Merge pull request #28 from italia/dev

djangosaml2 example sp and a complete gh action CI

.github/release-drafter.yml

@@ -0,0 +1,54 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+-
+  title: 'Features'
+  labels:
+  - 'enhancement'
+  - 'feat'
+  - 'feature'
+-
+  title: 'Bug Fixes'
+  labels:
+  - 'bug'
+  - 'bugfix'
+  - 'fix'
+-
+  title: 'Maintenance'
+  labels:
+  - 'chore'
+  - 'style'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+  major:
+    labels: ['major']
+  minor:
+    labels: ['minor']
+  patch:
+    labels: ['patch']
+  default: patch
+exclude-labels: ['skip']
+autolabeler:
+-
+  label: 'bug'
+  branch:
+  - '/bug\/.+/'
+  - '/bugfix\/.+/'
+  - '/fix\/.+/'
+-
+  label: 'enhancement'
+  branch:
+  - '/dependabot\/.+/'
+  - '/enhancement\/.+/'
+  - '/feat\/.+/'
+  - '/feature\/.+/'
+-
+  label: 'chore'
+  branch:
+  - '/chore\/.+/'
+  - '/style\/.+/'
+template: |
+  ## Release notes
+
+  $CHANGES

.github/workflows/python-app.yml

@@ -0,0 +1,66 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Satosa-Saml2Spid
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - '3.7'
+          - '3.8'
+          - '3.9'
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install system dependencies
+      run: |
+        sudo apt update
+        sudo apt install -y libffi-dev libssl-dev python3-pip xmlsec1 procps libpcre3 libpcre3-dev
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+        pip install -r example_sp/djangosaml2_sp/requirements.txt
+        pip install spid-sp-test>=0.9.2
+        pip list -v
+    #- name: Lint with flake8
+      #run: |
+        ## stop the build if there are Python syntax errors or undefined names
+        #flake8 oidc_provider --count --select=E9,F63,F7,F82 --show-source --statistics
+        ## exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+        #flake8 oidc_provider  --max-line-length 120 --count --exit-zero --statistics
+    - name: run djangosaml2 sp
+      run: |
+        cd example_sp/djangosaml2_sp/
+        bash run.sh &
+        sleep 5
+    - name: run satosa-saml2spid
+      run: |
+        cd example
+        mkdir -p metadata/idp
+        mkdir -p metadata/sp
+        export SATOSA_APP=`python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'`
+        uwsgi --wsgi-file $SATOSA_APP/satosa/wsgi.py  --https 0.0.0.0:10000,./pki/cert.pem,./pki/privkey.pem --callable app -b 32768 &
+        sleep 5
+    - name: spid-sp-test
+      run: |
+        cd example
+        spid_sp_test --idp-metadata > metadata/idp/spid-sp-test.xml
+        spid_sp_test --metadata-url https://localhost:10000/spidSaml2/metadata --authn-url "http://localhost:8000/saml2/login/?idp=https://localhost:10000/Saml2IDP/metadata&next=/saml2/echo_attributes&idphint=https%253A%252F%252Flocalhost%253A8080" -ap spid_sp_test.plugins.authn_request.SatosaSaml2Spid --extra --debug ERROR -tr

.github/workflows/release-drafter.yml

@@ -0,0 +1,17 @@
+name: Release drafter
+
+on:
+  push:
+    branches: [master, dev]
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  update_release_draft:
+    name: Update draft release
+    runs-on: ubuntu-latest
+    steps:
+    -
+      uses: release-drafter/release-drafter@v5
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -12,4 +12,4 @@ example/metadata/*.md
 *pyFF_example/.whoosh
 *pyFF_example/garr
 *pyFF_example/entities
-example/pki/*
+example_sp/djangosaml2_sp/sqlite3.db

README.md

@@ -107,7 +107,7 @@ source satosa.env/bin/activate
 
 ###### Dependencies
 ````
-sudo apt install -y libffi-dev libssl-dev xmlsec1 python3-pip xmlsec1 procps libpcre3 libpcre3-dev
+sudo apt install -y libffi-dev libssl-dev python3-pip xmlsec1 procps libpcre3 libpcre3-dev
 
 git clone https://github.com/peppelinux/Satosa-Saml2Spid.git repository
 pip install -r repository/requirements.txt

example/metadata/idp/spid-sp-test.xml

@@ -0,0 +1 @@
+<?xml version="1.0"?><md:EntityDescriptor ID="_3ffef5dca85b4773aaf0c8b4f086d92b1dc5fb4cbb" entityID="https://localhost:8080" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_3ffef5dca85b4773aaf0c8b4f086d92b1dc5fb4cbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>yqmXnkQV7s7mz2bcIb4fLiTM/wwLaRmTTjJHW6lkafc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BLLJrRnwcYU2dobAKG9DfzyDlHkI7uLH9agT9TOkgwCXqOrhDeN/lFRrqy4gt7oii5uGlnuTmqGUW5hNGUkb6pzETu3WbTVTl8UjvdmsQcNzYNtZPhr00dawgb52j2pPt8KsJKgA4iv8Fl8ALQwVKBlJ2w20d9iWVMJLh/7CHjgzA1TfuGsaKe9vEzqXKDKRDlK614lCAGu/v0kektWtVGECT038dnAuN+KbWqCkojc3nrnAjCm3/pPQ3POzlBdKhRpN55SE29eSd49gm4rDsp9CkRDYYx3IG44ihmBNVONg8zZSp3Jc24TQ/dmS1jDK+LyJvxh6YHhs0I6ejQ6VlA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEGDCCAwCgAwIBAgIJAOrYj9oLEJCwMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdDAeFw0xOTA0MTExMDAyMDhaFw0yNTAzMDgxMDAyMDhaMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK8kJVo+ugRrbbv9xhXCuVrqi4B7/MQzQc62ocwlFFujJNd4m1mXkUHFbgvwhRkQqo2DAmFeHiwCkJT3K1eeXIFhNFFroEzGPzONyekLpjNvmYIs1CFvirGOj0bkEiGaKEs+/umzGjxIhy5JQlqXE96y1+Izp2QhJimDK0/KNij8I1bzxseP0Ygc4SFveKS+7QO+PrLzWklEWGMs4DM5Zc3VRK7g4LWPWZhKdImC1rnS+/lEmHSvHisdVp/DJtbSrZwSYTRvTTz5IZDSq4kAzrDfpj16h7b3t3nFGc8UoY2Ro4tRZ3ahJ2r3b79yK6C5phY7CAANuW3gDdhVjiBNYs0CAwEAAaOByjCBxzAdBgNVHQ4EFgQU3/7kV2tbdFtphbSA4LH7+w8SkcwwgZcGA1UdIwSBjzCBjIAU3/7kV2tbdFtphbSA4LH7+w8SkcyhaaRnMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdIIJAOrYj9oLEJCwMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJNFqXg/V3aimJKUmUaqmQEEoSc3qvXFITvT5f5bKw9yk/NVhR6wndL+z/24h1OdRqs76blgH8k116qWNkkDtt0AlSjQOx5qvFYh1UviOjNdRI4WkYONSw+vuavcx+fB6O5JDHNmMhMySKTnmRqTkyhjrch7zaFIWUSV7hsBuxpqmrWDoLWdXbV3eFH3mINA5AoIY/m0bZtzZ7YNgiFWzxQgekpxd0vcTseMnCcXnsAlctdir0FoCZztxMuZjlBjwLTtM6Ry3/48LMM8Z+lw7NMciKLLTGQyU8XmKKSSOh0dGh5Lrlt5GxIIJkH81C0YimWebz8464QPL3RbLnTKg+c=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEGDCCAwCgAwIBAgIJAOrYj9oLEJCwMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdDAeFw0xOTA0MTExMDAyMDhaFw0yNTAzMDgxMDAyMDhaMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK8kJVo+ugRrbbv9xhXCuVrqi4B7/MQzQc62ocwlFFujJNd4m1mXkUHFbgvwhRkQqo2DAmFeHiwCkJT3K1eeXIFhNFFroEzGPzONyekLpjNvmYIs1CFvirGOj0bkEiGaKEs+/umzGjxIhy5JQlqXE96y1+Izp2QhJimDK0/KNij8I1bzxseP0Ygc4SFveKS+7QO+PrLzWklEWGMs4DM5Zc3VRK7g4LWPWZhKdImC1rnS+/lEmHSvHisdVp/DJtbSrZwSYTRvTTz5IZDSq4kAzrDfpj16h7b3t3nFGc8UoY2Ro4tRZ3ahJ2r3b79yK6C5phY7CAANuW3gDdhVjiBNYs0CAwEAAaOByjCBxzAdBgNVHQ4EFgQU3/7kV2tbdFtphbSA4LH7+w8SkcwwgZcGA1UdIwSBjzCBjIAU3/7kV2tbdFtphbSA4LH7+w8SkcyhaaRnMGUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJdGFseTENMAsGA1UEBxMEUm9tZTENMAsGA1UEChMEQWdJRDESMBAGA1UECxMJQWdJRCBURVNUMRQwEgYDVQQDEwthZ2lkLmdvdi5pdIIJAOrYj9oLEJCwMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJNFqXg/V3aimJKUmUaqmQEEoSc3qvXFITvT5f5bKw9yk/NVhR6wndL+z/24h1OdRqs76blgH8k116qWNkkDtt0AlSjQOx5qvFYh1UviOjNdRI4WkYONSw+vuavcx+fB6O5JDHNmMhMySKTnmRqTkyhjrch7zaFIWUSV7hsBuxpqmrWDoLWdXbV3eFH3mINA5AoIY/m0bZtzZ7YNgiFWzxQgekpxd0vcTseMnCcXnsAlctdir0FoCZztxMuZjlBjwLTtM6Ry3/48LMM8Z+lw7NMciKLLTGQyU8XmKKSSOh0dGh5Lrlt5GxIIJkH81C0YimWebz8464QPL3RbLnTKg+c=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8080/samlsso" ResponseLocation="https://localhost:8080/samlsso"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8080/samlsso" ResponseLocation="https://localhost:8080/samlsso"/><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8080/samlsso"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8080/samlsso"/></md:IDPSSODescriptor></md:EntityDescriptor>

example/metadata/sp/djangosaml2_sp

@@ -0,0 +1,35 @@
+<md:EntityDescriptor xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/saml2/metadata/"><md:Extensions><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5" /><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160" /><alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" /><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" /><alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" /><alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" /><alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160" /><alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" /><alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" /></md:Extensions><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDETCCAfmgAwIBAgIUPw12Gkt4agBtLBntd7RzTWwLKAYwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNc3AxLnVuaWNhbC5pdDAeFw0xOTAzMjAxNDMxMTVaFw0y
+OTAzMTcxNDMxMTVaMBgxFjAUBgNVBAMMDXNwMS51bmljYWwuaXQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj0BzOt58ECsSwT049bIhmD0p7q0Y+4L7c
+jrvvJYcMT7HZE+tbO4M6upkXnP+3gvPpRccaEtwJoda3gYzvF35VMzp0fCW7OmXI
+R8cJtySIfzkdmmO385Tbxlp1jRxZyQtc2nPzCKeV4xlQNEinQr94nI7tMFReDejj
+XKwS5RABk8KQMo2M78xa9RQyxqDC1e0ioeVQRR2og99fF3u/WOJ/JB2aETTfvInr
+FIyFA5XB0roBDyM44877nRKYeMBd4kVk+fs4yu6kZm7WOXHUXFLKRuXLeVxEbZYz
+SSMjncsB1U35OAt+Ozkp+12qaqMAVdGKP+xso3zGAr/5AC6CuPnrAgMBAAGjUzBR
+MB0GA1UdDgQWBBR6RRoajGB1UmdiMAKSmgpL3RD0mzAfBgNVHSMEGDAWgBR6RRoa
+jGB1UmdiMAKSmgpL3RD0mzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQBzRUa++T0EiR+Fq4iTpKIysigV+1CeMbS+u1JaPOnMXfWmboOOVDrHhnit
+bpfxm+SpbafPTz40THtfw9EKvReMjNa4HQ4vFBMwZtmYZ4piGS5PferFDzYdZG1d
+S/2vcCQA4Dya/R675XKEhBdWO8JfUOL1ImMoJBa5Z+ApU8OCk8hpiJUV0akpw7jA
++VO8+VR2T+SH+3h28KOrNdraWozZ99NKqB7GUFcaxouaOkPE7mi8JyAgLZMZvJae
+QeJEUI9sfavSLmvBsfbusAeCjFYCVM9MM7uZNvK6gI0Dzppl+rN7vRWcBF+oYyiS
+1EX9j2GqG1yWcdGvY60GJu5Er5id
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDETCCAfmgAwIBAgIUPw12Gkt4agBtLBntd7RzTWwLKAYwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNc3AxLnVuaWNhbC5pdDAeFw0xOTAzMjAxNDMxMTVaFw0y
+OTAzMTcxNDMxMTVaMBgxFjAUBgNVBAMMDXNwMS51bmljYWwuaXQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj0BzOt58ECsSwT049bIhmD0p7q0Y+4L7c
+jrvvJYcMT7HZE+tbO4M6upkXnP+3gvPpRccaEtwJoda3gYzvF35VMzp0fCW7OmXI
+R8cJtySIfzkdmmO385Tbxlp1jRxZyQtc2nPzCKeV4xlQNEinQr94nI7tMFReDejj
+XKwS5RABk8KQMo2M78xa9RQyxqDC1e0ioeVQRR2og99fF3u/WOJ/JB2aETTfvInr
+FIyFA5XB0roBDyM44877nRKYeMBd4kVk+fs4yu6kZm7WOXHUXFLKRuXLeVxEbZYz
+SSMjncsB1U35OAt+Ozkp+12qaqMAVdGKP+xso3zGAr/5AC6CuPnrAgMBAAGjUzBR
+MB0GA1UdDgQWBBR6RRoajGB1UmdiMAKSmgpL3RD0mzAfBgNVHSMEGDAWgBR6RRoa
+jGB1UmdiMAKSmgpL3RD0mzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQBzRUa++T0EiR+Fq4iTpKIysigV+1CeMbS+u1JaPOnMXfWmboOOVDrHhnit
+bpfxm+SpbafPTz40THtfw9EKvReMjNa4HQ4vFBMwZtmYZ4piGS5PferFDzYdZG1d
+S/2vcCQA4Dya/R675XKEhBdWO8JfUOL1ImMoJBa5Z+ApU8OCk8hpiJUV0akpw7jA
++VO8+VR2T+SH+3h28KOrNdraWozZ99NKqB7GUFcaxouaOkPE7mi8JyAgLZMZvJae
+QeJEUI9sfavSLmvBsfbusAeCjFYCVM9MM7uZNvK6gI0Dzppl+rN7vRWcBF+oYyiS
+1EX9j2GqG1yWcdGvY60GJu5Er5id
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml2/ls/post/" /><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/saml2/ls/" /><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml2/acs/" index="1" /></md:SPSSODescriptor><md:Organization><md:OrganizationName xml:lang="it">Unical</md:OrganizationName><md:OrganizationName xml:lang="en">Unical</md:OrganizationName><md:OrganizationDisplayName xml:lang="it">Unical</md:OrganizationDisplayName><md:OrganizationDisplayName xml:lang="en">Unical</md:OrganizationDisplayName><md:OrganizationURL xml:lang="it">http://www.unical.it</md:OrganizationURL><md:OrganizationURL xml:lang="en">http://www.unical.it</md:OrganizationURL></md:Organization><md:ContactPerson contactType="administrative"><md:Company>Universita della Calabria</md:Company><md:GivenName>Giuseppe</md:GivenName><md:SurName>De Marco</md:SurName><md:EmailAddress>giuseppe.demarco@unical.it</md:EmailAddress></md:ContactPerson><md:ContactPerson contactType="technical"><md:Company>Universita della Calabria</md:Company><md:GivenName>Giuseppe</md:GivenName><md:SurName>De Marco</md:SurName><md:EmailAddress>giuseppe.demarco@unical.it</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>

example/pki/build_spid_certs.sh

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+set -euo pipefail
+
+openssl_conf=$(mktemp)
+
+# check input parameters
+
+COMMON_NAME=${COMMON_NAME:=""}
+if [ "X${COMMON_NAME}" == "X" ]; then
+    echo "[E] COMMON_NAME must be set"
+    exit 1
+fi
+
+LOCALITY_NAME=${LOCALITY_NAME:=""}
+if [ "X${LOCALITY_NAME}" == "X" ]; then
+    echo "[E] LOCALITY_NAME must be set"
+    exit 1
+fi
+
+ORGANIZATION_IDENTIFIER=${ORGANIZATION_IDENTIFIER:=""}
+if [ "X${ORGANIZATION_IDENTIFIER}" == "X" ]; then
+    echo "[E] ORGANIZATION_IDENTIFIER must be set"
+    exit 1
+fi
+
+if [ $(echo ${ORGANIZATION_IDENTIFIER} | grep -c '^PA:IT-') -ne 1 ]; then
+    echo "[E] ORGANIZATION_IDENTIFIER must be in the format of 'PA:IT-<IPA code>'"
+    exit 1
+fi
+
+ORGANIZATION_NAME=${ORGANIZATION_NAME:=""}
+if [ "X${ORGANIZATION_NAME}" == "X" ]; then
+    echo "[E] ORGANIZATION_NAME must be set"
+    exit 1
+fi
+
+SERIAL_NUMBER=${SERIAL_NUMBER:=""}
+if [ "X${SERIAL_NUMBER}" == "X" ]; then
+    echo "[E] SERIAL_NUMBER must be set"
+    exit 1
+fi
+
+URI=${URI:=""}
+if [ "X${URI}" == "X" ]; then
+    echo "[E] URI must be set"
+    exit 1
+fi
+
+SPID_SECTOR=${SPID_SECTOR:=""}
+if [ "X${SPID_SECTOR}" == "X" ]; then
+    echo "[E] SPID_SECTOR must be set"
+    exit 1
+fi
+
+case ${SPID_SECTOR} in
+    public)
+        POLICY_IDENTIFIER="spid-publicsector-SP"
+        ;;
+    private)
+        POLICY_IDENTIFIER="spid-privatesector-SP"
+        ;;
+    *)
+    echo "[E] SPID_SECTOR must be one of ['public', 'private']"
+    exit 1
+        ;;
+esac
+
+# generate configuration file
+
+cat > ${openssl_conf} <<EOF
+oid_section=spid_oids
+[ req ]
+default_bits=3072
+default_md=sha384
+distinguished_name=dn
+encrypt_key=no
+prompt=no
+req_extensions=req_ext
+[ spid_oids ]
+#organizationIdentifier=2.5.4.97
+spid-privatesector-SP=1.3.76.16.4.3.1
+spid-publicsector-SP=1.3.76.16.4.2.1
+uri=2.5.4.83
+[ dn ]
+commonName=${COMMON_NAME}
+countryName=IT
+localityName=${LOCALITY_NAME}
+organizationIdentifier=${ORGANIZATION_IDENTIFIER}
+organizationName=${ORGANIZATION_NAME}
+serialNumber=${SERIAL_NUMBER}
+uri=${URI}
+[ req_ext ]
+certificatePolicies=@spid_policies
+[ spid_policies ]
+policyIdentifier=${POLICY_IDENTIFIER}
+EOF
+
+# generate selfsigned certificate
+
+openssl req -new -x509 -config ${openssl_conf} \
+    -days ${DAYS:=730} \
+    -keyout privkey.pem -out cert.pem \
+    -extensions req_ext
+
+# dump (text) the certificate
+
+openssl x509 -noout -text -in cert.pem
+
+# dump (ASN.1) the certificate
+
+openssl asn1parse -inform PEM \
+    -oid oids.conf \
+    -i -in cert.pem
+
+# cleanup
+
+rm -fr ${openssl_conf}

example/pki/cert.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/TCCA2WgAwIBAgIUZYMkZC8ySXs72cH2yj4TGh/T7PgwDQYJKoZIhvcNAQEM
+BQAwgasxGzAZBgNVBAMMElNQSUQgZXhhbXBsZSBwcm94eTELMAkGA1UEBhMCSVQx
+DTALBgNVBAcMBFJvbWExFTATBgNVBGEMDFBBOklULWNfaDUwMTEbMBkGA1UECgwS
+U1BJRCBleGFtcGxlIHByb3h5MRMwEQYDVQQFEwoxMjM0NTY3ODkwMScwJQYDVQRT
+DB5odHRwczovL3NwaWQucHJveHkuZXhhbXBsZS5vcmcwHhcNMjEwNzEzMDkzMDE0
+WhcNNDEwNzA4MDkzMDE0WjCBqzEbMBkGA1UEAwwSU1BJRCBleGFtcGxlIHByb3h5
+MQswCQYDVQQGEwJJVDENMAsGA1UEBwwEUm9tYTEVMBMGA1UEYQwMUEE6SVQtY19o
+NTAxMRswGQYDVQQKDBJTUElEIGV4YW1wbGUgcHJveHkxEzARBgNVBAUTCjEyMzQ1
+Njc4OTAxJzAlBgNVBFMMHmh0dHBzOi8vc3BpZC5wcm94eS5leGFtcGxlLm9yZzCC
+AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMX1VVjDx0e9PIq+v1NeHQ8S
+iT6hHJSkMsWYV+JLmLoGcxSV7iMFvBL3KQaokCFAAsl1k5f77PT3WFMFzmVO+0Eq
+SRIM/+7m8IgXP2amBcxJWt5iglG73vVw1cSEovmlDkUR7jP88Q8OfK+RrR1qm7v8
+Nt/AFWGzQL95Ng3Ux7uJ8CwZSZaNdj+nJoEKDG0+c9pfPLcc/QgP7ZrINacUCpUe
+EWcUvR+cJRZip9B15Kk2s+uUYvA9Gns4IpJGgmUXh6JCYwvm5/7l28uxmHzdT1hN
+e1p1f5g5ofnZwFLJI+SCbVNq7q/f2NU8JpQTMCgeyPdnVV5nXxG6sDRDnQIsvnHt
+g6AMUCHYVV+PZroMQtx5TRCeiiA1RRCPnsqhjfPAOOIQopjHIr6MMVvO5WFP+7zG
+1u8tXc6/tl3fSKVuGnpDuXDn8Qj8exoh7A4olzv9PVFMqIRGLhYJ5bHRU1EuU/fA
+RReNYjWU3XYHiQ95xLzHjRjxZkyxvdxb7KCWbyHaOwIDAQABoxcwFTATBgNVHSAE
+DDAKMAgGBitMEAQCATANBgkqhkiG9w0BAQwFAAOCAYEAjT2bIsLUDMHlLW+aCjqw
+fqm9p//cFPzt6jeeZ6MEyIQ9/UVKbucOhgW7zsdKyxFSbZzx27icTUUHuAZV2eiS
+91AA7yhZB46pGfiYmPfbjZgN3EotllgphenDKJZzAZw9bjxASugvT/7faUGxQRQI
+ThwoCvpZr9U1aBKBP+QdE+Ym88h+rLGPokkUEoOfIT+WptE8gUbqPZHAq4ObODiT
+IZDVDflI2k/llS75e6TWBiZSGGdMMfkmDiBM9kW7sREW3HfUsYWx9SXEgtDZ3K8q
+fmhQn6IYLZX10lbk4j5HJTe6PLH+XmYdwIADboAhPDNEFK0E276iiHF/wR6i5WxK
+Bd1bAHLE451W8g3uAjkIhfIZg3i1r9uQXw4D8M1Gsb8OUDK182McqlVEP7HEsBno
+dprUnm3AfbAUjQ0aFRM/DfdKMy+3lYe4A3gBgWbDdliCFlpUUd9MjsYqs/EphcQR
+UNc2uhjHUl49I92V0VWTK4fB1hAXp4pCoAiVJBibMNML
+-----END CERTIFICATE-----