spidsaml2_backend.yaml

module: backends.spidsaml2.SpidSAMLBackend

name: spidSaml2
config:
  # idp_blacklist_file: /path/to/blacklist.json

  # error templates
  static_storage_url: "https://spidauth.DOMINIO_ENTE.it/static"
  error_template: "spid_login_error.html"
  template_folder: "templates" # project root

  # make metadata downloadable from entityid url
  entityid_endpoint: true

  spid_allowed_acrs:
    - https://www.spid.gov.it/SpidL1
    - https://www.spid.gov.it/SpidL2
    - https://www.spid.gov.it/SpidL3

  spid_acr_comparison: "minimum"

  acr_mapping:
    "": 'https://www.spid.gov.it/SpidL2'
    # specify AuthnContext per IdP
    # "https://identity.sieltecloud.it": 'https://www.spid.gov.it/SpidL1'
    # "https://idp.namirialtsp.com/idp": 'https://www.spid.gov.it/SpidL1'
    # "https://identity.infocert.it": 'https://www.spid.gov.it/SpidL1'

  sp_config:
    key_file: ./pki_spid/key.pem
    cert_file: ./pki_spid/crt.pem
    encryption_keypairs:
    - {'key_file': ./pki_spid/key.pem, 'cert_file': ./pki_spid/crt.pem}

    attribute_map_dir: 'attributes-map'

    organization: { display_name: [['Ente Authentication Proxy', 'it']], name: [['Ente Authentication Proxy', 'it']],  url: [['https://spidauth.DOMINIO_ENTE.it', 'it']]}

    contact_person:
        - {'contact_type': 'other', 'telephone_number': '+390883000000', 'email_address': 'sistemi.informativi@DOMINIO_ENTE.it', 'VATNumber': 'IT06000000000', 'IPACode': 'asl_bat', 'Public': ''}

    metadata:
      local: [./metadata/idp/]
      # using pyFF or other MDX server
      # mdq:
      #  - url: "http://mdq.auth.unical.it/static/sha1"
          # cert: mdq.pem
    ficep_enable: True
    ficep_entity_id: https://sp-proxy.eid.gov.it/spproxy/idpit
    ficep_default_acs_index: 99

    entityid: '<base_url>/<name>/metadata'
    accepted_time_diff: 10

    service:
      sp:
        ui_info:
          display_name:
            - lang: en
              text: "SPID Authentication Proxy"
          description:
            - lang: en
              text: "SPID Authentication Proxy"
          # information_url:
            # - lang: en
              # text: "http://sp.information.url/"
          #privacy_statement_url:
            #- lang: en
              #text: "https://www.example.org/privacy/"
          keywords:
            - lang: it
              text: ["SPID Authentication Proxy", "SPID Service Provider IT"]
            - lang: en
              text: ["SPID Authentication Proxy", "SPID Service Provider EN"]
          logo:
            text: "https://www.spid.gov.it/assets/img/spid-ico-circle-bb.svg"
            width: "100"
            height: "100"

        # sign dig and enc
        authn_requests_signed: true
        want_response_signed: true
        want_assertions_signed: true

        signing_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256"

        # security
        only_use_keys_in_metadata: true

        # it depends by acr level, see spidsaml2.authn_request
        # force_authn: false

        name_id_format_allow_create: false
        name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
        requested_attribute_name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
        allow_unknown_attributes: true

        # in production different workers do not share the same storage!
        allow_unsolicited: true

        # this instantiate the attribute_consuming_service
        required_attributes: ['spidCode',
                              'name',
                              'familyName',
                              'fiscalNumber',
                              'email']

        #optional_attributes: ['gender',
        #                      'companyName',
        #                      'registeredOffice',
        #                      'ivaCode',
        #                      'idCard',
        #                      'digitalAddress',
        #                      'placeOfBirth',
        #                      'countyOfBirth',
        #                      'dateOfBirth',
        #                      'address',
        #                      'mobilePhone',
        #                      'expirationDate']

        endpoints:
          assertion_consumer_service:
          - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
          - [<base_url>/<name>/acs/99/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
          - [<base_url>/<name>/acs/100/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
          single_logout_service:
          - [<base_url>/<name>/ls/post/, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
          discovery_response:
          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']

  # disco_srv must be defined if there is more than one IdP in the metadata specified above
  disco_srv: "https://spidauth.DOMINIO_ENTE.it/static/disco.html"