
An error occurred. Resubmit the request from the service page. (Si è verificato un errore. Reinviare la richiesta dalla pagina del servizio.)

Open LColella opened this issue 3 years ago • 2 comments

Hello, for a public administration (PA) customer we are developing a portal that will be accessible with SPID, so I am running some first tests to integrate this functionality.

I installed and started the SPID Validator with Docker and validated my metadata file successfully, but then, when I try to log in, I receive the following error with no further explanation:

Errore: Si è verificato un errore. Reinviare la richiesta dalla pagina del servizio. (Error: An error occurred. Resubmit the request from the service page.)


Can anyone give me an explanation?

My AuthnRequest is the following. Unencoded:

```xml
<samlp:AuthnRequest AssertionConsumerServiceIndex="1" AttributeConsumingServiceIndex="1" Destination="https://localhost:8081/samlsso" ID="_abdd8d0-370e-4f76-b281-8eebb276faef" IsPassive="false" IssueInstant="2021-10-13T14:09:10.490Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://spid.w-enterprise.it" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://spid.w-enterprise.it</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_abdd8d0-370e-4f76-b281-8eebb276faef">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>nyRZeRWZur9++fi33+OmvwCNVkDGwyzrAiqLesuypOrPUm9Ec2kgkOJgfoR4mq62pulh3PeEhSga qdl/sxuKAhNObJMbAf8++Qj+LOVJxcgR6YvD7WkMCueaQ9J5eKDJsHyEwGSLpufGD1zjcxAZTdaj 5EvIyNN0zuPx6SNkb0ebhVzaui8T6VoAxtSUFs65AkiH+UWUnJw7IRBlVfHqVFwJhHhM1mfafXSw CtiGz7I4lnX1Wgp6owFOXQRirRZBe4rXsBwJr80ig4tTlAArcFnDAVA8sdWZobXaNv0xgZu4IvRN +/GiiXF0r13TxY1saswdbdYHzBjEeluOvk2q3w==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
      <ds:X509Data>
        <ds:X509Certificate>MIIDAzCCAeugAwIBAgIJANkWspLTHos8MA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDXNwaWQu bGVjY2UuaXQwHhcNMTcxMDA3MTU0MzUxWhcNMjcxMDA1MTU0MzUxWjAYMRYwFAYDVQQDDA1zcGlk LmxlY2NlLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnyRZeRWZur9++fi33+Om vwCNVkDGwyzrAiqLesuypOrPUm9Ec2kgkOJgfoR4mq62pulh3PeEhSgaqdl/sxuKAhNObJMbAf8+ +Qj+LOVJxcgR6YvD7WkMCueaQ9J5eKDJsHyEwGSLpufGD1zjcxAZTdaj5EvIyNN0zuPx6SNkb0eb hVzaui8T6VoAxtSUFs65AkiH+UWUnJw7IRBlVfHqVFwJhHhM1mfafXSwCtiGz7I4lnX1Wgp6owFO XQRirRZBe4rXsBwJr80ig4tTlAArcFnDAVA8sdWZobXaNv0xgZu4IvRN+/GiiXF0r13TxY1saswd bdYHzBjEeluOvk2q3wIDAQABo1AwTjAdBgNVHQ4EFgQUdyfs1wubmkpmsy4ozv5bG8b74mgwHwYD VR0jBBgwFoAUdyfs1wubmkpmsy4ozv5bG8b74mgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF AAOCAQEAnZKa4B3j5RgluVRa6ELL5PbPVzmq0rfLm0n76jiZ0AessvBiY4/HGmhkdRr2FdIm/Ra9 wRsWQE0cho9ZjRV3ha5nocnSmkQ5THzNn+8UafDN+UavpZ8aY0qBUODDMk1pCL3a1Ly56rWElSOT og0O5tyCAEqEsB2LFyKOLGQBvXmwhtCOqXflrzB3yJuHhnHr5pMP0NX8yBtRayuf7j/2H4NAyirv angOc5x7ZcYA9IzTE+t/0cvHKHbmejsUq11yICnD9YSeqOoJ0fgPN2O0BTGyqTmKm/0V0oTtOe3x DCDOyhYQY40b3PXI5ApEWvg2R/QqLY7RQ6ZaaGs3hPCw6A==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <saml2p:RequestedAuthnContext Comparison="exact" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
```

Encoded: the same request as sent to `https://localhost:8081/samlsso` in the URL-encoded `SAMLRequest` query parameter, with a `RelayState` parameter (the encoded blob is omitted here).

LColella, Oct 13 '21 14:10

At a glance I see 4 problems in your AuthnRequest:

  • IsPassive must not be present
  • ForceAuthn must be present and set to true
  • the EntityID of the metadata (and therefore the issuer of the AuthnRequest) must be in https (during testing this check is skipped, at publication time it will be required).
  • The digest must also be in sha256
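The four checks from the reply above, turned into a small lint script you can run against an AuthnRequest before sending it to the validator. This is an added example, not code from spid-saml-check or from anyone in this thread; the sample request it parses is constructed (same defects as the one posted, no real key material) and only the standard-library `xml.etree` parser is used.

```python
# Added example: lint a SPID AuthnRequest for the four problems listed in the reply.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"  # XML-DSig URI for SHA-256


def check_authn_request(xml_text: str) -> list:
    """Return the problems found; an empty list means all four checks pass."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    # 1. IsPassive must be absent entirely (IsPassive="false" still fails).
    if "IsPassive" in root.attrib:
        problems.append("IsPassive must not be present")
    # 2. ForceAuthn must be present and set to true.
    if root.attrib.get("ForceAuthn", "").lower() != "true":
        problems.append("ForceAuthn must be present and set to true")
    # 3. Issuer (the SP metadata EntityID) must be an https URL.
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip().startswith("https://"):
        problems.append("Issuer / EntityID must be an https URL")
    # 4. The signature Reference must use a SHA-256 digest, not SHA-1.
    digest = root.find(f".//{{{DS}}}DigestMethod")
    if digest is None or digest.attrib.get("Algorithm") != SHA256_DIGEST:
        problems.append("DigestMethod must be SHA-256")
    return problems


# Constructed sample with the same four defects as the request in the issue.
BAD_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
  ID="_constructed-1" Version="2.0" IssueInstant="2021-10-13T14:09:10Z"
  IsPassive="false" Destination="https://localhost:8081/samlsso">
  <saml:Issuer>http://sp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_constructed-1">
    <ds:DigestMethod Algorithm="{SHA1_DIGEST}"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""

# The same request with the four fixes applied.
GOOD_REQUEST = (BAD_REQUEST.replace('IsPassive="false"', 'ForceAuthn="true"')
                .replace("http://sp.", "https://sp.")
                .replace(SHA1_DIGEST, SHA256_DIGEST))

if __name__ == "__main__":
    print(check_authn_request(BAD_REQUEST))   # the four problems from the reply
    print(check_authn_request(GOOD_REQUEST))  # []
```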


Thanks, I'll try to fix them right away; some of these I had already noticed while doing further research... but not all of them.

LColella, Oct 20 '21 08:10