		// form-encoded by the browser itself
		encodedRequestMessage = URLEncoder.encode(encodedRequestMessage, "UTF-8").trim(); // encoding string
	}
	catch (UnsupportedEncodingException e) {
		log.error("encodeAndPrintAuthnRequest :: " + e.getMessage(), e);
		throw new IntegrationServiceException(e);
	}
	catch (IOException e) {
		log.error("encodeAndPrintAuthnRequest :: " + e.getMessage(), e);
		throw new IntegrationServiceException(e);
	}
	return encodedRequestMessage;
}
```

This is the SAML before encoding:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" Destination="http://localhost:8088" ID="pfxfe6a335b-5cde-e88e-6b41-f7604bf66226" IssueInstant="2020-02-07T16:42:05.419Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="https://spid.cartsc.eu">https://spid.cartsc.eu</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#pfxfe6a335b-5cde-e88e-6b41-f7604bf66226">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>2tddPn14sKsTYn5W5874eokWD3Eq/g8pCN5lZDiaGgoDzKe9yUGnkKKL3BXMDUd4bRDtxuTShdt4GrMzFJ3VwBM2sGZopWjBpzh/1FPwNiX47/j3KVfcztKk7LjpGDxsG2PLcjxhoqOuoTDqvb5lD4osOr3XxwPXJzkHF4HoKNeu8cTTreQVzqiLnLBM0ojeCwXve2bhNUzVR+GfEyNT18jU2OmA5q2lVrVcWwyk5BrRlVeD7dRZyN1U/oIn+fX0PE3iZyaMcWkH/bawm7AUlGnGIjByIlaGS2J7GZZapeUTYjUlxjrhtttO/kw0Jm0d1nYW5alKGUVfMHTtuZoaOw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
      <ds:X509Data>
        <ds:X509Certificate>…</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
```

Good evening,
the error UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 539-540: invalid continuation byte from spid-testenv2 seemed to be caused by the missing value of the SignatureValue or DigestValue elements of the Signature.
Once these Signature problems were fixed, the spid-testenv2 test environment behaved as expected.

Hi, I am also using the Spring library and my signed authRequest also has no value in the digestValue. I think the error I get from the server, "TypeError: argument should be a bytes-like object or ASCII string, not 'NoneType'", is due to this. How did you add the missing values?
Thanks

Hi,
I added the missing values in the digestValue by performing the signing as the last operation on the Signature.
With reference to the org.opensaml.saml2 libraries, to obtain the authRequest with the signature populated I followed these steps:

  1. create the authRequest and configure it
  2. create the Signature and configure it
  3. sign the Signature.

Cheers, Pierpaolo

Thanks, I finally managed to authenticate. I thought the library did all the work correctly, but instead I had to correct the AuthnRequest parameters and then fix the signature.
Now let's hope that reading back the authentication is less problematic.
Regards

Hi Pietro, sorry to hook onto your issue. Are you by any chance able to change the ID of the authentication request?

Hi Biagio,
if you use the spring library the ID value is derived from the ID present in your (Service Provider) metadata.

Regards

Forgive me, I am new to using SPID. But is it possible for me to build the SAML authentication request locally and then forward it to the various IdPs? Is the format the same?

I am also at my first experience with SPID; the web and the forum are full of information, but I found it disorganised and often dated, so I am losing a lot of time putting everything in order.
You have to create your authentication SamlRequest locally, sign it and send it to the IdP chosen by the user

Good morning, I too am having quite some difficulty using the test identity provider (https://idptest.spid.gov.it) with the italia/spid-php-lib library. Yesterday I was getting errors about the validity of the signature, today a series of validation errors, for example:

Element 'Signature': This element is not expected. Expected is one of ( ContactPerson, AdditionalMetadataLocation ).

The environment seems rather inconsistent and, as pointed out in other threads, sometimes errors are returned that relate to the metadata of other test service providers.

Can anyone confirm whether the environment is working, or whether there are known malfunctions?

Hi @Pierpaolo_Perlini, I am integrating my SP with the demo validator environment. My AuthRequest is generated by Spring Security and applies a digest algorithm that is "XML-Signature Syntax and Processing". To pass all the validator tests I would need to apply one of these digest algorithms:

The digest algorithm MUST be one of [XML Encryption Syntax and Processing, XML Encryption Syntax and Processing, XML Encryption Syntax and Processing]

Have you already run into this issue? If so, how did you manage to solve it?

Hi,
I did not have this problem during tests with the spid validator.
I used XML Encryption Syntax and Processing as the digest algorithm
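Two recurring failure modes in this thread are an AuthnRequest serialised before it was signed (empty DigestValue and SignatureValue, as in the request posted above and in Pierpaolo's fix of signing last) and a digest algorithm the validator rejects (the message quoted above shows the algorithms as specification titles, the xmldsig and xmlenc namespaces, rather than as algorithm URIs). Here is an added example in Python of a pre-flight lint for a serialised AuthnRequest that catches both, plus the Issuer Format and index attributes SPID's technical rules require. It is not code from the thread, from spid-spring or from the validator; the SHA-256-or-stronger rule is taken from the SPID technical rules, the sample requests are constructed with placeholder digest and signature values, and the lint checks structure only, leaving cryptographic verification of the signature to the IdP. Applied to the first request in this thread it would flag the sha1 DigestMethod and the transient Issuer Format; applied to the second, the empty DigestValue and SignatureValue.

```python
from typing import List
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# SPID technical rules: SHA-256 or stronger for both the digest and the signature (SHA-1 is rejected).
ALLOWED_DIGEST_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
ALLOWED_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}


def lint_authn_request(xml: str) -> List[str]:
    """Structural pre-flight checks on a serialised AuthnRequest. Returns the findings
    (an empty list means nothing was flagged). Does not verify the signature cryptographically."""
    root = ET.fromstring(xml)
    findings: List[str] = []
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is %s, not samlp:AuthnRequest" % root.tag]

    req_id = root.get("ID")
    if not req_id:
        findings.append("missing ID attribute")
    for attr in ("AssertionConsumerServiceIndex", "AttributeConsumingServiceIndex"):
        if root.get(attr) is None:
            findings.append("missing %s" % attr)

    issuer = root.find("saml:Issuer", NS)
    if issuer is None:
        findings.append("missing saml:Issuer")
    elif issuer.get("Format") != ENTITY_FORMAT:
        findings.append("saml:Issuer Format must be nameid-format:entity")

    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("missing ds:Signature: SPID requires the AuthnRequest to be signed")
        return findings

    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#%s" % req_id:
        findings.append("ds:Reference URI does not point at the AuthnRequest ID")

    # Empty DigestValue/SignatureValue means the request was serialised before it was signed.
    for path, label in (("ds:SignedInfo/ds:Reference/ds:DigestValue", "DigestValue"),
                        ("ds:SignatureValue", "SignatureValue")):
        el = sig.find(path, NS)
        if el is None or not (el.text or "").strip():
            findings.append("empty %s: sign the request as the last step, then serialise" % label)

    digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if digest is None or digest.get("Algorithm") not in ALLOWED_DIGEST_ALGS:
        findings.append("DigestMethod must be SHA-256 or stronger")
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None or sig_method.get("Algorithm") not in ALLOWED_SIGNATURE_ALGS:
        findings.append("SignatureMethod must be RSA with SHA-256 or stronger")
    return findings


def _sample(digest_alg: str, digest_value: str, signature_value: str) -> str:
    """Constructed AuthnRequest skeleton; digest and signature values are placeholders, not real ones."""
    return f'''<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_req1" Version="2.0"
  IssueInstant="2020-02-07T16:42:05Z" Destination="http://localhost:8088/sso"
  AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">
  <saml:Issuer xmlns:saml="{NS["saml"]}" Format="{ENTITY_FORMAT}"
    NameQualifier="https://sp.example">https://sp.example</saml:Issuer>
  <ds:Signature xmlns:ds="{NS["ds"]}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_req1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>{digest_value}</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>{signature_value}</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>'''


# Serialised before signing and with a SHA-1 digest: the two problems discussed in the thread.
UNSIGNED_SHA1 = _sample("http://www.w3.org/2000/09/xmldsig#sha1", "", "")
# Populated values and a SHA-256 digest: what the lint expects to see.
SIGNED_SHA256 = _sample("http://www.w3.org/2001/04/xmlenc#sha256", "ZGlnZXN0", "c2lnbmF0dXJl")
```

Run lint_authn_request() on the exact string that goes into the SAMLRequest field (after Base64-decoding it if you captured it from the form), not on the in-memory object: the thread's failures came from serialising before signing, and only the serialised form shows that.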