Buongiorno,
sto cercando di implementare l’autenticazione SPID in un’applicazione NodeJS tramite la libreria “spid-passport” (https://github.com/italia/spid-passport).
Per la fase di sviluppo, sto utilizzando l’ambiente SPID di test su docker (https://github.com/italia/spid-testenv2).
Dopo averlo configurato come spiegato nel README.md, ho esposto il container in locale sulla porta 8088.
Successivamente ho configurato l’applicazione NodeJS con i parametri del service provider configurato sull’identity provider (il container SPID di test).
Sfortunatamente, quando provo a loggarmi tramite il SSO ottengo questa risposta:
AuthnRequest - attribute: Destination Il valore dell'elemento è diverso dal valore atteso (http://localhost:8088): http://localhost:8088/sso
AuthnRequest/NameIDPolicy - attribute: AllowCreate item not allowed
AuthnRequest/Issuer - attribute: Format required key not provided
AuthnRequest/Issuer - attribute: NameQualifier required key not provided
Credo sia un problema della Authentication request che non è formattata correttamente.
Avete qualche suggerimento?
Grazie per il supporto.
Qui sotto i metadata del service provider e la configurazione di passport js:
<?xml version="1.0"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://localhost:3000"
ID="_3784f84-6617-4344-9c40-1ab47c94f999">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
AuthnRequestsSigned="true"
WantAssertionsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MY CERTIFICATE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MY CERTIFICATE </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:3000/logout" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:3000/acs"
index="0"
isDefault="true" />
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="it">myService</md:ServiceName>
<md:ServiceDescription xml:lang="it">myService description</md:ServiceDescription>
<md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="placeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="ivaCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="expirationDate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="digitalAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="registeredOffice" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="idCard" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="countyOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="it">MyCompany</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="it">My Company</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">http://localhost:3000</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
Applicazione NodeJS
// Service-provider (SP) side of the SPID strategy: issuer, endpoints, keys
// and the attribute set requested from the IdP. `issuer` and `callbackUrl`
// match the entityID and AssertionConsumerService Location of the SP
// metadata published above; `attributeConsumingServiceIndex` (1) matches the
// AttributeConsumingService index there.
// NOTE(review): the metadata's AttributeConsumingService lists many more
// RequestedAttribute entries than the four named here — confirm the two are
// meant to agree.
const spidServiceProvider = {
  issuer: "http://localhost:3000",
  entryPoint: 'http://localhost:8088/sso',
  privateCert, // presumably the SP signing key (metadata has AuthnRequestsSigned="true") — confirm
  decryptionPvk, // presumably the private key matching the "encryption" KeyDescriptor — confirm
  attributeConsumingServiceIndex: 1,
  identifierFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
  authnContext: "https://www.spid.gov.it/SpidL1",
  callbackUrl: "http://localhost:3000/acs",
  attributes: {
    name: "Required attributes",
    attributes: ["fiscalNumber", "name", "familyName", "email"],
  },
  organization: {
    name: "LocalHost",
    displayName: "MyLocalHost",
    URL: "http://localhost:3000",
  },
};

// Identity providers known to the strategy. Only the local spid-testenv2
// container (exposed on port 8088) is configured; `cert` is presumably the
// IdP certificate used to check its signatures — confirm against the library.
const spidIdentityProviders = {
  test: {
    entryPoint: "http://localhost:8088/sso",
    cert: idpCert,
  },
};

// Verify callback: receives the profile produced by the strategy and hands
// it back unchanged via `done`. The "find or create user" step is still a
// placeholder.
// NOTE(review): console.log(profile) prints every released attribute,
// fiscalNumber included — keep it to development builds only.
const onSpidProfile = (profile, done) => {
  // Find or create user
  console.log(profile);
  done(null, profile);
};

// `let` kept on purpose: the binding may be reassigned elsewhere in the file.
let spidStrategy = new SpidStrategy(
  { sp: spidServiceProvider, idp: spidIdentityProviders },
  onSpidProfile,
);
passport.use(spidStrategy);