italia / spid-idp-proxy-shibboleth

Shibboleth IdP with the option of delegating authentication to a SPID IdP.

License: Creative Commons Zero v1.0 Universal

spid idp sp shibboleth proxy shibboleth-idp idp-spid saml2

spid-idp-proxy-shibboleth's Introduction

SPID Shibboleth Proxy

Shibboleth IdP with the option of delegating authentication to a SPID/CIE/eIDAS IdP.

Figure: IdP Proxy diagram

⚠️ Warning! This project is intended as a basic example and may require configuration changes according to the specific needs of each organisation. Open new issues and join us on the Slack channel to contribute.

The basic scenario is an organisation that has its own Identity Provider and wants to offer authentication through SPID, CIE or eIDAS on it.

The demo setup contains the following elements:

spid-idp-proxy-shibboleth's People

Contributors

muxator, robertogallea


spid-idp-proxy-shibboleth's Issues

Docker Image

It would be awesome to have a Dockerfile for fast deployment of this solution as a container!

SPID Quality Assessment

Using spid-saml-check against the Shibboleth configuration built by following the guide in italia/spid-idp-proxy-shibboleth, the following checks are not satisfied:
43. Assertion - Elemento NameID non specificato | FAIL
44. Assertion - Elemento NameID mancante | FAIL
45. Assertion - Attributo Format di NameID non specificato | FAIL
46. Assertion - Attributo Format di NameID mancante | FAIL
47. Assertion - Attributo Format di NameID diverso | FAIL
48. Assertion - Attributo NameQualifier di NameID non specificato | FAIL
49. Assertion - Attributo NameQualifier di NameID mancante | FAIL
70. Assertion - Attributo Format di Issuer non specificato | FAIL
71. Assertion - Attributo Format di Issuer mancante | FAIL
73. Assertion - Elemento Conditions non specificato | FAIL
74. Assertion - Elemento Conditions mancante | FAIL
75. Assertion - Attributo NotBefore di Condition non specificato | FAIL
76. Assertion - Attributo NotBefore di Condition mancante | FAIL
79. Assertion - Attributo NotOnOrAfter di Condition non specificato | FAIL
80. Assertion - Attributo NotOnOrAfter di Condition mancante | FAIL
84. Assertion - Elemento AudienceRestriction di Condition mancante | FAIL

We are using the latest versions of Shibboleth SP and IdP; can anyone provide guidance on this?
Thanks

AuthnRequest

Hello,
I followed the configuration documentation and managed to complete the whole flow up to the invocation of the demo IdP.
The problem is in the AuthnRequest message, which reports the following errors:

{
test_id: '',
result: 'failure',
test: 'The Destination attribute SHOULD be the address to which the request has been sent but can also be the EntityID of IdP (Av. SPID n.11)',
value: 'https://localhost:8443/demo/samlsso',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The Format attribute MUST be present',
value: '{}',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The Format attribute MUST have a value',
value: 'None',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
value: 'None',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The NameQualifier attribute MUST be present',
value: '{}',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The NameQualifier attribute MUST have a value',
value: 'None',
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The ForceAuthn attribute MUST be present if SPID level > 1',
value: "['https://www.spid.gov.it/SpidL2']",
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The AttributeConsumingServiceIndex attribute MUST be present',
value: "{'AssertionConsumerServiceURL': 'https://spid.xxx.it/Shibboleth.sso/SAML2/POST', 'Destination': 'https://localhost:8443/demo/samlsso', 'ID': '_be906f743edc7a55943f27f90f87f5f7', 'IssueInstant': '2021-11-06T15:07:26Z', 'ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Version': '2.0'}",
references: [],
method: ''
}
{
test_id: '',
result: 'failure',
test: 'The AllowCreate attribute MUST not be present',
value: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
references: [],
method: ''
}

I configured Shibboleth SP as described in the documentation at https://github.com/italia/spid-sp-shibboleth; could this different behaviour depend on the version in use?

shibboleth-embedded-ds-1.2.2-3.1.noarch
shibboleth-3.2.3-3.1.x86_64

Thanks for the help
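As an added example (not code from the project or from the poster), here is a small Python checker that applies the AuthnRequest rules spid-saml-check reports as failing in this issue: Issuer Format and NameQualifier, AttributeConsumingServiceIndex present, AllowCreate absent, and ForceAuthn set for levels above SpidL1. The sample request, the example.invalid hostnames and the rule wording are constructed here; only the checks listed in the issue are covered.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
SPID_L1 = "https://www.spid.gov.it/SpidL1"

def check_authn_request(xml_text):
    """Return the SPID rule violations found in an AuthnRequest (empty list = all passed)."""
    root = ET.fromstring(xml_text)
    failures = []
    # Issuer: Format MUST be the entity format and NameQualifier MUST be present
    issuer = root.find("saml:Issuer", NS)
    if issuer is None:
        failures.append("Issuer element missing")
    else:
        if issuer.get("Format") != ENTITY_FORMAT:
            failures.append("Issuer Format must be " + ENTITY_FORMAT)
        if not issuer.get("NameQualifier"):
            failures.append("Issuer NameQualifier must be present with a value")
    # AttributeConsumingServiceIndex MUST be present on the request element
    if root.get("AttributeConsumingServiceIndex") is None:
        failures.append("AttributeConsumingServiceIndex attribute missing")
    # NameIDPolicy: AllowCreate MUST NOT be present
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is not None and policy.get("AllowCreate") is not None:
        failures.append("NameIDPolicy AllowCreate must not be present")
    # ForceAuthn MUST be set when any requested SPID level is above SpidL1
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    levels = [] if ctx is None else [
        (c.text or "").strip() for c in ctx.findall("saml:AuthnContextClassRef", NS)]
    if any(lvl != SPID_L1 for lvl in levels) and root.get("ForceAuthn") not in ("true", "1"):
        failures.append("ForceAuthn must be true when SPID level > 1")
    return failures

# Constructed sample reproducing the failing shape reported in the issue (not project output)
BAD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
    IssueInstant="2021-11-06T15:07:26Z"
    AssertionConsumerServiceURL="https://sp.example.invalid/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.invalid/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(check_authn_request(BAD_REQUEST))
```

Running it on the constructed request lists the same five AuthnRequest rules that fail in the report above; a request with the Issuer attributes, ForceAuthn and AttributeConsumingServiceIndex added and AllowCreate removed returns an empty list.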

XML parsing error starting shibboleth idp

Editing the XML file $IDP_HOME/conf/authn/mfa-authn-config.xml so that it starts with a comment before the XML header, starting the Shibboleth IdP generates an exception:

2022-10-27 13:43:30,261 - ERROR [org.springframework.webflow.execution.FlowExecutionException:91] -
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'CallAuthenticationFlow' of flow 'authn'

Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 3 in XML document from net.shibboleth.ext.spring.resource.ConditionalResource@3c24836 is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 6; The processing instruction target matching "[xX][mM][lL]" is not allowed.
net.shibboleth.ext.spring.resource.ConditionalResource@3c24836 is invalid; nested exception is org.xml.sax.SAXParseException;

The versions in use are these:
Shibboleth IdP: 4.2.1
Jetty 10
Apache 2.4
