Software Development Kit for easy SPID/CIE access integration with simplesamlphp - developed and mantained by Michele D'Amico (@damikael)
Home Page: https://italia.github.io/spid-cie-php/
License: Apache License 2.0
currently at the end of the setup:
AssertionConsumerServices hardcoded in the metadataAssertionConsumerServiceIndex to submit with the AuthnRequest is hardcodedprovide an API for the user to:
AssertionConsumerServices that go in the metadataAssertionConsumerServiceInded to submit with the AuthnRequest via a parameter in the login methodsalve,
ho il seguente problema con TIM dopo aver eseguito l'accesso:
in base alla documentazione dovrebbe essere possibile eliminare questo codice:
https://github.com/italia/spid-php/blob/master/setup/Setup.php#L159
e basarci invece su:
https://github.com/simplesamlphp/simplesamlphp/blob/master/www/admin/metadata-converter.php
questo prototipo:
$xmldata = file_get_contents($filename);
$config = SimpleSAML_Configuration::getInstance();
if (!empty($xmldata)) {
$entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($xmldata);
// get all metadata for the entities
foreach ($entities as &$entity) {
$entity = $entity->getMetadata20IdP();
// remove the entityDescriptor element because it is unused, and only makes the output harder to read
unset($entity['entityDescriptor']);
}
print_r($entities);
}per infocert dà:
Array
(
[https://identity.infocert.it] => Array
(
[entityid] => https://identity.infocert.it
[description] => Array
(
[it] => InfoCert S.p.A.
[en] => InfoCert S.p.A.
[fr] => InfoCert S.p.A.
[de] => InfoCert S.p.A.
)
[OrganizationName] => Array
(
[it] => InfoCert S.p.A.
[en] => InfoCert S.p.A.
[fr] => InfoCert S.p.A.
[de] => InfoCert S.p.A.
)
[name] => Array
(
[it] => InfoCert S.p.A.
[en] => InfoCert S.p.A.
[fr] => InfoCert S.p.A.
[de] => InfoCert S.p.A.
)
[OrganizationDisplayName] => Array
(
[it] => InfoCert S.p.A.
[en] => InfoCert S.p.A.
[fr] => InfoCert S.p.A.
[de] => InfoCert S.p.A.
)
[url] => Array
(
[it] => https://www.infocert.it
[en] => https://www.infocert.it/international/?lang=en
[fr] => https://www.infocert.it/international/?lang=fr
[de] => https://www.infocert.it/international/?lang=de
)
[OrganizationURL] => Array
(
[it] => https://www.infocert.it
[en] => https://www.infocert.it/international/?lang=en
[fr] => https://www.infocert.it/international/?lang=fr
[de] => https://www.infocert.it/international/?lang=de
)
[contacts] => Array
(
)
[metadata-set] => saml20-idp-remote
[sign.authnrequest] => 1
[SingleSignOnService] => Array
(
[0] => Array
(
[Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
[Location] => https://identity.infocert.it/spid/samlsso
)
[1] => Array
(
[Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
[Location] => https://identity.infocert.it/spid/samlsso
)
)
[SingleLogoutService] => Array
(
[0] => Array
(
[Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
[Location] => https://identity.infocert.it/spid/samlslo
[ResponseLocation] => https://identity.infocert.it/spid/samlslo/response
)
[1] => Array
(
[Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
[Location] => https://identity.infocert.it/spid/samlslo
[ResponseLocation] => https://identity.infocert.it/spid/samlslo/response
)
)
[ArtifactResolutionService] => Array
(
)
[NameIDFormats] => Array
(
[0] => urn:oasis:names:tc:SAML:2.0:nameid-format:transient
)
[keys] => Array
(
[0] => Array
(
[encryption] =>
[signing] => 1
[type] => X509Certificate
[X509Certificate] => ...
)
)
)
)Nel README non è indicato, ma dopo aver fatto il setup con Composer ho dovuto eseguire il seguente symlink:
ln -s vendor/simplesamlphp/simplesamlphp/www myservice
per poter accedere ai file di SimpleSAMLphp come richiesto dai vari path hardcoded, ovvero sotto http://localhost/myservice. La stessa cosa ovviamente si può fare configurando un alias nel web server.
È questa la modalità di pubblicazione suggerita? In ogni caso andrebbe documentata.
secondo https://getcomposer.org/doc/01-basic-usage.md#installing-without-composer-lock:
You should commit the composer.lock file to your project repo so that all people working on the project are locked to the same versions of dependencies (more below)."
Secondo quanto previsto dalle regole tecniche SPID, l'elemento Issuer della LogoutRequest deve riportare gli attributi:
after #34, provide an API for the user to choose dynamically which AttributeConsumingServiceIndex to submit with the AuthnRequest via a parameter in the login method
Il metadata del Service Provider generato da simplesamplphp è diverso da quello generato a mano con https://idp.spid.gov.it:8080/#/, le differenze sono 5:
ds:Signaturemd:EntityDescriptor:
protocolSupportEnumeration, per simplesamlphp è urn:oasis:names:tc:SAML:2.0:protocol, mentre per idp.spi.gov.it è urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocolWantAssertionsSigned valorizzato a truemd:AssertionConsumerService, idp.spid.gov.it setta l'attributo isDefaulta truemd:AssertionConsumerService con attributo Binding valorizzato come urn:oasis:names:tc:SAML:1.0:profiles:browser-postmd:AttributeConsumingService che non sapendo come impostare per ora ho settato a:<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="it">myservice</md:ServiceName>
<md:ServiceDescription xml:lang="it"/>
<md:RequestedAttribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="fiscalNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
allego i due files normalizzati con xmlllint --format ...:
metadata.zip
Nella visualizzazione del metadata attraverso il link /module.php/saml/sp/metadata.php/service non ottengo niente.
Nel file di log mi riporta il seguente errore
SimpleSAML_Error_Exception: Error 1 - Class 'DOMDocument' not found
/usr/local/spid-php/vendor/simplesamlphp/simplesamlphp/www/_include.php:58 (SimpleSAML_error_handler)
/usr/local/spid-php/vendor/simplesamlphp/simplesamlphp/www/_include.php:26 (SimpleSAML_exception_handler)
errors reported by spid-testenv2:
| Error ID | Elemento | Dettagli errore |
|---|---|---|
| 1 | samlp:AuthnRequest | AttributeConsumingServiceIndex: 0 non corrisponde a nessuno dei valori contenuti in [] |
| 2 | saml:Issuer | NameQualifier: L'attributo è obbligatorio; Format: L'attributo è obbligatorio |
| 3 | samlp:NameIDPolicy | AllowCreate: L'attributo non è richiesto |
| 4 | saml:AuthnContext | Comparison: L'attributo è obbligatorio |
screenshot:
metadata for spid-php (digest and x509 data skipped):
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.simevo.com" ID="pfxcac9ef02-c970-fb85-bc1a-6cc51506c172"><ds:Signature>
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#pfxcac9ef02-c970-fb85-bc1a-6cc51506c172"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>...</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol" AuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-logout.php/service-l1"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-acs.php/service-l1" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml1-acs.php/service-l1" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
authnrequest generated by spid-php:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_fe4589f2b156246207d3e2eabb9d228599ffae0109"
Version="2.0"
IssueInstant="2018-08-09T13:40:33Z"
Destination="https://idp.simevo.com/sso"
AssertionConsumerServiceURL="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-acs.php/service-l1"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AttributeConsumingServiceIndex="0">
<saml:Issuer>https://sp.simevo.com</saml:Issuer>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
AllowCreate="true"/>
<samlp:RequestedAuthnContext>
<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Scusa forse la domanda banale, ma mi puoi spiegare come utilizzare le sessioni php specifiche dell'applicazione.
Se provo ad utilizzarle il framework me le cancella, da come ho potuto leggere.
questo pacchetto php si installa e configura con composer, ma i pre- (le dipendenze) e post-requisiti (php cgi/fpm e server web) restano a mano
può essere utile offrire un ruolo ansible per fare tutto ciò più agevolmente, vedi anche italia/spid-testenv2#29
da fare dopo #9
rendere il pacchetto installabile aggiungendo il campo name al composer.json (vedi simevo/spid-php2@5953fb8)
e pubblicare su packagist, esiste già un account italia:
https://packagist.org/packages/italia/
Nei metadata SP manca l'attributo isDefault previsto dalle regole tecniche:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost" ID="pfx68bd64c9-8e41-77cd-e617-6cab6e249040"><ds:Signature>
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#pfx68bd64c9-8e41-77cd-e617-6cab6e249040"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>1BkGBIUqOmnthu5/oQ/xhr8rHyk1W7RsFk7GCOuF6Os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AIhk2l2DB61J+QasaYBj93x9txAP7K073M0MFcYv1q0DQTZR2+OgpzxitiFohUCdA40OnzHVCzTUtCrD5uxkJDqGR7uGtI2FDd5rrCzhzzpcH4yTQ7NAfV6cst7RVt2FD/n9oqVPpxTINZhrIztRpnCDy4Z0VgAG07ZMlVYWdDMgGjH28PocRJQfbrsK48Z8suV3N93f7ktoXU7V5qdYpkN5/eNMyqbLccu/1i/4gQ8njPsd0CB31McqLULQ7i/qo1g5Ftjsg7pLkGTjcJWK40UCoEttvC0W7rdkgM9hKz8b7WM7Uu5SCSp43QGwsnY5Z7O5v8zto576WbuzQ/62uA==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol" AuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/myservice/module.php/saml/sp/saml2-logout.php/service-l1"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/myservice/module.php/saml/sp/saml2-acs.php/service-l1" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://localhost/myservice/module.php/saml/sp/saml1-acs.php/service-l1" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Viene inoltre esposto un secondo AssertionConsumerService con binding urn:oasis:names:tc:SAML:1.0:profiles:browser-post non supportato da SPID.
Per personalizzare le schermate di errore standard di SimpleSAMLphp, la soluzione consigliata è creare un tema, come indicato nella documentazione ufficiale:
https://simplesamlphp.org/docs/stable/simplesamlphp-theming
All'interno della directory del tema, occorrerà copiare e personalizzare i file del tema di default.
In particolare il file che gestisce le schermate per le eccezioni è:
spid-php/vendor/simplesamlphp/simplesamlphp/templates/error.php
Tale file è una versione modificata da spid-php rispetto al file originale di SimpleSAMLphp per permettere la visualizzazione dei messaggi di errore relativi alle anomalie SPID derivanti dall'utente (https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/messaggi-errore.html) anche nel caso in cui nel file di configurazione venga impostato showerrors => false (impostazione consigliata in produzione. Rif. https://github.com/simplesamlphp/simplesamlphp/blob/d0921997489791e3ef35dd70d556d4786283f79b/config-templates/config.php#L234).
Altra soluzione è intercettare gli errori con una funzione personalizzata definita tramite la variabile errors.show_function nel file di configurazione (Rif. https://simplesamlphp.org/docs/stable/simplesamlphp-errorhandling#5.5)
Buongiorno @damikael ,
un utente ha effettuato il login su Aruba e la libreria SAML va in eccezione. Di seguito il messaggio di errore:
www/include.php:17 (SimpleSAML_exception_handler)
[builtin] (N/A) Caused by: SimpleSAML_Error_Exception: state not found for ID spid-php__stringalfanumerica
pathinstallazione/setup/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:607 (sspmod_saml_Message::processResponse)
modules/saml/www/sp/saml2-acs.php:129 (require)
www/module.php:135 (N/A)
Ho provato Poste Italiane con le mie credenziali e non rilevo nessun problema. Mi puoi aiutare?
Sono riuscito finalmente a generare il mio metadata, ma facendo una prova di autenticazione su idp.spid.gov.it ottengo i seguenti errori:
Elemento: /md:EntityDescriptor/script
Descrizione : Element 'script': This element is not expected. Expected is one of ( Signature, Extensions, AffiliationDescriptor, RoleDescriptor, IDPSSODescriptor, SPSSODescriptor, AuthnAuthorityDescriptor, AttributeAuthorityDescriptor, PDPDescriptor ).
Elemento: EntityDescriptor/script
Descrizione : extra keys not allowed {'attrs': {}, 'children': {}, 'text': '// Catch errors if signal is already set by user agent or other extension try { Object.defineProperty(navigator, "globalPrivacyControl", { value: false, enumerable: true }); // Remove script tag after execution document.currentScript.parentElement.removeChild(document.currentScript); } catch(e) {};'}
Il tutto ripetuto 4 volte.
Rif. Regole Tecniche SPID 1.2.2.1
L’Identity Provider ha facoltà di utilizzare per l’autenticazione un livello SPID più alto
rispetto a quelli risultanti dall’indicazione del richiedente mediante l’attributo Comparison.
Tale scelta non deve comportare un esito negativo della richiesta.
Per l'ambiente di produzione si consigliano le seguenti configurazioni
in spid-php/vendor/simplesamlphp/simplesamlphp/config/config.php :
'debug' => false,
'showerrors' => false,
'admin.protectindexpage' => true,
su debian buster con composer 1.6.5:
In Setup.php line 73:
symlink(): No such file or directory
in effetti sta cercando di creare un link da /home/paolog/Sviluppo/teamdigitale/spid-php/vendor/simplesamlphp/simplesamlphp/www a: -e /home/paolog/public_html/myservice
c'è qualcosa di sbagliato qui:
https://github.com/damikael/spid-php/blob/master/setup/Setup.php#L18
Ciao a tutti,
ho eseguito l'installazione di spid-php con successo e configurato il metadata su https://idp.spid.gov.it:8080 (ambiente di test), ma quando provo ad autenticarmi con le credenziali di accesso di un utente di test, SimpleSAML mi restituisce una pagina di errore:
Qualcuno sa darmi qualche informazione? Potrei aver sbagliato qualcosa nella configurazione?
Buonasera a tutti, sto realizzando una piattaforma dove le aziende si candidano a sviluppare progetti sul territorio e lo SPID per persone fisiche è già attivo, ma per coerenza e motivi di sviluppo della piattaforma sarebbe meglio utilizzare lo SPID per persone giuridiche. Ho girato un pò su internet e ho visto che, per esempio, Aruba offre un servizio business, però mi chiedo se l'attuale sdk PHP di SPID funziona anche con le identità delle persone giuridiche. @damikael cosa puoi dirmi a riguardo? Scusa il leggero off-topic, ero indeciso se scrivere qui o nel forum di Agid, però penso che le informazioni che potresti darmi possono essere utili anche ad altri sviluppatori.
il repo originale si chiamava https://github.com/damikael/spid-php-sdk, questo solo spid-php
per consistenza si dovrebbe cambiare ovunque spid-php-sdk -> spid-php
~/spid-php$ grep -l -r spid-php-sdk | grep -v '\.git'
README.md
setup/sdk/login.tpl
setup/sdk/user.tpl
setup/Setup.php
e:
~/spid-php$ find . | grep spid-php-sdk
./setup/sdk/spid-php-sdk.tpl
location.href a: https://spid.simevo.com/myservice/module.php/core/as_login.php?AuthId=service-l1&ReturnTo=https%3A%2F%2Fspid.simevo.comhttps://spid.simevo.com/myservice/module.php/saml/disco.php?entityID=https%3A%2F%2Fspid.simevo.com&return=https%3A%2F%2Fspid.simevo.com%2Fmyservice%2Fmodule.php%2Fsaml%2Fsp%2Fdiscoresp.php%3FAuthID%3D_c9f63d95f0aa8e19e2485c697629c8ea265725233f%253Ahttps%253A%252F%252Fspid.simevo.com%252Fmyservice%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dservice-l1%2526ReturnTo%253Dhttps%25253A%25252F%25252Fspid.simevo.com&returnIDParam=idpentityid/var/log/nginx/error.log sul serverche fare ?
a scopo di test ho un idp testenv2
come faccio a configurare spid-php in modo che:
questo andrebbe documentato nel README, es. per far sì che funzioni con i valori di difetto:
mkdir -p "$HOME/public_html"
required for item 1 of #31
composer scarica le dipendenze in vendor; questa cartella dovrebbe essere gestita da composer, che può decidere di aggiornare i files a suo piacimento in seguito
invece:
git clone https://github.com/simevo/spid-php
git checkout develop
# eliminare tutta la parte script in composer.json
composer install
# back-up di vendor in vendor_orig:
tar cf vendor.tar && mv vendor.tar vendor_orig && tar xf vendor.tar && vendor.tar
# ripristino composer.json:
git checkout composer.json
cp config.yaml.example config.yaml
# aggiustare config.yaml se necessario ...
composer run-script post-update-cmd
diff -r vendor_orig vendor
Solo in vendor/simplesamlphp/simplesamlphp: cert
Solo in vendor/simplesamlphp/simplesamlphp/config: authsources.php
Solo in vendor/simplesamlphp/simplesamlphp/config: config.php
Solo in vendor/simplesamlphp/simplesamlphp: log
Solo in vendor/simplesamlphp/simplesamlphp/metadata: saml20-idp-remote.php
diff -r vendor_orig/simplesamlphp/simplesamlphp/templates/selectidp-links.php vendor/simplesamlphp/simplesamlphp/templates/selectidp-links.php
2a3,4
> // customized 20180221
>
8c10
< $this->includeAtTemplateBase('includes/header.php');
---
>
13c15,18
< $this->includeInlineTranslation('idpname_'.$idpentry['entityid'], $idpentry['OrganizationDisplayName']);
---
> $this->includeInlineTranslation(
> 'idpname_'.$idpentry['entityid'],
> $idpentry['OrganizationDisplayName']
> );
20,49d24
< <h2><?php echo $this->data['header']; ?></h2>
< <form method="get" action="<?php echo $this->data['urlpattern']; ?>">
< <input type="hidden" name="entityID" value="<?php echo htmlspecialchars($this->data['entityID']); ?>"/>
< <input type="hidden" name="return" value="<?php echo htmlspecialchars($this->data['return']); ?>"/>
< <input type="hidden" name="returnIDParam"
< value="<?php echo htmlspecialchars($this->data['returnIDParam']); ?>"/>
< <p><?php
< echo $this->t('selectidp_full');
< if ($this->data['rememberenabled']) {
< echo '<br /><input type="checkbox" name="remember" value="1" title="'.$this->t('remember').'" />'.
< $this->t('remember');
< }
< ?></p>
< <?php
< if (!empty($this->data['preferredidp']) &&
< array_key_exists($this->data['preferredidp'], $this->data['idplist'])
< ) {
< $idpentry = $this->data['idplist'][$this->data['preferredidp']];
< echo '<div class="preferredidp">';
< echo ' <img src="/'.$this->data['baseurlpath'].
< 'resources/icons/experience/gtk-about.64x64.png" class="float-r" alt="'.
< $this->t('icon_prefered_idp').'" />';
<
< if (array_key_exists('icon', $idpentry) && $idpentry['icon'] !== null) {
< $iconUrl = \SimpleSAML\Utils\HTTP::resolveURL($idpentry['icon']);
< echo '<img class="float-l" style="margin: 1em; padding: 3px; border: 1px solid #999" src="'.
< htmlspecialchars($iconUrl).'" />';
< }
< echo "\n".' <h3 style="margin-top: 8px">'.
< htmlspecialchars($this->t('idpname_'.$idpentry['entityid'])).'</h3>';
51,74c26,56
< if (!empty($idpentry['description'])) {
< echo ' <p>'.htmlspecialchars($this->t('idpdesc_'.$idpentry['entityid'])).'<br />';
< }
< echo('<button id="preferredidp" type="submit" class="btn" name="idp_'.
< htmlspecialchars($idpentry['entityid']).'">'.
< $this->t('select').'</button></p>');
< echo '</div>';
< }
<
< foreach ($this->data['idplist'] as $idpentry) {
< if ($idpentry['entityid'] != $this->data['preferredidp']) {
< if (array_key_exists('icon', $idpentry) && $idpentry['icon'] !== null) {
< $iconUrl = \SimpleSAML\Utils\HTTP::resolveURL($idpentry['icon']);
< echo '<img class="float-l" style="clear: both; margin: 1em; padding: 3px; border: 1px solid #999"'.
< ' src="'.htmlspecialchars($iconUrl).'" />';
< }
< echo "\n".' <h3 style="margin-top: 8px">'.htmlspecialchars($this->t('idpname_'.$idpentry['entityid']));
< echo '</h3>';
<
< if (!empty($idpentry['description'])) {
< echo ' <p>'.htmlspecialchars($this->t('idpdesc_'.$idpentry['entityid'])).'<br />';
< }
< echo '<button type="submit" class="btn" name="idp_'.htmlspecialchars($idpentry['entityid']).'">'.
< $this->t('select').'</button></p>';
---
> <!DOCTYPE html>
> <html lang="it">
> <head>
> <title lang="en">SPID Smart Button</title>
> <meta charset="utf-8" />
> <meta name="viewport" content="width=device-width, initial-scale=1">
> <link rel="stylesheet" href="/myservice/css/agid-spid-enter.css">
> <link rel="icon" type="image/ico" href="/myservice/img/favicon.ico">
> </head>
> <body>
>
> <noscript>You need to enable JavaScript to run this app.</noscript>
> <div id="infomodal" class="modal"></div>
> <div id="agid-spid-enter"></div>
> <script type="text/javascript">
> <?php
> echo 'var config = {';
> foreach ($this->data['idplist'] as $idpentry) {
>
> $name = htmlspecialchars($this->t('idpname_'.$idpentry['entityid']));
> $url = $this->data['urlpattern'] .
> '?entityID=' . urlencode(htmlspecialchars($this->data['entityID'])) .
> '&return=' . urlencode(htmlspecialchars($this->data['return'])) .
> '&returnIDParam=' . urlencode(htmlspecialchars($this->data['returnIDParam'])) .
> '&idp_' . $idpentry['entityid'] . '=' . 'idp_' . $idpentry['entityid'];
> $title = htmlspecialchars($this->t('idpdesc_'.$idpentry['entityid']));
> //$iconUrl = \SimpleSAML\Utils\HTTP::resolveURL($idpentry['icon']);
> $iconUrl = $idpentry['icon'];
> $logo = htmlspecialchars($iconUrl);
>
> echo '"'.$name.'": {"url": "'.$url.'","title": "'.$title.'","logo": "'.$logo.'"},';
76,79c58,68
< }
< ?>
< </form>
< <?php $this->includeAtTemplateBase('includes/footer.php');
---
> echo '};'
> ?>
> </script>
> <script type="text/javascript" src="/myservice/js/agid-spid-enter.js" ></script>
> <script type="text/javascript">
> agid_spid_enter();
> showPanel("agid-spid-panel-select");
> </script>
>
> </body>
> </html>
\ Manca newline alla fine del file
Solo in vendor/simplesamlphp/simplesamlphp/www: css
Solo in vendor/simplesamlphp/simplesamlphp/www: img
Solo in vendor/simplesamlphp/simplesamlphp/www: js
questo modo di procedere confligge con quello che gli utenti si aspettano da un pacchetto composer
ci sono due problemi diversi:
vendor/simplesamlphp/simplesamlphp/crert, config, metadata e www, probabilmente si può configurare facilmente in modo da metterli altrovevendor/simplesamlphp/simplesamlphp/templates/selectidp-links.php di fatto sono una patch a simplesamlphp, applicata direttamente in vendorse simplesamlphp evolve, questa nostra patch potrebbe diventare incompatibile (questo è per l'appunto il problema che abbiamo avuto in #6)
un approccio più corretto sarebbe un fork di simplesamlphp, che potrebbe essere https://github.com/italia/spid-sp-simplesamlphp, che però è fermo a v1.14.11 (Dec 2016) menre adesso upstream è a 1.16.0 (Jun 2018)
se dall'interfaccia di gestione si simplesamlphp: https://spid.example.com/myservice/module.php/core/frontpage_config.php si clicca su "Login as administrator" si ottiene:
Il messaggio di errore è:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /srv/spid-php/vendor/simplesamlphp/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Cannot find "admin" auth source, and admin privileges are required.
Backtrace:
2 /srv/spid-php/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Utils/Auth.php:69 (SimpleSAML\Utils\Auth::requireAdmin)
1 /srv/spid-php/vendor/simplesamlphp/simplesamlphp/modules/core/www/login-admin.php:10 (require)
0 /srv/spid-php/vendor/simplesamlphp/simplesamlphp/www/module.php:137 (N/A)
si tratta dello stesso problema menzionato qui: https://groups.google.com/d/topic/simplesamlphp/6hzYIElDUhg/discussion
currently the AuthnContextClassRef (SPID level) can be customized passing a parameter to the class constructor
separate SP metadata are made available for the 3 SPID levels at the /myservice/module.php/saml/sp/metadata.php/service-l1 / service-l2 / service-l3 endpoints;
for a single real SP, offering 2 different SPID levels would then count as two separate SPs; this is undesirable for private SPs, as they would have to "pay twice" for each identity
SPID level switching could be made more flexible by making the package generate a single SP with one metadata for all SPID levels, and allowing to choose dynamically which SPID level to request passing a parameter to the login method
According to Avviso SPID n°3 the value of NameID elemento must be Identity Provider's entityID
Sarebbe utile avere una modalità di installazione non interattiva per il pacchetto spid-php.
L'unattended installation sarebbe opzionale ed alternativa a rispondere alle 7-8 domande poste dal setup script.
Idealmente qualunque cosa di canonico nel mondo php / composer, a me viene in mente un file config.yaml che se lo trova nella root vi legge le opzioni e non pone nessuna domanda interattiva (assumendo i default per le opzioni mancanti).
Ciò sarebbe utile se questo pacchetto dovesse essere richiamato dal composer install di un progetto di livello superiore che lo integra con altri (ad esempio il futuro spid-drupal).
there is an error in #8, the generated ./vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php file has this line for the local test IdP:
$metadata[''] = array (
as a result, the link for the test idp is: https://sp.simevo.com/myservice/module.php/saml/disco.php?entityID=https%3A%2F%2Fsp.simevo.com&return=https%3A%2F%2Fsp.simevo.com%2Fmyservice...%2526ReturnTo%253Dhttps%25253A%25252F%25252Fsp.simevo.com%25252F&returnIDParam=idpentityid&idp_=idp_
so clicking on the link results in the idp list page to reload:
this related to #21, but has a simple fix:
$metadata['https://sp.simevo.com'] = array (
prototipo:
<?php
// downloads the metadata for all current idps from the registry
// and stores them all in the idp_metadata directory
$idp_list_url = 'https://registry.spid.gov.it/assets/data/idp.json';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $idp_list_url);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
echo "Contacting $idp_list_url" . PHP_EOL;
$json = curl_exec($ch);
curl_close($ch);
$idps = json_decode($json);
foreach ($idps->data as $idp) {
$metadata_url = $idp->metadata_url;
$ipa_entity_code = $idp->ipa_entity_code;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $metadata_url);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
echo "Contacting $metadata_url" . PHP_EOL;
$xml = curl_exec($ch);
curl_close($ch);
$file = "idp_metadata/$ipa_entity_code.xml";
file_put_contents($file, $xml);
}Chiamando /myservice/module.php/saml/sp/metadata.php/service-l1 ottengo i metadati seguiti da alcuni warning PHP:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost" ID="pfx68bd64c9-8e41-77cd-e617-6cab6e249040"><ds:Signature>
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#pfx68bd64c9-8e41-77cd-e617-6cab6e249040"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>1BkGBIUqOmnthu5/oQ/xhr8rHyk1W7RsFk7GCOuF6Os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AIhk2l2DB61J+QasaYBj93x9txAP7K073M0MFcYv1q0DQTZR2+OgpzxitiFohUCdA40OnzHVCzTUtCrD5uxkJDqGR7uGtI2FDd5rrCzhzzpcH4yTQ7NAfV6cst7RVt2FD/n9oqVPpxTINZhrIztRpnCDy4Z0VgAG07ZMlVYWdDMgGjH28PocRJQfbrsK48Z8suV3N93f7ktoXU7V5qdYpkN5/eNMyqbLccu/1i/4gQ8njPsd0CB31McqLULQ7i/qo1g5Ftjsg7pLkGTjcJWK40UCoEttvC0W7rdkgM9hKz8b7WM7Uu5SCSp43QGwsnY5Z7O5v8zto576WbuzQ/62uA==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol" AuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICljCCAX4CCQCVRcWoMpIwkjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJJVDAeFw0xODA4MjEwNTIxMjRaFw0yODA4MjAwNTIxMjRaMA0xCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzT7QTEchpq1tFbfrIM8zZsTwL/hlg8OoSmW2OgX7aRcuEUTVlJmjSBHRRlH/29TvhZ2GG05oI67jOcH+8vZfs2/3u79JgsQfTdGZdI2nlF22TVBZCICAdjiPfqzzGZyyapWyoMzC6fNA0zCuhOpAMoL3GZVy8sHqszuvbXj2qwW1dwTaLKU0T/nkkxC5RkIxODK5IWyIMw7fVGF012SCWQDMSEQ3cm6gK0LEboIPriYtsvx60C/OzvudOF4bbZFPsURbg62wUc8RiE77F68TAnV5X1J2pa6EfWwtkD6qkH+rMw1DkM3F6WcAcYWKt9F8YB3Qz4EFdhAsvoj1oATjswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmvs/5qa0sPgkr3IraXIXYwAkcAGZQYtiGHf8ouVpDoe96qMw5eGbtyFiQk7+/dQjpi2faWhABKi8Zn4FeecG4+mbBML3z7eLNBgLJfkc2giUj9bRXBGOA/1+8KEBf3A8f8lrSWXLDEusjR0PNm9I4MLYYASDTLQzF/07sPQ/GQaUcbx/c+ttUq+HzY2tTRPq03cUZZL9AB45zJa4Q6ONoovUZSXmsO7itTH7adhNdx/aerKhV4VqkRCLzgmXmAXds0LXAvSzhS0TRmEgenfJx2J/1FadrpUKLVP3vlBbFhXMnX4fQIK+Pb8pJgTS6mR+vcBijReYEOvH0vIcs2uOI</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/myservice/module.php/saml/sp/saml2-logout.php/service-l1"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/myservice/module.php/saml/sp/saml2-acs.php/service-l1" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://localhost/myservice/module.php/saml/sp/saml1-acs.php/service-l1" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
<br />
<b>Warning</b>: session_set_cookie_params(): Cannot change session cookie parameters when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>90</b><br />
<br />
<b>Warning</b>: session_id(): Cannot change session id when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>195</b><br />
<br />
<b>Warning</b>: session_cache_limiter(): Cannot change cache limiter when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>119</b><br />
<br />
<b>Warning</b>: session_cache_limiter(): Cannot change cache limiter when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>121</b><br />
<br />
<b>Warning</b>: ini_set(): Headers already sent. You cannot change the session module's ini settings at this time in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>247</b><br />
<br />
<b>Warning</b>: session_id(): Cannot change session id when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>195</b><br />
<br />
<b>Warning</b>: session_cache_limiter(): Cannot change cache limiter when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>119</b><br />
<br />
<b>Warning</b>: session_cache_limiter(): Cannot change cache limiter when headers already sent in <b>/var/www/html/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php</b> on line <b>121</b><br />cliccando sullo spid button, mostra correttamente la lista degli IDP, però cambia anche la url, ad esempio:
https://spid.simevo.com/myservice/module.php/saml/disco.php?entityID=https%3A%2F%2Fspid.simevo.com&return=https%3A%2F%2Fspid.simevo.com%2Fmyservice%2Fmodule.php%2Fsaml%2Fsp%2Fdiscoresp.php%3FAuthID%3D_b77a9bf05c24acbcbe6f356be28133423b991dadfa%253Ahttps%253A%252F%252Fspid.simevo.com%252Fmyservice%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dservice-l1%2526ReturnTo%253Dhttps%25253A%25252F%25252Fspid.simevo.com%25252F&returnIDParam=idpentityid
ciò non è compliant, quello che vogliamo è che resti sulla stessa pagina
Esplicitare le descrizioni per i codici errore utente, come da tabella anomalie SPID
Rif. https://www.agid.gov.it/sites/default/files/repository_files/tabella-messaggi-spid-v1.3_0.pdf
esporre un endpoint che ritorna il metadata.xml del SP, in modo da non doverlo generare con https://idp.spid.gov.it:8080
assessment della compliance alle regole SPID usando la compliance checklist in https://github.com/italia/spid-docs/tree/master/resources-checklist, e inserire qui nel README
In generated metadata AttributeConsumingService with index = 0 has IsDefault attribute.
Only AssertionConsumerService with index = 0 can (and must) have IsDefault attribute.
l'obiettivo di questo pacchetto composer dovrebbe essere fornire una classe SPID astratta, che maschera SimpleSAMLphp
in questo modo tutti gli applicativi e le librerie basate su spid-php non avranno una dipendenza esplicita dalle API di SimpleSAMLphp
inizialmente spid-php usa SimpleSAMLphp ma è installabile e autoconfigurante con composer install: chi lo usa non dovrebbe mettere le mani in SimpleSAMLphp né usare la sua API
un domani spid-php potrebbe essere re-implementata in modo nativo eliminando la dipendenza da SimpleSAMLphp; se manteniamo costante l’interfaccia, non impatteremo gli utilizzatori
Ciao @damikael , ho implementato la fase di login e sto facendo dei test sul logout, ma SAML va in eccezione richiamando il metodo logout().
Con il metodo getLogoutUrl() riesco a generare il link per effettuare il logout, ma al click si presenta il problema. Ho effettuato il test con Poste ID e Sielte ID e il risultato è identico.
Come posso risolvere?
composer require "squizlabs/php_codesniffer=*"
dopo aver messo a posto l'indentazione per liberarsi dei banali Line indented incorrectly; expected 0 spaces, found 4 per PSR-1 ottengo:
./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=PSR1 spid-php.php
...
---------------------------------------------------------------------------------------------
FOUND 2 ERRORS AND 1 WARNING AFFECTING 2 LINES
---------------------------------------------------------------------------------------------
1 | WARNING | A file should declare new symbols (classes, functions, constants, etc.) and
| | cause no other side effects, or it should execute logic with side effects,
| | but should not do both. The first symbol is defined on line 5 and the first
| | side effect is on line 3.
5 | ERROR | Each class must be in a namespace of at least one level (a top-level vendor
| | name)
5 | ERROR | Class name "SPID_PHP" is not in camel caps format
---------------------------------------------------------------------------------------------
e con PSR2:
./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=PSR2 spid-php.php
---------------------------------------------------------------------------------------------
FOUND 13 ERRORS AND 2 WARNINGS AFFECTING 12 LINES
---------------------------------------------------------------------------------------------
1 | WARNING | [ ] A file should declare new symbols (classes, functions, constants, etc.)
| | and cause no other side effects, or it should execute logic with side
| | effects, but should not do both. The first symbol is defined on line 5
| | and the first side effect is on line 3.
5 | ERROR | [ ] Each class must be in a namespace of at least one level (a top-level
| | vendor name)
5 | ERROR | [ ] Class name "SPID_PHP" is not in camel caps format
5 | ERROR | [x] Opening brace of a class must be on the line after the definition
8 | ERROR | [ ] Visibility must be declared on method "__construct"
8 | ERROR | [x] Opening brace should be on a new line
12 | ERROR | [x] Opening brace should be on a new line
16 | ERROR | [x] Opening brace should be on a new line
20 | ERROR | [x] Opening brace should be on a new line
24 | ERROR | [x] Opening brace should be on a new line
28 | ERROR | [x] Opening brace should be on a new line
33 | ERROR | [x] Opening brace should be on a new line
37 | ERROR | [x] Opening brace should be on a new line
43 | WARNING | [ ] Line exceeds 120 characters; contains 128 characters
54 | ERROR | [x] A closing tag is not permitted at the end of a PHP file
---------------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 10 MARKED SNIFF VIOLATIONS AUTOMATICALLY
---------------------------------------------------------------------------------------------
d'altronde simplesamlphp stesso non è PSR-x compliant ... anche se ci provano
noi che facciamo ?
regole tecniche 1.2.2.4 (page 18):
I metadata Identity Provider ... saranno firmate dell’Agenzia per l’Italia Digitale.
the SP should check this signature; provide exceptions for test IdPs
https://github.com/italia/spid-php/blob/master/composer.json#L9
punta a damikael/spid-smart-button che è "1 commit ahead, 242 commits behind italia:master"
WIP su debian buster:
apt install nginx php7.1-fpm
sudo chown paolog:www-data vendor/simplesamlphp/simplesamlphp/log
sudo chmod g+w vendor/simplesamlphp/simplesamlphp/log
esempio config nginx da mettere in /etc/nginx/sites-enabled:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /home/paolog/public_html;
index login.php;
server_name test;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
}
}
esempio di url:
https://spid.simevo.com/myservice/module.php/saml/disco.php?entityID=https%3A%2F%2Fspid.simevo.com&return=https%3A%2F%2Fspid.simevo.com%2Fmyservice%2Fmodule.php%2Fsaml%2Fsp%2Fdiscoresp.php%3FAuthID%3D_b77a9bf05c24acbcbe6f356be28133423b991dadfa%253Ahttps%253A%252F%252Fspid.simevo.com%252Fmyservice%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dservice-l1%2526ReturnTo%253Dhttps%25253A%25252F%25252Fspid.simevo.com%25252F&returnIDParam=idpentityid&idp_https://login.id.tim.it/affwebservices/public/saml2sso=idp_https://login.id.tim.it/affwebservices/public/saml2sso
si noti l'ultimo parametro:
idp_https://login.id.tim.it/affwebservices/public/saml2ssoidp_https://login.id.tim.it/affwebservices/public/saml2ssoBuongiorno,
dopo aver configurato correttamente il servizio ed essere riuscito ad eseguire un login utilizzando la macchina docker predisposta per i test IdP, ho tentato un login tramite servizio esterno (es. poste italiane) ma, indipendentemente dall'IdP selezionato, ottengo sempre il seguente messaggio di errore:
Formato richiesta non corretto - Contattare il gestore del servizio
Mi sarei aspettato un messaggio che avesse a che fare con problematiche inerenti la non validità del service provider che, giustamente, in questo momento non è registrato/validato da AGID. E' normale ricevere questo errore?
creare uno script di continuous integration che in un container vergine, usando ansible:
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.