Closed dassocec closed 3 years ago
Could you tell me, using this tool (https://redkestrel.co.uk/products/decoder/), which value is shown for "Sig. Algorithm" inside the certificate?
The self-signed certificate shows "sha256WithRSAEncryption", and the other certificate, issued by Aruba for the domain, also shows "sha256WithRSAEncryption".
Could you paste an example request that fails validation?
The error (the message signature is not correct) can also be seen by validating the request with the following tool: https://www.samltool.com/validate_authn_req.php
Hi, I'm trying to trace the origin of this problem; the validation tool used by spid-saml-check is spid-sp-test.
To validate the request correctly the metadata is needed as well. The command to run is the following; it can be executed directly inside the spid-saml-check Docker container.
spid_sp_test --metadata-url https://localhost:8000/spid/metadata/ --extra --authn-url https://localhost:8000/spid/login/?idp=https://localhost:8080 --debug ERROR
For files, you can use the file:// URL
spid_sp_test --metadata-url c_m093__80002630624.xml --extra --authn-url file:///home/utente/Downloads/AuthRequest.txt --debug ERROR --profile spid-sp-ag-public-full
Validation is done with xmlsec1, that is, with this command:
xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --pubkey-pem /tmp/tmpwy3k37d1.crt /tmp/tmpq_wn5v8f.xml
where /tmp/tmpwy3k37d1.crt is the certificate extracted from the metadata, example here:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFPFTcDe6UcZj+S6BC8W
p7vWy/PoyKEMEXySAPzUxS0lu2Z4ae9CBSB8YG3Ub+RnkgPhF1cWkM+ZZ7F15cWJ
w1/6FVwmhccPmCOSZuqqcP4n/fmkr98tW7Cqd88hlJD4mi3X1Rc/1bmWb8/Is4wE
1NRCgE9fVyk3YBv0oxoGHM6Lki+TILhnf6Fp85+U6coxlpOjcleslR3KltkKEs4X
6jralHnc0QAvrveOmULXjbMHCbiVievrss4i66xOjKYcD/gC8lpFA2lf+2INvmp4
PP89OdV1xXnJEOS+2P6OtBmud7GlhVapO3/MHxOepKp5zWjz+XIqNmFXYo7DODIs
cQIDAQAB
-----END PUBLIC KEY-----
while /tmp/tmpq_wn5v8f.xml is the request. They are temporary files, so spid-sp-test gives them random names.
Now... in spid-sp-test we hardened the signature verification by adding the --pubkey-pem parameter; this was missing in the previous implementation of the tests, as you can see here:
In spid-sp-test, validation using the metadata certificate was added (otherwise it would have validated a self-referential signature). This is done through the --pubkey-pem argument.
Why --pubkey-pem and not --pubkey-cert-pem?
Because here we convert PEM to x509:
https://github.com/italia/spid-sp-test/blob/7790a429ed78ccef504a19437f614c52feefb9d7/src/spid_sp_test/authn_request.py#L325
This is the spid-sp-test code; it is open, so we can study it, work out how to improve it, and make proposals. I tend not to trust third-party validation services, because I don't have their source code and SAML2 is... "rich" in options!
I recommend validating your request manually with xmlsec1, exactly as the code does, and posting a report here or on the Developers Italia Slack.
To be honest, many SPs validate fine and few of them run into this exception. I don't rule out that a workaround is possible, but we must be certain of what we are doing. I am entirely at your disposal to analyse the problem, here or on Slack; this story makes me very curious!
Using the latest version on the main branch of spid-sp-test, I added more eloquent DEBUG messages than before; -l selects only the test to run, and DEBUG prints the problems in detail.
From the log we get the command to run and the certificate used for validation; this should make your life easier when validating your authn requests "offline".
If you discover alternative ways of using xmlsec1, we will analyse together any impacts and possibilities for improving spid-sp-test.
spid_sp_test --metadata-url file://c_m093__80002630624.xml --extra --authn-url file:///home/utente/Downloads/AuthRequest.txt --debug DEBUG -l test_xmldsig
DEBUG:spid_sp_test.authn_request:Running authn request signature validation:
xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --pubkey-pem /tmp/tmp73c3dm7w.crt /tmp/tmpf1nwv7xp.xml
DEBUG:spid_sp_test.authn_request:/tmp/tmp73c3dm7w.crt:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4bh8zI2gyF6Vh7TnUxzG
7EfxKnr5IIpjTFZNSg1UF+UhHM12aI+DZDJNzcz6w6kBNuuxwXjB7bzruGXTcYuq
NhacxhJpOsMdlCTOStPrtJnc6OeTD+3U3J2VShUOQ0wOZ/Gj3eo7GtIyhW1oWIUC
5IOnUjPz99UjQy9bC+AdAhcro6gNCD2ftesCQF[ ... ]SSTeLv7Edz8qTwByBQ5NO
gVHpV9ml8xMD8qFSrMtYtarKFGfv4JzVkaRQpPUfYNSSf/mM0P9Ul/Um9MIO0THZ
ldyhl/rfKztSYULZ3e45WXq494T9Z7LcwkJfx+BkYdfG+6KJDuyXzOWBq8BZynZW
ZwIDAQAB
-----END PUBLIC KEY-----
DEBUG:spid_sp_test.authn_request:The AuthnRequest MUST validate against XSD and MUST have a valid signature
stderr: func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=279:obj=sha512:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/tmpf1nwv7xp.xml"
ERROR:spid_sp_test.authn_request:SpidSpAuthnReqCheckExtra.test_xmldsig: AuthnRequest Signature validation failed
ERROR:spid_sp_test.authn_request:AuthnRequest Signature validation failed
Spid QA: executed 2 tests, 1 failed. 0 warnings.
@dassocec try updating to this release
https://pypi.org/project/spid-sp-test/0.9.20/
Just attach a bash shell to the spid-saml-check container and run pip install --upgrade spid-sp-test
We look forward to your feedback.
OK. To run the tests locally I use the Docker image. I'll try anyway.
You can use https://demo.spid.gov.it/validator. Today the version that incorporates version 0.9.20 of spid-sp-test was published. Let us know whether test 34 on the request now validates successfully.
Using the environment you pointed out, various other problems come up (not related to this implementation but coming from the validator itself).
In any case, even after updating the image I use locally with the latest version of spid_sp_test, validation of point 34 still fails - but I don't know how much it might be a problem with the creation of the request rather than with the validation itself.
For example, if you use the environment https://www.spid-validator.it/metadata.xml (which is an old version), the request is accepted as valid.
Can you post the metadata and the request with which you get these errors? Thanks
I confirm the same behaviour as described by link-santesem
OK, I'm attaching various info.
Log from the Docker container containing spid-saml-check
env IDP_ENTITYID="https://localhost:8080" spid_sp_test --metadata-url file://../data/https___localhost_44369/sp-metadata.xml --authn-url file://../data/https___localhost_44369/authn-request.dump -rf json -o ../data/https___localhost_44369/sp-authn-request-strict.json
Spid QA: executed 144 tests, 3 failed. 0 warnings.
{
test_id: '',
result: 'failure',
test: 'AuthnRequest Signature validation failed',
value: 'The AuthnRequest MUST validate against XSD and MUST have a valid signature\n' +
'stderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\n' +
'func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmpf5g2ihhr.crt\n' +
'Error: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmpf5g2ihhr.crt\n' +
'Error: failed to load public key from "/tmp/tmpf5g2ihhr.crt".\n' +
'Error: keys manager creation failed\n' +
'Unknown command\n' +
'\n' +
'stdout: Usage: xmlsec <command> [<options>] [<files>]\n' +
'\n' +
'xmlsec is a command line tool for signing, verifying, encrypting and\n' +
'decrypting XML documents. The allowed <command> values are:\n' +
' --help \tdisplay this help information and exit\n' +
' --help-all \tdisplay help information for all commands/options and exit\n' +
' --help-<cmd>\tdisplay help information for command <cmd> and exit\n' +
' --version \tprint version information and exit\n' +
' --keys \tkeys XML file manipulation\n' +
' --sign \tsign data and output XML document\n' +
' --verify \tverify signed document\n' +
' --sign-tmpl \tcreate and sign dynamicaly generated signature template\n' +
' --encrypt \tencrypt data and output XML document\n' +
' --decrypt \tdecrypt data from XML document\n' +
'\n' +
'\n' +
'Report bugs to http://www.aleksey.com/xmlsec/bugs.html\n' +
'\n' +
'Written by Aleksey Sanin <aleksey@aleksey.com>.\n' +
'\n' +
'Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\n' +
'This is free software: see the source for copying information.\n' +
'\n',
references: [],
method: ''
}
This is the request:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_67ebe9ee-eb58-4d6c-9eaa-43a2ddb5d24f" Version="2.0" IssueInstant="2021-09-30T06:56:23.898Z" Destination="https://localhost:8080/samlsso" ForceAuthn="true" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer NameQualifier="https://localhost:44369" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://localhost:44369
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_67ebe9ee-eb58-4d6c-9eaa-43a2ddb5d24f">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
vRihWk+RTAXPRb8SYjFdO0TjBYox17Yr6EELfiRVJvM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
[ ... ]
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
[ ... ]
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<saml:Conditions NotBefore="2021-09-30T06:56:23.898Z" NotOnOrAfter="2021-09-30T07:06:23.898Z"/>
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>
https://www.spid.gov.it/SpidL2
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
This is the metadata (from which I removed the sensitive data)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:spid="https://spid.gov.it/saml-extensions" ID="_8EEB1A1D-597F-405F-89C1-EDF69BB8021A" entityID="https://localhost:44369">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8EEB1A1D-597F-405F-89C1-EDF69BB8021A">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
Xhrd1DBaXDPx+VX1QAMay8EuVIoZLtonQ2SL3qUu+Z8=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[ ... ]=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
vKXfJGeCk6VBEN3OP0eMTVSoWYj06MpJlV0NUg6ly41J298BcauFfIZkJ7CNICYhSt/p1as7/m0h
kAuTYcw7jYs/gDCjlb92UOGa3X+kajEx6kYAA9p9y0D8XKPsayLbHGSyK2N2ntJUWwXy5wOAc1ks
VrMSOS34Imiks7qgxbTLfDB7dvVF0ZcKXMrUel9EV5BkiZASeJB3k6Y01EP/PFFRmq1G13e1EU8C
29kocCoPshaJKxW+9YuJuPx1Iq6gJ+P8Igf5Y9cmxQaFwOFG+GqAyZoibVHIuNmiEAy5JkQZd2KW
zhN5qhaWf8brhHd8/58JbHJr5Q4RmAFSAl0VGaV8WnStczWgjYGcpZUUvBMnWvGvPIinlhxCEBnH
GNObXPPLaNRKbjgfaJ0vFIZ8PASXowJ1jPsey8xC0QY3zXwB1JCxm51b1z9QukLLP5NVHS8ynQq1
4VazLwV4BCr3OSQ9KmIsUZ0Fdeemo7Ub0bOe2y6cPDA8J4S6EVTtHNjczlI5ewKdkMXuV5A1OmHM
XNtADK16/gxW3oUDI0jKzl47wjUzD/7Xhw4aeOn8+KnAyU9ZUJXusUnX820gK//ZIQeJjXFrkQVD
BHNbX7PFhzEc6HqJskW28ybfewGQlTlo3H/txOHMV8cMHisseFYSDvu2nSe23WIWp9OlojlDL/0=
</ds:Modulus>
<ds:Exponent>
AQAB
</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>[ ... ]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[ ... ]==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[ ... ]==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signout-spid"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signin-spid" index="0" isDefault="true"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="it">
Set Attributi 1 - ID Cittadini minimo
</md:ServiceName>
<md:ServiceDescription xml:lang="it">
Set Attributi 1 - ID Cittadini minimo
</md:ServiceDescription>
<md:RequestedAttribute Name="spidCode"/>
<md:RequestedAttribute Name="name"/>
<md:RequestedAttribute Name="familyName"/>
<md:RequestedAttribute Name="fiscalNumber"/>
<md:RequestedAttribute Name="gender"/>
<md:RequestedAttribute Name="dateOfBirth"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="it">
Banca S.p.A.
</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="it">
BDB
</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">
https://www.bancosa.it
</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="other">
<md:Extensions>
<spid:VATNumber>
IT01234567890
</spid:VATNumber>
<spid:FiscalCode>
01234567890
</spid:FiscalCode>
<spid:Private/>
</md:Extensions>
<md:Company>
Banca S.p.A.
</md:Company>
<md:EmailAddress>
spid.tech@bancasa.it
</md:EmailAddress>
<md:TelephoneNumber>
+3901234567890
</md:TelephoneNumber>
</md:ContactPerson>
<md:ContactPerson contactType="billing">
<md:Extensions xmlns:fpa="https://spid.gov.it/invoicing-extensions">
<fpa:CessionarioCommittente>
<fpa:DatiAnagrafici>
<fpa:IdFiscaleIVA>
<fpa:IdPaese>
IT
</fpa:IdPaese>
<fpa:IdCodice>
+3901234567890
</fpa:IdCodice>
</fpa:IdFiscaleIVA>
<fpa:Anagrafica>
<fpa:Denominazione>
Banca S.p.A.
</fpa:Denominazione>
</fpa:Anagrafica>
</fpa:DatiAnagrafici>
<fpa:Sede>
<fpa:Indirizzo>
via dei pini
</fpa:Indirizzo>
<fpa:NumeroCivico>
1
</fpa:NumeroCivico>
<fpa:CAP>
00000
</fpa:CAP>
<fpa:Comune>
Milano
</fpa:Comune>
<fpa:Provincia>
MI
</fpa:Provincia>
<fpa:Nazione>
IT
</fpa:Nazione>
</fpa:Sede>
</fpa:CessionarioCommittente>
</md:Extensions>
<md:Company>
Banca S.p.A.
</md:Company>
<md:EmailAddress>
spid.amm@bancasa.it
</md:EmailAddress>
<md:TelephoneNumber>
+3901234567890
</md:TelephoneNumber>
</md:ContactPerson>
</md:EntityDescriptor>
Inside the metadata, the certificates in the "signing" and "encryption" sections are corrupted; I cannot decode them with any of the online tools, and in any case they are different from the certificate used to sign the metadata itself (is there a reason for this?), which instead is correct. Check the metadata and try running the tests again.
That is surely due to an unintentional merge between the various attempts.
I'm reporting the same error even after fixing the certificate issue.
Metadata - I removed the organization and contact part (the info is in the certificate anyway)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:spid="https://spid.gov.it/saml-extensions" ID="_8EEB1A1D-597F-405F-89C1-EDF69BB8021A" entityID="https://localhost:44369">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8EEB1A1D-597F-405F-89C1-EDF69BB8021A">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
VYr0Ja7BPRp5sO6gIbHSZYC1Ss7HZ6Q+Eh4FwxPEL44=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[ ... ]=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>[ ... ]=
</ds:Modulus>
<ds:Exponent>
AQAB
</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>
MIIGQjCCBCqgAwIBAgIJAJmwYjNvjrCTMA0GCSqGSIb3DQEBCwUAMIG1MQswCQYDVQQGEwJJVDEY
MBYGA1UECAwPTW9uemEgZSBCcmlhbnphMQ4wDAYDVQQHDAVEZXNpbzEkMCIGA1UECgwbQmFuY28g
RGVzaW8gZSBkZWxsYSBCcmlhbnphMQ0wCwYDVQQLDARTcGlkMR8wHQYDVQQDDBZwc2QtY29sbC5i
YW5jb2Rlc2lvLml0MSYwJAYJKoZIhvcNAQkBFhdzcGlkLnRlY2hAYmFuY29kZXNpby5pdDAeFw0y
MTA5MjMxNTQzNTZaFw0yNDA5MjIxNTQzNTZaMIG1MQswCQYDVQQGEwJJVDEYMBYGA1UECAwPTW9u
emEgZSBCcmlhbnphMQ4wDAYDVQQHDAVEZXNpbzEkMCIGA1UECgwbQmFuY28gRGVzaW8gZSBkZWxs
YSBCcmlhbnphMQ0wCwYDVQQLDARTcGlkMR8wHQYDVQQDDBZwc2QtY29sbC5iYW5jb2Rlc2lvLml0
MSYwJAYJKoZIhvcNAQkBFhdzcGlkLnRlY2hAYmFuY29kZXNpby5pdDCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBALyl3yRngpOlQRDdzj9HjE1UqFmI9OjKSZVdDVIOpcuNSdvfAXGrhXyG
ZCewjSAmIUrf6dWrO/5tIZALk2HMO42LP4Awo5W/dlDhmt1/pGoxMepGAAPafctA/Fyj7Gsi2xxk
sitjdp7SVFsF8ucDgHNZLFazEjkt+CJopLO6oMW0y3wwe3b1RdGXClzK1HpfRFeQZImQEniQd5Om
NNRD/zxRUZqtRtd3tRFPAtvZKHAqD7IWiSsVvvWLibj8dSKuoCfj/CIH+WPXJsUGhcDhRvhqgMma
Im1RyLjZohAMuSZEGXdils4TeaoWln/G64R3fP+fCWxya+UOEZgBUgJdFRmlfFp0rXM1oI2BnKWV
FLwTJ1rxrzyIp5YcQhAZxxjTm1zzy2jUSm44H2idLxSGfDwEl6MCdYz7HsvMQtEGN818AdSQsZud
W9c/ULpCyz+TVR0vMp0KteFWsy8FeAQq9zkkPSpiLFGdBXXnpqO1G9GzntsunDwwPCeEuhFU7RzY
3M5SOXsCnZDF7leQNTphzFzbQAytev4MVt6FAyNIys5eO8I1Mw/+14cOGnjp/PipwMlPWVCV7rFJ
1/NtICv/2SEHiY1xa5EFQwRzW1+zxYcxHOh6ibJFtvMm33sBkJU5aNx/7cThzFfHDB4rLHhWEg77
tp0ntt1iFqfTpaI5Qy/9AgMBAAGjUzBRMB0GA1UdDgQWBBQogcz80jb43VQDFpd2xdbhHmQcizAf
BgNVHSMEGDAWgBQogcz80jb43VQDFpd2xdbhHmQcizAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4ICAQAFNB9UurknL+Yc/p35d5K6D2uDMbC3bxZNP9MFaM8wrTjKeUF18AW8+k/CaqHA
2xJ2wT4DXEL68VYr3HsG8b0ULwrwJO7/UsdzSy/TNnbTcyMGoeVNy9FQrYBloJB8Akc/K7vU70xf
/UynWHYEepo2tQwxKyDKxlW/xkfEszuzNCBKWtLcCcPiqg73n3PKD+yn07tqN1uKVa6fu/DGqYwf
Ji+nRTIuaTtNYxVvI/+/8/c0zQOlGELyCIct3uPsMsD5ecyaStVW3o7z1EBVnoCKNUc6YgimWs4y
gXzDYPWCGhUzKPMcWmrGE/TndKh9WBtM/FNr+0g7btDq8GRzbHFlPTLn2odiI9bn9Xr9JYjXeUrg
OAUG0No8375yWWk4K6Hguo3+JzGQaufhzSlof/iTY7ReJ1/qQMbgrmWiDZHVR09x+GqD3XDwmCrj
yYaPhwOsriME9OznwPm/0zqhwHFhpoYt4GU+tw0u+RFfjDiHXziFcKtN/7oL2C3RShQScHwoRlNu
za9uFrShOjFo3juATstzV9wC6fa35GyGMjXd7vwe/jan7dPNaeqX0Pnquk2udHW7Iy7yOmduj6Q5
KS2s7QACeQHXUEooXfCBs+eRL87+/K37/uYWqX0aJ760IJewE7BJFxiLkZnvmPt/xlUrQ55+F+Aj
hiMVQCTIMGV8YA==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[ ... ]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[ ... ]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signout-spid"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signin-spid" index="0" isDefault="true"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="it">
Set Attributi 1 - ID Cittadini minimo
</md:ServiceName>
<md:ServiceDescription xml:lang="it">
Set Attributi 1 - ID Cittadini minimo
</md:ServiceDescription>
<md:RequestedAttribute Name="spidCode"/>
<md:RequestedAttribute Name="name"/>
<md:RequestedAttribute Name="familyName"/>
<md:RequestedAttribute Name="fiscalNumber"/>
<md:RequestedAttribute Name="gender"/>
<md:RequestedAttribute Name="dateOfBirth"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Request
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e27bf1c3-6289-44d9-9bc5-ea3190e6cfed" Version="2.0" IssueInstant="2021-09-30T08:10:04.036Z" Destination="https://localhost:8080/samlsso" ForceAuthn="true" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer NameQualifier="https://localhost:44369" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://localhost:44369
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_e27bf1c3-6289-44d9-9bc5-ea3190e6cfed">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
+1VQTTSBHwlxHgSchhWGDdQhd+e/yLkYXX676CiY4OQ=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
EWmaprPWJaEXG8GrRYjJ3BuaL3ZnA1/mqdJod2bLBUZ/xwygrOUb013cUKSoKPH4WqQ/KBGTXMMHi9MAwWe9jybjY9UDVukru5feV5hRrEoeVkunDUa6SHInccQfw6ct3WLsG+8YB4rNzjKofWaOj9/x1jWYlt+PWSA1iXo7plXiRiXU/4yPQh+la1zdEXdEgj8EhzZu1I4BvkW1alrxrg/k5mrwWAQuAbmX5X807dRaL9hGeEd1mzIPNqS5MiGbgYXjoTkwQ+qnzUxfmgjuN8iLA3AP8i4btKryMMSOibG67XHIfP2dHMPxrPGucxyRKejJaIkIJVB0pophahEevP//2oJ1syq875w61sFIL2iIaj15dRlfYXaHmeMtqI9boYxNyNRCJtugAUCt8pFYwG6pVdffDxwQJXtEGDS+qgy0rGbANLCNqSEzyU/8NsqRVTuXZd+9dN08tech9chlyC7+lVzoB9Mhd+FHMgDQJ6wVH49VMgEVrIYieCM14+m9FJqyt4PSjmllI3CAhgsPHToss0NJG/1O1eL0whh1ebReu0BKA+mKor3l2ENehH98GFoyDVT/w7LZGfeC6PCEKacZHjHFsrJlbSZg4uTlq8t7vbioc7bmqu+LsD6OG1IjIyvDvU0woi8EIjzYL+cta6q7QNlAl677ewYPDsnXN3M=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
[ ... ]
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<saml:Conditions NotBefore="2021-09-30T08:10:04.036Z" NotOnOrAfter="2021-09-30T08:20:04.036Z"/>
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>
https://www.spid.gov.it/SpidL2
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Still the same error on point 34 of the validation
I cannot validate an incomplete metadata. In any case, is the complete metadata validated by spid_sp_test or by https://demo.spid.gov.it/validator#/metadata-sp-download ?
Yes, the metadata has no problems - at least the tool validates it correctly.
In the request, point 34 gives an error. Here is the metadata. metadata.zip .
In this case too, I think the only one who can give us support is @peppelinux, since the anomaly concerns the integration with spid_sp_test
Folks, just run spid-sp-test on the offending metadata.
If the profile changes, just specify it with --profile
If you don't have the latest updated version of spid-saml-check, update it
With -rf json you get the report like spid-saml-check, enjoy
spid_sp_test --metadata-url file:///home/wert/Scaricati/metadata\ \(1\).xml
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: Only one EntityDescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST have a value
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor: Only one SPSSODescriptor element MUST be present
ERROR:spid_sp_test.metadata:Only one SPSSODescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_xmldsig: the metadata signature MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The digest algorithm MUST be valid
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing KeyDescriptor MUST be present
ERROR:spid_sp_test.metadata:At least one signing KeyDescriptor MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: One or more SingleLogoutService elements MUST be present
ERROR:spid_sp_test.metadata:One or more SingleLogoutService elements MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: At least one AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:At least one AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService: One or more AttributeConsumingService elements MUST be present
ERROR:spid_sp_test.metadata:One or more AttributeConsumingService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: Only one Organization element can be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationDisplayName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationDisplayName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationDisplayName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationURL elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationURL element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationURL element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd: failed validating <Element '{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor' at 0x7f90638a7e00> with XsdGroup(model='sequence', occurs=[1, 1]):
Reason: Unexpected child with tag 'md:IDPSSODescriptor' at position 2. Tag 'md:SPSSODescriptor' expected.
Schema:
<complexType xmlns="http://www.w3.org/2001/XMLSchema" name="EntityDescriptorType">
<sequence>
<element ref="ds:Signature" minOccurs="0" />
<element ref="md:Extensions" minOccurs="0" />
<choice>
<choice maxOccurs="unbounded">
<element ref="md:SPSSODescriptor" />
</choice>
</choice>
<element ref="md:Organization" minOccurs="0" />
<element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded" />
<element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded" />
</sequence>
<attribute name="entityID" type="md:entityIDType" use="required" />
<attribute name="validUntil" type="dateTime" use="optional" />
<attribute name="cacheDuration" type="duration" use="optional" />
<attribute name="ID" type="ID" use="optional" />
<anyAttribute namespace="##other" processContents="lax" />
</complexType>
Instance:
<md:EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1f6200e-02e7-4870-9855-90f2685c8cb1" cacheDuration="P0Y0M30DT0H0M0.000S" entityID="https://posteid.poste.it"><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_c1f6200e-02e7-4870-9855-90f2685c8cb1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>iA8AbNQxrVU7FZvci3hpejhOKi7OIAFxCwYtGZ5znpM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSmSGTQvM/V1ts5KSP/xcVNzngQHZ6vZyv+/fgKuDClSP+XYi5w8XGg0eLcBb8x1ZvuP9cV0zVLG
9RP7gTUfrR6SJQo8VM5bmhxPs6+mOlfe/+dSbjIDynW9Ui6zjEtpMV3+9qP9Ko7ewmFMuMB9zh3q
L1Ea+XCKwnfp9M55/xq7jO0bWErlL6VlgFqfAAHHeeL3QyBE+DWQY6XFQUMGxzuLVfb7Pu4quKLB
yitXBiWhdfsluGx3yI6Z01eWJ62+3b4yV74tLdkF+z4ogxtwUo6R/DK66xEFmt15a6MwORZ/Yhxy
pAJPv7wabL0dffxE2IR3S4i67vxR+5r6Nh9OGw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFgzCCA2ugAwIBAgIIJSppAZKg/XQwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCSVQxHjAc...
...
TSb9K/wCuiHiuoSB54rzJoQxz90gS868r/+JGahYwHY5dUh1RbA4g5N8H3TDThc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://posteid.poste.it/jod-fs/sloservicepost" ResponseLocation="https://posteid.poste.it/jod-fs/sloserviceresponsepost" /><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://posteid.poste.it/jod-fs/sloserviceredirect" ResponseLocation="https://posteid.poste.it/jod-fs/sloserviceresponseredirect" /><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://posteid.poste.it/jod-fs/ssoservicepost" /><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://posteid.poste.it/jod-fs/ssoserviceredirect" /><saml2:Attribute Name="familyName" NameFormat="xsi:string" /><saml2:Attribute Name="name" NameFormat="xsi:string" /><saml2:Attribute Name="spidCode" NameFormat="xsi:string" /><saml2:Attribute Name="fiscalNumber" NameFormat="xsi:string" /><saml2:Attribute Name="gender" NameFormat="xsi:string" /><saml2:Attribute Name="dateOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="placeOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="countyOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="idCard" NameFormat="xsi:string" /><saml2:Attribute Name="address" NameFormat="xsi:string" /><saml2:Attribute Name="domicileStreetAddress" NameFormat="xsi:string" /><saml2:Attribute Name="domicilePostalCode" NameFormat="xsi:string" /><saml2:Attribute Name="domicileMunicipality" NameFormat="xsi:string" /><saml2:Attribute Name="domicileProvince" NameFormat="xsi:string" /><saml2:Attribute Name="domicileNation" NameFormat="xsi:string" /><saml2:Attribute Name="digitalAddress" NameFormat="xsi:string" /><saml2:Attribute Name="expirationDate" 
NameFormat="xsi:string" /><saml2:Attribute Name="email" NameFormat="xsi:string" /><saml2:Attribute Name="mobilePhone" NameFormat="xsi:string" /></md:IDPSSODescriptor><md:Organization><md:OrganizationName xml:lang="it">Poste Italiane SpA</md:OrganizationName><md:OrganizationDisplayName xml:lang="it">Poste Italiane SpA</md:OrganizationDisplayName><md:OrganizationURL xml:lang="it">https://www.poste.it</md:OrganizationURL></md:Organization></md:EntityDescriptor>
Path: /md:EntityDescriptor
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd: [Errno 2] No such file or directory: 'saml-schema-metadata-sp-spid-av29.xsd'
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: SPSSODescriptor element not found
ERROR:spid_sp_test.metadata:SPSSODescriptor element not found
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Only one default AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:Only one default AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Must be present the default AssertionConsumerService with index = 0
ERROR:spid_sp_test.metadata:Must be present the default AssertionConsumerService with index = 0
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be present
ERROR:spid_sp_test.metadata:The //ContactPerson/EmailAddress element MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
ERROR:spid_sp_test.metadata:ContactPerson MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present
ERROR:spid_sp_test.metadata:Only one ContactPerson element of contactType "other" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one VATNumber element must be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: Missing ContactPerson/Extensions/Public, this element MUST be present
ERROR:spid_sp_test.metadata:Missing ContactPerson/Extensions/Public, this element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Private element MUST not be present
Spid QA: executed 40 tests, 14 failed. 0 warnings.
Thanks for the reply. I downloaded and was using the latest version of "italia/spid-saml-check", and I get the same error on validation 34 of the request.
The metadata checks pass, at least on the validator.
You did a manual validation, using the library used inside this validator, right?
Replying to myself - I ran the command
spid_sp_test --metadata-url https://xxxx/spidpage/metadata --profile spid-sp-private
and I get:
So I don't see any errors in the metadata
OK, the next step is to validate a request using the --authn-url parameter
Perfect, I did what you suggested.
command:
spid_sp_test --metadata-url file://../data/https___localhost_44369/sp-metadata.xml --authn-url file://../data/https___localhost_44369/authn-request.dump --profile spid-sp-private -rf json
result
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: Only one EntityDescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor: Only one SPSSODescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_NameIDFormat_Transient: The NameIDFormat MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_xmldsig: the metadata signature MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The digest algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing KeyDescriptor MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing x509 MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one encryption x509 MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: One or more SingleLogoutService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST be a valid HTTP URL
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: At least one AssertionConsumerService MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The index attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The index attribute MUST be >= 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Binding attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Binding attribute MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Location attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService: One or more AttributeConsumingService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: Only one Organization element can be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationDisplayName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationDisplayName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationDisplayName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationURL elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationURL element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationURL element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The protocolSupportEnumeration attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The protocolSupportEnumeration attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST be true
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Only one default AssertionConsumerService MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Must be present the default AssertionConsumerService with index = 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The index attribute in AttributeConsumigService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The index attribute in AttributeConsumigService element MUST be >= 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The ServiceName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The ServiceName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: One or more RequestedAttribute elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "spidCode" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "name" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "familyName" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "fiscalNumber" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "gender" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "dateOfBirth" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: AttributeConsumigService MUST not contain duplicated RequestedAttribute
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be a valid email address
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST not contain spaces
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST start with "+39"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ("Missing contactType in {'contactType': 'other'}: The contactType attribute MUST be present",)
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType must be "other"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ("Missing contactType in {'contactType': 'billing'}: The contactType attribute MUST be present",)
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType must be "billing"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "billing" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Extensions_PubPriv: Only one Extensions element inside ContactPerson element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Extensions_PubPriv: Only one Extensions element inside ContactPerson element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: Missing ContactPerson/Extensions/Private, this element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Private element MUST be empty
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Public element MUST not be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one VATNumber element must be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The VATNumber element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The VATNumber element MUST start with a valid ISO3166 Code
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one FiscalCode element must be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The FiscalCode element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_Priv: The IPACode element MUST NOT be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_Priv: The CessionarioCommittente element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.authn_request:T e s t a u t h n _ r e q u e s t w i t h s a m l - s c h e m a - p r o t o c o l - 2 . 0 . x s d
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: One AuthnRequest element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The ID attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The ID attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Version attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Version attribute MUST be 2.0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST be a valid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute SHOULD be the address to which the request has been sent but can also be the EnityID of IdP (Av. SPID n.11)
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IsPassive attribute MUST not be present - TR pag. 9
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: One Issuer element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Issuer element MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Issuer's value MUST be equal to entityID
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The NameQualifier attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The NameQualifier attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST have avalid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST have avalid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RelayState: RelayState MUST not be immediately intelligible
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512]
ERROR:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_xmldsig: AuthnRequest Signature validation failed
ERROR:spid_sp_test.authn_request:AuthnRequest Signature validation failed
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The ForceAuthn attribute MUST be present if SPID level > 1
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The ForceAuthn attribute MUST be true or 1 - TR pag. 8
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST be equal to an AssertionConsumerService index
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST be >= 0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST be >= 0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST be equal to an AttributeConsumingService index
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: One NameIDPolicy element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The AllowCreate attribute MUST not be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Only one RequestedAuthnContext element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The Comparison attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The Comparison attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Attribute not valid
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Only one AuthnContexClassRef element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The AuthnContexClassRef element MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The AuthnContextClassRef element MUST have a valid SPID level
{
"test": {
"sp": {
"metadata_strict": {
"SpidSpMetadataCheck": [
{
"test_id": [
"1.0.0"
],
"test": "SpidSpMetadataCheck.xsd_check",
"value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-2.0.xsd",
"references": [],
"method": "SpidSpMetadataCheck.xsd_check",
"result": "success"
},
{
"test_id": [
"1.3.0"
],
"test": "Only one EntityDescriptor element MUST be present",
"value": "['<EntityDescriptor ID=\"_8EEB1A1D-597F-405F-89C1-EDF69BB8021A\" entityID=\"https://localhost:44369\"><Signature>\\n<SignedInfo>\\n<Canoni']",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_EntityDescriptor",
"result": "success"
},
{
"test_id": [
"1.3.1"
],
"test": "The entityID attribute MUST be present",
"value": "{'ID': '_8EEB1A1D-597F-405F-89C1-EDF69BB8021A', 'entityID': 'https://localhost:44369'}",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_EntityDescriptor",
"result": "success"
},
{
"test_id": [
"1.3.2"
],
"test": "The entityID attribute MUST have a value",
"value": "https://localhost:44369",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_EntityDescriptor",
"result": "success"
},
{
"test_id": [
"1.6.0"
],
"test": "Only one SPSSODescriptor element MUST be present",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor",
"result": "success"
},
{
"test_id": "",
"test": "The NameIDFormat MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"value": "['<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\\n\\n ']",
"references": [
"TR pag. ..."
],
"method": "SpidSpMetadataCheck.test_NameIDFormat_Transient",
"result": "success"
},
{
"test_id": [
"1.9.0"
],
"test": "the metadata signature MUST be valid",
"value": "xmlsec1 --verify --insecure --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor /tmp/tmpwc3on5xj.xml",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_xmldsig",
"result": "success"
},
{
"test_id": [
"1.7.0"
],
"test": "The Signature element MUST be present",
"value": "<Signature>\n<SignedInfo>\n<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n<SignatureMethod Algorith",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.7.1"
],
"test": "The SignatureMethod element MUST be present",
"value": "<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The Algorithm attribute MUST be present in SignatureMethod element",
"value": "<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.7.3"
],
"test": "The signature algorithm MUST be valid",
"value": "One of http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.7.4"
],
"test": "The DigestMethod element MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.7.5"
],
"test": "The Algorithm attribute MUST be present in DigestMethod element",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.7.6"
],
"test": "The digest algorithm MUST be valid",
"value": "One of http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Signature",
"result": "success"
},
{
"test_id": [
"1.4.0"
],
"test": "At least one signing KeyDescriptor MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_KeyDescriptor",
"result": "success"
},
{
"test_id": [
"1.4.1"
],
"test": "At least one signing x509 MUST be present",
"value": "<KeyDescriptor use=\"signing\">\n <KeyInfo>\n <X509Data>\n <X509Certificate>\nMIIGQjCCBCqgAwIBAgIJAJmwYjNvjrCTMA0",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_KeyDescriptor",
"result": "success"
},
{
"test_id": [
"1.4.2"
],
"test": "At least one encryption x509 MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_KeyDescriptor",
"result": "success"
},
{
"test_id": [
"1.8.0"
],
"test": "One or more SingleLogoutService elements MUST be present",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.8.1",
"1.8.4"
],
"test": "The Binding attribute in SingleLogoutService element MUST be present",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.8.2",
"1.8.5"
],
"test": "The Binding attribute in SingleLogoutService element MUST have a value",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.8.3"
],
"test": "The Binding attribute in SingleLogoutService element MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.8.1",
"1.8.4"
],
"test": "The Location attribute in SingleLogoutService element MUST be present",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.8.2",
"1.8.5"
],
"test": "The Location attribute in SingleLogoutService element MUST have a value",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": "",
"test": "The Location attribute in SingleLogoutService element MUST be a valid HTTP URL",
"value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
"references": [
"AV n. 3"
],
"method": "SpidSpMetadataCheck.test_SingleLogoutService",
"result": "success"
},
{
"test_id": [
"1.1.0"
],
"test": "At least one AssertionConsumerService MUST be present",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.1.1",
"1.1.3",
"1.1.5"
],
"test": "The index attribute MUST be present",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.1.2"
],
"test": "The index attribute MUST be >= 0",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.1.1",
"1.1.3",
"1.1.5"
],
"test": "The Binding attribute MUST be present",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.1.4"
],
"test": "The Binding attribute MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.1.1",
"1.1.3",
"1.1.5"
],
"test": "The Location attribute MUST be present",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService",
"result": "success"
},
{
"test_id": [
"1.2.0"
],
"test": "One or more AttributeConsumingService elements MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService",
"result": "success"
},
{
"test_id": [
"1.5.0"
],
"test": "Only one Organization element can be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.1",
"1.5.4"
],
"test": "One or more OrganizationName elements MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.2",
"1.5.5",
"1.5.8"
],
"test": "The lang attribute in OrganizationName element MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.3",
"1.5.7",
"1.5.9"
],
"test": "The OrganizationName element MUST have a value",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.1",
"1.5.4"
],
"test": "One or more OrganizationDisplayName elements MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.2",
"1.5.5",
"1.5.8"
],
"test": "The lang attribute in OrganizationDisplayName element MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.3",
"1.5.7",
"1.5.9"
],
"test": "The OrganizationDisplayName element MUST have a value",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.1",
"1.5.4"
],
"test": "One or more OrganizationURL elements MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.2",
"1.5.5",
"1.5.8"
],
"test": "The lang attribute in OrganizationURL element MUST be present",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.3",
"1.5.7",
"1.5.9"
],
"test": "The OrganizationURL element MUST have a value",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.5.5",
"1.5.8"
],
"test": "The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": "",
"test": "The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled",
"value": "['<Organization>\\n <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n </Organization>\\n\\n ']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_Organization",
"result": "success"
},
{
"test_id": [
"1.0.0"
],
"test": "SpidSpMetadataCheck.xsd_check",
"value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-sp-spid.xsd",
"references": [],
"method": "SpidSpMetadataCheck.xsd_check",
"result": "success"
},
{
"test_id": [
"1.6.1",
"1.6.3"
],
"test": "The protocolSupportEnumeration attribute MUST be present",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
"result": "success"
},
{
"test_id": [
"1.6.2",
"1.6.4"
],
"test": "The protocolSupportEnumeration attribute MUST have a value",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
"result": "success"
},
{
"test_id": [
"1.6.1",
"1.6.3"
],
"test": "The AuthnRequestsSigned attribute MUST be present",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
"result": "success"
},
{
"test_id": [
"1.6.2",
"1.6.4"
],
"test": "The AuthnRequestsSigned attribute MUST have a value",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
"result": "success"
},
{
"test_id": [
"1.6.5"
],
"test": "The AuthnRequestsSigned attribute MUST be true",
"value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
"result": "success"
},
{
"test_id": [
"1.1.7"
],
"test": "Only one default AssertionConsumerService MUST be present",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService_SPID",
"result": "success"
},
{
"test_id": [
"1.1.8"
],
"test": "Must be present the default AssertionConsumerService with index = 0",
"value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AssertionConsumerService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.1"
],
"test": "The index attribute in AttributeConsumigService element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.2"
],
"test": "The index attribute in AttributeConsumigService element MUST be >= 0",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.3"
],
"test": "The ServiceName element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.4"
],
"test": "The ServiceName element MUST have a value",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.5"
],
"test": "One or more RequestedAttribute elements MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"spidCode\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"name\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"familyName\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"fiscalNumber\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"gender\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.6"
],
"test": "The Name attribute in RequestedAttribute element MUST be present",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.2.7"
],
"test": "The \"dateOfBirth\" attribute in RequestedAttribute element MUST be valid",
"value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": "",
"test": "AttributeConsumigService MUST not contain duplicated RequestedAttribute",
"value": "<AttributeConsumingService index=\"0\">\n <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n ",
"references": [
"TR pag. 20"
],
"method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
"result": "success"
},
{
"test_id": [
"1.10.4"
],
"test": "The //ContactPerson/EmailAddress element MUST be present",
"value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n ']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_email",
"result": "success"
},
{
"test_id": [
"1.10.5"
],
"test": "The //ContactPerson/EmailAddress element MUST have a value",
"value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n ']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_email",
"result": "success"
},
{
"test_id": [
"1.10.6"
],
"test": "The //ContactPerson/EmailAddress element MUST be a valid email address",
"value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n ']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_email",
"result": "success"
},
{
"test_id": "",
"test": "The //ContactPerson/TelephoneNumber element MUST have a value",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_phone",
"result": "success"
},
{
"test_id": [
"1.10.8"
],
"test": "The //ContactPerson/TelephoneNumber element MUST not contain spaces",
"value": "+390362613340",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_phone",
"result": "success"
},
{
"test_id": [
"1.10.9"
],
"test": "The //ContactPerson/TelephoneNumber element MUST start with \"+39\"",
"value": "+390362613340",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_contactperson_phone",
"result": "success"
},
{
"test_id": "",
"test": "ContactPerson MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": [
"Missing contactType in {'contactType': 'other'}: The contactType attribute MUST be present"
],
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": "The contactType attribute MUST have a value",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": "The contactType must be \"other\"",
"value": "other",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": [
"1.10.0"
],
"test": "Only one ContactPerson element of contactType \"other\" MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": "ContactPerson MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": [
"Missing contactType in {'contactType': 'billing'}: The contactType attribute MUST be present"
],
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": "The contactType attribute MUST have a value",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": "",
"test": "The contactType must be \"billing\"",
"value": "billing",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": [
"1.10.0"
],
"test": "Only one ContactPerson element of contactType \"billing\" MUST be present",
"value": "",
"references": [
"TR pag. 19"
],
"method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
"result": "success"
},
{
"test_id": [
"1.10.1"
],
"test": "Only one Extensions element inside ContactPerson element MUST be present",
"value": "<ContactPerson contactType=\"other\">\n <Extensions>\n <VATNumber>IT10537880964</VATNumber>\n <FiscalCode>01181770155</FiscalCode>\n <Private/>\n </Extensions>\n <Company>Banco Desio e della Brianza S.p.A.</Company>\n <EmailAddress>spid.tech@bancodesio.it</EmailAddress>\n <TelephoneNumber>+390362613340</TelephoneNumber>\n </ContactPerson>\n ",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Extensions_PubPriv",
"result": "success"
},
{
"test_id": [
"1.10.1"
],
"test": "Only one Extensions element inside ContactPerson element MUST be present",
"value": "<ContactPerson contactType=\"billing\">\n <Extensions>\n <CessionarioCommittente>\n <DatiAnagrafici>\n <IdFiscaleIVA>\n <IdPaese>IT</IdPaese>\n <IdCodice>+390123456789</IdCodice>\n </IdFiscaleIVA>\n <Anagrafica>\n <Denominazione>\n Banco Desio e della Brianza S.p.A.\n </Denominazione>\n </Anagrafica>\n </DatiAnagrafici>\n <Sede>\n <Indirizzo>via E. Rovagnati</Indirizzo>\n <NumeroCivico>1</NumeroCivico>\n <CAP>20832</CAP>\n <Comune>Desio</Comune>\n <Provincia>MB</Provincia>\n <Nazione>IT</Nazione>\n </Sede>\n </CessionarioCommittente>\n </Extensions>\n <Company>Banco Desio e della Brianza S.p.A.</Company>\n <EmailAddress>spid.amm@bancodesio.it</EmailAddress>\n <TelephoneNumber>+390362613656</TelephoneNumber>\n </ContactPerson>\n",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Extensions_PubPriv",
"result": "success"
},
{
"test_id": [
"1.11.7",
"1.12.5"
],
"test": "Missing ContactPerson/Extensions/Private, this element MUST be present",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_extensions_public_private",
"result": "success"
},
{
"test_id": [
"1.11.8",
"1.12.6"
],
"test": "The Private element MUST be empty",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_extensions_public_private",
"result": "success"
},
{
"test_id": [
"1.11.9",
"1.12.7"
],
"test": "The Public element MUST not be present",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_extensions_public_private",
"result": "success"
},
{
"test_id": "",
"test": "only one VATNumber element must be present",
"value": "['<VATNumber>IT10537880964</VATNumber>\\n ']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Contacts_VATFC",
"result": "success"
},
{
"test_id": [
"1.11.4"
],
"test": "The VATNumber element MUST have a value",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Contacts_VATFC",
"result": "success"
},
{
"test_id": "",
"test": "The VATNumber element MUST start with a valid ISO3166 Code",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Contacts_VATFC",
"result": "success"
},
{
"test_id": "",
"test": "only one FiscalCode element must be present",
"value": "['<FiscalCode>01181770155</FiscalCode>\\n ']",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Contacts_VATFC",
"result": "success"
},
{
"test_id": [
"1.11.6"
],
"test": "The FiscalCode element MUST have a value",
"value": "",
"references": [
""
],
"method": "SpidSpMetadataCheck.test_Contacts_VATFC",
"result": "success"
},
{
"test_id": [
"1.12.0"
],
"test": "The IPACode element MUST NOT be present",
"value": "[]",
"references": [],
"method": "SpidSpMetadataCheck.test_Contacts_Priv",
"result": "success"
},
{
"test_id": [
"1.14.4"
],
"test": "The CessionarioCommittente element MUST be present",
"value": "[<Element CessionarioCommittente at 0x7f4d5ac67788>]",
"references": [],
"method": "SpidSpMetadataCheck.test_Contacts_Priv",
"result": "success"
},
{
"test_id": [
"1.0.0"
],
"test": "SpidSpMetadataCheck.xsd_check",
"value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-2.0.xsd",
"references": [],
"method": "SpidSpMetadataCheck.xsd_check",
"result": "success"
}
]
},
"authnrequest_strict": {
"SpidSpAuthnReqCheck": [
{
"test_id": "",
"test": "One AuthnRequest element MUST be present",
"value": "",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The ID attribute MUST be present",
"value": "ID",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The ID attribute MUST have a value",
"value": "_668b41c5-ccbc-4d77-ba98-84462272ed42",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The Version attribute MUST be present",
"value": "Version",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The Version attribute MUST be 2.0",
"value": "2.0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The IssueInstant attribute MUST be present",
"value": "IssueInstant",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The IssueInstant attribute MUST have a value",
"value": "2021-10-01T09:50:13.663Z",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The IssueInstant attribute MUST be a valid UTC string",
"value": "2021-10-01T09:50:13.663Z",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The Destination attribute MUST be present",
"value": "Destination",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The Destination attribute MUST have a value",
"value": "https://localhost:8080/samlsso",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The Destination attribute SHOULD be the address to which the request has been sent but can also be the EnityID of IdP (Av. SPID n.11)",
"value": "https://localhost:8080/samlsso",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "The IsPassive attribute MUST not be present - TR pag. 9 ",
"value": "",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest",
"result": "success"
},
{
"test_id": "",
"test": "One Issuer element MUST be present",
"value": "<Issuer NameQualifier=\"https://localhost:44369\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://localhost:4436",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The Issuer element MUST have a value",
"value": "<Issuer NameQualifier=\"https://localhost:44369\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://localhost:4436",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The Issuer's value MUST be equal to entityID",
"value": "https://localhost:44369",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST be present",
"value": "{'NameQualifier': 'https://localhost:44369', 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'}",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST have a value",
"value": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
"value": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The NameQualifier attribute MUST be present",
"value": "{'NameQualifier': 'https://localhost:44369', 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'}",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The NameQualifier attribute MUST have a value",
"value": "https://localhost:44369",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Issuer",
"result": "success"
},
{
"test_id": "",
"test": "The NotBefore attribute MUST be present",
"value": "<Element Conditions at 0x7f4d5ab1cd48>",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "The NotBefore attribute MUST have a value",
"value": "2021-10-01T09:50:13.663Z",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "The NotBefore attribute MUST have avalid UTC string",
"value": "2021-10-01T09:50:13.663Z",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "The NotOnOrAfter attribute MUST be present",
"value": "2021-10-01T09:50:13.663Z",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "The NotOnOrAfter attribute MUST have a value",
"value": "2021-10-01T10:00:13.663Z",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "The NotOnOrAfter attribute MUST have avalid UTC string",
"value": "2021-10-01T10:00:13.663Z",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_Conditions",
"result": "success"
},
{
"test_id": "",
"test": "RelayState MUST not be immediately intelligible",
"value": "668b41c5-ccbc-4d77-ba98-84462272ed42",
"references": [
"TR pag. 14",
"TR pag. 15"
],
"method": "SpidSpAuthnReqCheck.test_RelayState",
"result": "success"
},
{
"test_id": "",
"test": "The Signature element MUST be present",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The SignatureMethod element MUST be present",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The Algorithm attribute MUST be present in SignatureMethod element",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The signature algorithm MUST be valid",
"value": "One of http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The DigestMethod element MUST be present",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The Algorithm attribute MUST be present in DigestMethod element",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"test": "The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512]",
"value": "",
"references": [
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_Signature",
"result": "success"
},
{
"test_id": "",
"result": "failure",
"test": "AuthnRequest Signature validation failed",
"value": "The AuthnRequest MUST validate against XSD and MUST have a valid signature\nstderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\nfunc=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmps95zj8q1.crt\nError: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmps95zj8q1.crt\nError: failed to load public key from \"/tmp/tmps95zj8q1.crt\".\nError: keys manager creation failed\nUnknown command\n\nstdout: Usage: xmlsec <command> [<options>] [<files>]\n\nxmlsec is a command line tool for signing, verifying, encrypting and\ndecrypting XML documents. The allowed <command> values are:\n --help \tdisplay this help information and exit\n --help-all \tdisplay help information for all commands/options and exit\n --help-<cmd>\tdisplay help information for command <cmd> and exit\n --version \tprint version information and exit\n --keys \tkeys XML file manipulation\n --sign \tsign data and output XML document\n --verify \tverify signed document\n --sign-tmpl \tcreate and sign dynamicaly generated signature template\n --encrypt \tencrypt data and output XML document\n --decrypt \tdecrypt data from XML document\n\n\nReport bugs to http://www.aleksey.com/xmlsec/bugs.html\n\nWritten by Aleksey Sanin <aleksey@aleksey.com>.\n\nCopyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\nThis is free software: see the source for copying information.\n\n",
"references": [],
"method": ""
},
{
"test_id": "",
"test": "The ForceAuthn attribute MUST be present if SPID level > 1",
"value": "['<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>']",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The ForceAuthn attribute MUST be true or 1 - TR pag. 8 ",
"value": "true",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AssertionConsumerServiceIndex attribute MUST be equal to an AssertionConsumerService index",
"value": "['<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid\" index=\"0\" isDefault=\"true\"/>\\n\\n ']",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AssertionConsumerServiceIndex attribute MUST have a value",
"value": "0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AssertionConsumerServiceIndex attribute MUST be >= 0",
"value": "0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AttributeConsumingServiceIndex attribute MUST have a value",
"value": "0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AttributeConsumingServiceIndex attribute MUST be >= 0",
"value": "0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "The AttributeConsumingServiceIndex attribute MUST be equal to an AttributeConsumingService index",
"value": "0",
"references": [
"TR pag. 8"
],
"method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
"result": "success"
},
{
"test_id": "",
"test": "One NameIDPolicy element MUST be present",
"value": "<NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\"/>",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST be present",
"value": "{'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'}",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST have a value",
"value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
"result": "success"
},
{
"test_id": "",
"test": "The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"references": [
"TR pag. 9"
],
"method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
"result": "success"
},
{
"test_id": "",
"test": "The AllowCreate attribute MUST not be present",
"value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"references": [
"AV n.5"
],
"method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
"result": "success"
},
{
"test_id": "",
"test": "Only one RequestedAuthnContext element MUST be present",
"value": "['<RequestedAuthnContext Comparison=\"minimum\"><AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef></RequestedAuthnContext>']",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "The Comparison attribute MUST be present",
"value": "{'Comparison': 'minimum'}",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "The Comparison attribute MUST have a value",
"value": "minimum",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "Attribute not valid",
"value": "The Comparison attribute MUST be one of [exact, minimum, better, maximum]",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "Only one AuthnContexClassRef element MUST be present",
"value": "['<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>']",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "The AuthnContexClassRef element MUST have a value",
"value": "b'<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>'",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
},
{
"test_id": "",
"test": "The AuthnContextClassRef element MUST have a valid SPID level",
"value": "b'<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>'",
"references": [
"TR pag. 9",
"TR pag. 10"
],
"method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
"result": "success"
}
]
}
}
}
}
Spid QA: executed 153 tests, 1 failed. 0 warnings.
In particular:
{
"test_id": "",
"result": "failure",
"test": "AuthnRequest Signature validation failed",
"value": "The AuthnRequest MUST validate against XSD and MUST have a valid signature\nstderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\nfunc=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmps95zj8q1.crt\nError: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmps95zj8q1.crt\nError: failed to load public key from \"/tmp/tmps95zj8q1.crt\".\nError: keys manager creation failed\nUnknown command\n\nstdout: Usage: xmlsec <command> [<options>] [<files>]\n\nxmlsec is a command line tool for signing, verifying, encrypting and\ndecrypting XML documents. The allowed <command> values are:\n --help \tdisplay this help information and exit\n --help-all \tdisplay help information for all commands/options and exit\n --help-<cmd>\tdisplay help information for command <cmd> and exit\n --version \tprint version information and exit\n --keys \tkeys XML file manipulation\n --sign \tsign data and output XML document\n --verify \tverify signed document\n --sign-tmpl \tcreate and sign dynamicaly generated signature template\n --encrypt \tencrypt data and output XML document\n --decrypt \tdecrypt data from XML document\n\n\nReport bugs to http://www.aleksey.com/xmlsec/bugs.html\n\nWritten by Aleksey Sanin <aleksey@aleksey.com>.\n\nCopyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\nThis is free software: see the source for copying information.\n\n",
"references": [],
"method": ""
},
So, are you able to use this SDK with the demo environment?
This one, to be clear? --> https://demo.spid.gov.it/metadata.xml
Yes, personally I have no problems, either with self-signed certificates or with production certificates issued by Agid
Private or public SP?
Public SP and aggregator
But in this case I don't think the profile has anything to do with it; it depends on how spid_sp_test reads and interprets the certificate from the request. The error occurs in that phase
but the fact is that the metadata seems to be ok - the certificate is that one, and so is the one on the request.
I don't know how to proceed to enable the new demo environment.
Could you try running the request validation command and paste the result?
This is the command. spid_sp_test --metadata-url https://localhost:5001/spid/metadata.xml --authn-url https://localhost:5001/home/login?idpname=SpidSpTest -rf json --debug ERROR --extra --profile spid-sp-ag-public-full I am attaching the file with the report output.txt
I'm using the webapp contained in the solution, run locally.
the number of checks depends on the profile, right? I wouldn't want the profile to be somehow causing some problem...
I believe the profile only affects the checks performed on the metadata, but I can't give you any certainty about this.
I see that on yours there are 189 tests - on mine 153
anyway - they have just updated something on the demo side, now the whole thing crashes on me outright.
I am pleased to inform you that with spid-sp-test version 0.9.22 this problem has been resolved.
Perfect, closing
On the new demo validator environment, the request signature verification fails (strict and extra no. 34):
"failure - value: The AuthnRequest MUST validate against XSD and MUST have a valid signature stderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=272:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmpkxyk79rd.crt Error: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmpkxyk79rd.crt Error: failed to load public key from "/tmp/tmpkxyk79rd.crt". Error: keys manager creation failed Unknown command stdout: Usage: xmlsec [] [] xmlsec is a command line tool for signing, verifying, encrypting and decrypting XML documents. The allowed values are: --help display this help information and exit --help-all display help information for all commands/options and exit --help- display help information for command and exit --version print version information and exit --keys keys XML file manipulation --sign sign data and output XML document --verify verify signed document --sign-tmpl create and sign dynamicaly generated signature template --encrypt encrypt data and output XML document --decrypt decrypt data from XML document Report bugs to http://www.aleksey.com/xmlsec/bugs.html Written by Aleksey Sanin aleksey@aleksey.com. Copyright (C) 2002-2016 Aleksey Sanin aleksey@aleksey.com. All Rights Reserved.. This is free software: see the source for copying information."
I tried changing the certificate, but the problem persists.
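An added triage helper, not part of the original thread or of spid-sp-test: OpenSSL reports `no start line` when the file it is given holds no PEM block of the type it is looking for (here a private or public key, per `PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY` in the error), so this example classifies what a key file such as the `/tmp/*.crt` one actually contains. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM armor: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def _is_base64(blob: bytes) -> bool:
    """True if blob, ignoring whitespace, is strictly valid base64."""
    try:
        base64.b64decode(b"".join(blob.split()), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify_key_file(data: bytes) -> str:
    """Describe the content of a file meant for `xmlsec1 --pubkey-pem`."""
    stripped = data.strip()
    if not stripped:
        return "empty"
    match = PEM_BLOCK.search(stripped)
    if match:
        label = match.group(1).decode()
        ok = _is_base64(match.group(2))
        return f"pem:{label}" if ok else f"pem:{label}:corrupt-body"
    if _is_base64(stripped):
        return "bare-base64"  # e.g. ds:X509Certificate text written out unwrapped
    if stripped[:1] == b"\x30":  # ASN.1 SEQUENCE tag: raw DER, not PEM
        return "der"
    return "unknown"


def wrap_x509_text(b64_text: str) -> str:
    """Wrap the text of a ds:X509Certificate element in CERTIFICATE armor."""
    body = "".join(b64_text.split())
    base64.b64decode(body, validate=True)  # reject anything that is not base64
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + "\n"


# Constructed sample: 96 bytes starting with a SEQUENCE tag, not a real certificate.
SAMPLE_DER = b"\x30\x5e" + bytes(range(94))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
```

Any result other than `pem:PUBLIC KEY` (including `pem:CERTIFICATE`) means a public-key PEM loader will not find the block it expects in that file.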