Spid Validator: Test case 98

I would like to draw attention to the outcome of this test:
AttributeStatement element present, but Attribute sub-element missing. Expected result: KO

This test case conflicts with all the other test cases that are supposed to give a positive result, but which are also missing the indicated sub-element.
Adding a check for this requirement, and therefore raising an exception (error) when it is missing, would invalidate the other test cases that are supposed to give a positive result (for example test case 1).

Could you please clarify the exact meaning or behaviour of this test, given that it generates the same response (only the date and the IDs change) as the ones that are expected to give a positive result?

Good morning @gdecagna,
the SPID technical rules specify that:

the AttributeStatement element may be present, carrying the identifying
attributes certified by the Identity Provider. If present, this element must include:

  • one or more <Attribute> elements relating to attributes that the Identity Provider
    can release (see the SPID attribute table) at the request of the Service Provider, expressed through the AttributeConsumingServiceIndex attribute when present in the AuthnRequest;

Therefore, if AttributeStatement is present (because at least one set of attributes was requested in the AuthnRequest), it must contain at least one Attribute element (in relation to the requested set of attributes), and the Attribute elements must in turn contain an AttributeValue, possibly empty.

Test #98 therefore covers the case in which AttributeStatement is present but with no Attribute element, which is not an allowed case.

Michele D’Amico

I reported test case 98 because, when also using the validator at the endpoint https://www.spid-validator.it, if I insert our metadata (the one for which SP certification was requested), the fields (CF, address) are not prefilled, not even for test case no. 1 nor for the ones that are supposed to succeed, so the response had the AttributeStatement field but without Attributes, exactly like test case 98.

I notice instead that if I load the metadata the fields are prefilled (I mean C.F., address etc.)
Why this different behaviour of the validator?

A first certification request was in fact rejected precisely because it already failed the first test case, since there is a check on the presence of AttributeStatement but on the absence of its Attribute children.

If the behaviour is as you rightly described, I will put back the check on the presence of at least one child.

Below is the response for case 1 when the metadata is loaded and when it is not.

With metadata:
<samlp:Response Destination="https://espid.exprivia.it/eSpid/responseSaml" ID="_0d3e430e-d2ab-4a8c-ab87-bec169313b25" InResponseTo="_182f227b-898f-47da-9dc5-81f344c2309f" IssueInstant="2021-05-04T12:38:59+02:00" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.spid-validator.it</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_0d3e430e-d2ab-4a8c-ab87-bec169313b25">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>f1PkQPKMYfzCggTESB50rY3Pf27Yg3Tke0PwQqp68PA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HJoemP7W911q8mjsg2+Ge9H2wU02BpD8f4mjSVcafrBF2dmygOfcns8Cb7ifH778lLVBqeMQzg1XIWrElqaVMpKLFBHuK3Q4sczZiCn264fmFBofn+Aa9KfJRj93GytwhL3T+YhHNERgPYBIaDWAqCl1yYvbCekjSgOSytyoUTdpNrcMWhdAIg3qFgZQvletoCtw8nMp6LhOOuYrSJkFgDsZWrZjkDmZBgTX/dgqzd8MXmHKaSRqeUkZTjT6ivQKSGHx7v0oVy0IVqmI6IkZNSTMGgY44h/ySjo6+z6iY1b8E7DzmAD3tnYzXLxQTBt6/YLTau4cpQIoEdN9mjIcJw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_c0468681-2f12-4142-b6a4-5d8c442ce6ac" IssueInstant="2021-05-04T12:38:59+02:00" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.spid-validator.it</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_c0468681-2f12-4142-b6a4-5d8c442ce6ac">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>oxYY4p5ARXXqlK24Azc07pfiE35qDdjQeWXSgNNjHb0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FRjxOGebnp5dtKNNrAqLeTXwWaJjCkI3yNvgqICq4s2C7DAQiZro71U3Il48rHTqHuujGpL3VmcVQBTwCBoP+tSRNbplrAkRV5L0vmcbSg2wMitO8qsaFUzhtQpPJy9Y8b1/V320CY5dEmpuEhGq3inHO7t625VeLxAOT0r2VNqDIqCJPPn4vTY2agYUH1coGB7hyR7vGJP8x+5uWWhhBoJYkbBQjEiXqSOEDnHx3t75fnUsXeGUaaYDnNoxb7Fn4vkeDSuvz4wtncb0QNZolbv7JfAQI2pOalSSwMIZF0mVxYfeI0BlAi9tWX0vCwWObNYEevb1L6Ka2ba731ZVgQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://validator.spid.gov.it">_fa250db4-4560-4828-b8f0-f04f1ade7c4f</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_182f227b-898f-47da-9dc5-81f344c2309f" NotOnOrAfter="2021-05-04T12:43:38+02:00" Recipient="https://espid.exprivia.it/eSpid/responseSaml"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-05-04T12:38:59+02:00" NotOnOrAfter="2021-05-04T12:43:38+02:00">
<saml:AudienceRestriction>
<saml:Audience>https://espid.exprivia.it</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-05-04T12:38:59+02:00" SessionIndex="_29ac0e87-2a02-44d4-991b-30e6335a76f7">
<saml:AuthnContext>
<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement/>
</saml:Assertion>
</samlp:Response>

Without metadata:
<samlp:Response Destination="" ID="_36f51fc5-7405-4501-9ae8-ea8cbf58886a" InResponseTo="_d1f47a2c-aa0b-4612-ac7d-51c011687b30" IssueInstant="2021-05-04T12:35:24+02:00" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.spid-validator.it</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_36f51fc5-7405-4501-9ae8-ea8cbf58886a">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>KsuLNufnpSR71beCGR/IKoIxx/pfldCI636kCtCrSS0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>o4/1RSO60jVwT1azF8fdxbpboMg8nKWoopbxutvWZUpPmN41NitxKdwsACvX7cXS+YpSyaRupOsL+t/pEy1LyfJklx01Xc4rH1iaNM773DBUtZKxC16xbRNpRRDILA5hbBsMoPzSJmUmlCJhkEsjdDg2p2S0PZi+RxYi1qlxc8L1DR3yo4uwktDtPasIHmAKagTYMGo80f2U2rgAsPgPdRmFcl6Xr0O/bg4GKCc8UGzBQ4HwHTvHPzINeOp7Pjaqbqbb8vdKmxSoUxU+DyG0ds7NjRiRFbWrJCkSUDt5FLJVcKpf+qaeKK3f2VlUL1NbWWXuW+pYK7ewq7x3jIZKkw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="_1e5f158b-3f62-43da-a83c-99272baedc63" IssueInstant="2021-05-04T12:35:24+02:00" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.spid-validator.it</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_1e5f158b-3f62-43da-a83c-99272baedc63">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>baX8oVbO1Z+8DnVX1OWvY8Wpm4nIF6b0kudaFBPCG4s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TRMW7nvgjqzXVliDsBvx9v1+O2YWJmZx33lLcSjqC4Dtclxif4TtMiU0bHYlcr1mrhoZ10QGdNlioyXAg5FUnYKcxDnjU75JheoNL+anHlL6nCERG0Ui2oNSEnKHcrC73Y3Y4jFEH1Xv6MPDutLMQY8jM4v022hTIzSuT6AER99wgXd1O4wfnfgNg0lvGQ+11O73DZDnZAWfc9GoJFx+Xv9ctBDPT1AvV0aXwxmlRcZSnLlrrOSognIC8ErBl6whkZlOPNUBoC+sR7Doo2JIwiF1rUD9267pBz2IZxcFOLgwYZKyF3muB+Mro/+2rPBGi39593sADg5f7PKAeimcEA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://validator.spid.gov.it">_ed4b6cde-8889-4af1-a1e7-f6c2b8f92867</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_d1f47a2c-aa0b-4612-ac7d-51c011687b30" NotOnOrAfter="2021-05-04T12:40:16+02:00" Recipient=""/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-05-04T12:35:24+02:00" NotOnOrAfter="2021-05-04T12:40:16+02:00">
<saml:AudienceRestriction>
<saml:Audience/>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-05-04T12:35:24+02:00" SessionIndex="_d5e5be26-feb2-4a22-aee8-bf575a15b10b">
<saml:AuthnContext>
<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AGID-001</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SpidValidator</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AgID</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="placeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Roma</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="countyOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">RM</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="dateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:date">2000-01-01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">M</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Agenzia per l’Italia Digitale</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="registeredOffice" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Via Listz 21 00144 Roma</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TINIT-GDASDV00A01H501J</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="ivaCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VATIT-97735020584</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="idCard" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CartaIdentità AA00000000 ComuneRoma 2018-01-01 2028-01-01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="expirationDate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:date">2028-01-01</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mobilePhone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">+393331234567</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">spid.tech@agid.gov.it</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Via Listz 21 00144 Roma</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="digitalAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pec@pecagid.gov.it</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="companyFiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TINIT-GDASDV00A01H501J</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="domicileStreetAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Via Listz 21</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="domicilePostalCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">00144</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="domicileMunicipality" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Roma</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="domicileProvince" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">RM</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="domicileNation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

I notice instead that if I do NOT load the metadata the fields are prefilled (I mean C.F., address etc.)

The set of attributes to be returned to the SP is retrieved from the metadata based on the AttributeConsumingServiceIndex specified in the AuthnRequest.
You need to verify that the loaded metadata contains the attribute set addressed by the AttributeConsumingServiceIndex and that this set contains at least one attribute.
If no metadata is loaded, the Validator uses a default attribute set for Response 1.

Michele

Below is a fragment of the metadata with the requested attributes, which has also been validated by the validator itself:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://espid.exprivia.it/eSpid/responseSaml" index="0" isDefault="true"/>

<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="it">Set Attributi - ID Cittadino completo</md:ServiceName>
<md:ServiceDescription xml:lang="it">Set Attributi - ID Cittadino completo</md:ServiceDescription>
<md:RequestedAttribute Name="spidCode"/>
<md:RequestedAttribute Name="name"/>
<md:RequestedAttribute Name="familyName"/>
<md:RequestedAttribute Name="placeOfBirth"/>
<md:RequestedAttribute Name="countyOfBirth"/>
<md:RequestedAttribute Name="dateOfBirth"/>
<md:RequestedAttribute Name="gender"/>
<md:RequestedAttribute Name="fiscalNumber"/>
<md:RequestedAttribute Name="idCard"/>
<md:RequestedAttribute Name="mobilePhone"/>
<md:RequestedAttribute Name="email"/>
<md:RequestedAttribute Name="digitalAddress"/>
</md:AttributeConsumingService>

With this information none of the fields in the validator are prefilled.
I don't understand where I am going wrong

I also attach the header of the Request, which shows AssertionConsumerServiceIndex="0"

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://www.spid-validator.it/samlsso" ForceAuthn="true" ID="_812062e0-324d-4a3b-b6de-47a94b41fa0d" IssueInstant="2021-05-04T15:29:47.234Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="https://espid.exprivia.it">
https://espid.exprivia.it

In the Request there is the attribute AssertionConsumerServiceIndex="0", which specifies the endpoint to which the Response must be sent and which, from the metadata, turns out to be: https://espid.exprivia.it/eSpid/responseSaml

whereas the attribute AttributeConsumingServiceIndex="0", which identifies the set of requested attributes, is missing.

Michele D’Amico
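The two points made in the replies above, as an added example that is not part of the original posts nor of the Validator's code: the attribute set an AuthnRequest asks for is resolved from the SP metadata through AttributeConsumingServiceIndex (so a request carrying only AssertionConsumerServiceIndex selects no set), and a Response whose AttributeStatement is present must then contain at least one Attribute, each with an AttributeValue, possibly empty, which is what rejects the test #98 shape. The sample metadata, requests and responses are constructed, the names sp.example, requested_attribute_set, check_attribute_statement and make_response are mine, and xml.etree is used only for brevity: a real SP must verify the XML signatures (and should parse untrusted SAML with defusedxml) before trusting any of this content.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol, assertion and metadata documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata fragment (hypothetical entityID and endpoint), shaped
# like the one posted in the thread: ACS index 0 and AttributeConsumingService index 0.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/acs" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="it">Set Attributi</md:ServiceName>
      <md:RequestedAttribute Name="spidCode"/>
      <md:RequestedAttribute Name="name"/>
      <md:RequestedAttribute Name="familyName"/>
      <md:RequestedAttribute Name="fiscalNumber"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Two constructed AuthnRequest headers: the first carries only
# AssertionConsumerServiceIndex (the shape posted in the thread), the second
# also carries AttributeConsumingServiceIndex.
REQUEST_ACS_ONLY = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                    'ID="_q1" Version="2.0" AssertionConsumerServiceIndex="0"/>')
REQUEST_WITH_ATTRS = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                      'ID="_q2" Version="2.0" AssertionConsumerServiceIndex="0" '
                      'AttributeConsumingServiceIndex="0"/>')


def requested_attribute_set(metadata_xml, authn_request_xml):
    """Resolve the attribute set an AuthnRequest asks for, or None if it asks for none.

    AssertionConsumerServiceIndex only selects the ACS endpoint; the attribute set
    is selected by AttributeConsumingServiceIndex, looked up in the SP metadata.
    """
    request = ET.fromstring(authn_request_xml)
    index = request.get("AttributeConsumingServiceIndex")
    if index is None:
        return None
    metadata = ET.fromstring(metadata_xml)
    for service in metadata.iterfind(".//md:AttributeConsumingService", NS):
        if service.get("index") == index:
            return {a.get("Name") for a in service.iterfind("md:RequestedAttribute", NS)}
    raise ValueError(f"no AttributeConsumingService with index {index} in metadata")


def check_attribute_statement(response_xml, requested):
    """Apply the rule quoted from the SPID technical rules to a Response.

    Returns a list of error strings; an empty list means OK. `requested` is the
    result of requested_attribute_set(). Membership of each Attribute in the
    requested set is an extra strictness assumed here, not stated in the thread.
    """
    errors = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["Assertion missing"]
    statements = assertion.findall("saml:AttributeStatement", NS)
    if not statements:
        return ["attributes were requested but AttributeStatement is missing"] if requested else []
    for statement in statements:
        attributes = statement.findall("saml:Attribute", NS)
        if not attributes:
            errors.append("AttributeStatement present but contains no Attribute (test #98)")
            continue
        for attribute in attributes:
            name = attribute.get("Name")
            # AttributeValue must exist even when empty, so test the element, not its text.
            if attribute.find("saml:AttributeValue", NS) is None:
                errors.append(f"Attribute {name!r} has no AttributeValue")
            if requested is not None and name not in requested:
                errors.append(f"Attribute {name!r} is not in the requested set")
    return errors


def make_response(attributes):
    """Build a minimal, unsigned Response whose AttributeStatement carries
    `attributes` ({name: value}); {} reproduces the test #98 shape."""
    attribute_xml = "".join(
        f'<saml:Attribute Name="{name}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
            f'<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>{attribute_xml}'
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    print(requested_attribute_set(SP_METADATA, REQUEST_ACS_ONLY))  # None: no set requested
    requested = requested_attribute_set(SP_METADATA, REQUEST_WITH_ATTRS)
    print(sorted(requested))
    print(check_attribute_statement(make_response({}), requested))  # test #98: KO
    print(check_attribute_statement(make_response({"spidCode": "AGID-001", "name": ""}), requested))
```

Run as a script it prints None for the request without AttributeConsumingServiceIndex, the four requested names for the one with it, one error for the empty AttributeStatement and no errors for a statement with an empty but present AttributeValue. The rejection of attributes outside the requested set is my own stricter reading of "in relation to the requested set"; drop that branch if your SP wants to accept any SPID attribute the IdP chooses to release.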

Thank you for your availability and advice.

Everything solved

Regards.

We hopefully await certification as SP.

I would please need some advice regarding the following:

Also, is it strictly necessary to request a certificate from AGID, or is it possible to use one's own certificate issued by a C.A.?