menu di navigazione del network

SPID - Integrazione con spid-passport


(Leonardo) #1

Buongiorno,
sto cercando di implementare l’autenticazione SPID in un’applicazione NodeJS tramite la libreria “spid-passport” (https://github.com/italia/spid-passport).

Per la fase di sviluppo, sto utilizzando l’ambiente SPID di test su docker (https://github.com/italia/spid-testenv2).

Dopo averlo configurato come spiegato nel README.md, ho esposto il container in locale sulla porta 8088.

Successivamente ho configurato l’applicazione NodeJS con i parametri del service provider configurato sull’identity provider ( il container spid di test).

Sfortunamente, quando provo ad a loggarmi tramite il sso ottengo questa risposta:

AuthnRequest - attribute: Destination	Il valore dell'elemento è diverso dal valore atteso (http://localhost:8088): http://localhost:8088/sso
AuthnRequest/NameIDPolicy - attribute: AllowCreate	item not allowed
AuthnRequest/Issuer - attribute: Format	required key not provided
AuthnRequest/Issuer - attribute: NameQualifier	required key not provided

Credo sia un problema della Authentication request che non è formattata correttamente.
Avete qualche suggerimento?

Grazie per il supporto.

Qui sotto i metadata del service provider e la configurazione di passport js:

<?xml version="1.0"?> 
<md:EntityDescriptor 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  
    entityID="http://localhost:3000"  
    ID="_3784f84-6617-4344-9c40-1ab47c94f999"> 
 
<md:SPSSODescriptor  
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"  
    AuthnRequestsSigned="true"  
    WantAssertionsSigned="true"> 
    
    <md:KeyDescriptor use="signing"> 
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
            <ds:X509Data> 
                <ds:X509Certificate>MY CERTIFICATE</ds:X509Certificate> 
            </ds:X509Data> 
        </ds:KeyInfo> 
    </md:KeyDescriptor> 
    
    <md:KeyDescriptor use="encryption"> 
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
            <ds:X509Data> 
                <ds:X509Certificate>MY CERTIFICATE </ds:X509Certificate> 
            </ds:X509Data> 
        </ds:KeyInfo> 
    </md:KeyDescriptor> 
    
    <md:SingleLogoutService 
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:3000/logout" /> 

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> 

    <md:AssertionConsumerService  
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  
        Location="http://localhost:3000/acs"  
        index="0"  
        isDefault="true" /> 

    <md:AttributeConsumingService index="1"> 
        <md:ServiceName xml:lang="it">myService</md:ServiceName> 
        <md:ServiceDescription xml:lang="it">myService description</md:ServiceDescription> 
        <md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="placeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="ivaCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="expirationDate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="digitalAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="registeredOffice" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="idCard" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="countyOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
        <md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/> 
    </md:AttributeConsumingService> 

</md:SPSSODescriptor> 

<md:Organization> 
    <md:OrganizationName xml:lang="it">MyCompany</md:OrganizationName> 
    <md:OrganizationDisplayName xml:lang="it">My Company</md:OrganizationDisplayName> 
    <md:OrganizationURL xml:lang="it">http://localhost:3000</md:OrganizationURL> 
</md:Organization> 

</md:EntityDescriptor>

Applicazione NodeJS

let spidStrategy = new SpidStrategy({
  sp: {
    issuer: "http://localhost:3000",
    entryPoint: 'http://localhost:8088/sso',
    privateCert: privateCert,
    decryptionPvk: decryptionPvk,
    attributeConsumingServiceIndex: 1,
    identifierFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    authnContext: "https://www.spid.gov.it/SpidL1",
    callbackUrl: "http://localhost:3000/acs",
    attributes: {
      name: "Required attributes",
      attributes: ["fiscalNumber", "name", "familyName", "email"]
    },
    organization: {
      name: "LocalHost",
      displayName: "MyLocalHost",
      URL: "http://localhost:3000"
    }
  },
  idp: {
    test: {
      entryPoint: "http://localhost:8088/sso",
      cert: idpCert
    }
  }
}, function(profile, done){

  // Find or create user
  console.log(profile)
  done(null, profile);
})

passport.use(spidStrategy)