Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authNRequest fixes and other changes #13

Merged
merged 6 commits into from
Jul 15, 2021
Merged

authNRequest fixes and other changes #13

merged 6 commits into from
Jul 15, 2021

Conversation

Nick87
Copy link

@Nick87 Nick87 commented May 16, 2021
edited
Loading

AuthNRequest fixes

see https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html

nell’elemento non deve essere presente l’attributo IsPassive (ad indicare false come valore di default)

see https://www.spid.gov.it/assets/download/SPID_QAD.pdf

2.1.11 - The IsPassive attribute must not be present

  • both AssertionConsumerServiceIndex and AssertionConsumerServiceUrl+ProtocolBinding must not be set (partially addresses Elenco problematiche #11)

From spid-testenv2 validation:

"Uno e uno solo uno tra gli attributi o gruppi di attributi devono essere presenti: [AssertionConsumerServiceIndex, [AssertionConsumerServiceUrl, ProtocolBinding]]"

see https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html

In alternativa all’attributo AssertionConsumerServiceIndex (scelta sconsigliata) possono essere presenti:
l’attributo AssertionConsumerServiceURL [...]
l’attributo ProtocolBinding [...]

see https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html

l’attributo ForceAuthn nel caso in cui si richieda livelli di autenticazione superiori a SpidL1 (SpidL2 o SpidL3)

  • Issuer must be set to "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" not to "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" (partially addresses Elenco problematiche #11)

see https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html

L’elemento deve riportare gli attributi: Format fissato al valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity

see https://www.spid.gov.it/assets/download/SPID_QAD.pdf

2.2.4 - The Format attribute must be urn:oasis:names:tc:SAML:2.0:nameidformat:entity

  • The same public key info is provided twice in getSignature() (explicitly and via certificate), resulting in having both KeyValue and X509Data elements present in the AuthnRequest, making signxml throwing an exception when using spid-testenv2. Fixes Elemento SignatureValue vuoto #10.

see XML-Security/signxml#143

As a fix, public key info is now only added via certificate (commenting KeyInfoHelper.addPublicKey(keyInfo, certificate.getPublicKey()); in getSignature()) and adding Signer.signObject(authnRequest.getSignature()); to printAuthnRequest

see italia/spid-testenv2#325

Other minor changes:

  • added maven generated dirs to .gitignore
  • privateKey must not be logged
  • option to not compress authnrequest when using POST binding (partially addresses Elenco problematiche #11)
  • added lombok

authNRequest fixes
6f20880 
	- isPassive is not allowed
	- both AssertionConsumerServiceIndex and AssertionConsumerServiceUrl+ProtocolBinding must not be set
	- ForceAuthn attribute must be present if SPID level > 1
	- Issuer must be set to "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
	- The same public key info is provided twice in getSignature()

other minor changes:
	- added maven generated dirs to .gitignore
	- privateKey must not be logged
	- option to not compress authnrequest when using POST binding
@Nick87 Nick87 changed the title authNRequest fixes and other minor changes authNRequest fixes and other changes May 16, 2021
@Nick87 Nick87 marked this pull request as ready for review May 16, 2021 13:43
@Nick87 Nick87 closed this May 17, 2021
@Nick87 Nick87 reopened this May 17, 2021
polarene
polarene approved these changes May 18, 2021
View reviewed changes
Copy link

@polarene polarene left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left just an observation, nice PR!

...ntegration/src/main/java/it/italia/developers/spid/integration/util/SPIDIntegrationUtil.java Outdated Show resolved Hide resolved
@peppelinux
Copy link
Member

thank you @Nick87 @polarene

@peppelinux peppelinux merged commit 2c98940 into italia:master Jul 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@polarene polarene polarene approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Elemento SignatureValue vuoto
3 participants
@Nick87 @peppelinux @polarene