italia / spid-aspnetcore

AspNetCore Remote Authenticator for SPID
https://github.com/danielegiallonardo/spid-aspnetcore
MIT License

AuthnRequest Signature validation failed #19

Closed dassocec closed 3 years ago

dassocec commented 3 years ago

On the new demo validator environment, verification of the request signature fails (strict and extra no. 34):

"failure - value: The AuthnRequest MUST validate against XSD and MUST have a valid signature stderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=272:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmpkxyk79rd.crt Error: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmpkxyk79rd.crt Error: failed to load public key from "/tmp/tmpkxyk79rd.crt". Error: keys manager creation failed Unknown command stdout: Usage: xmlsec [] [] xmlsec is a command line tool for signing, verifying, encrypting and decrypting XML documents. The allowed values are: --help display this help information and exit --help-all display help information for all commands/options and exit --help- display help information for command and exit --version print version information and exit --keys keys XML file manipulation --sign sign data and output XML document --verify verify signed document --sign-tmpl create and sign dynamicaly generated signature template --encrypt encrypt data and output XML document --decrypt decrypt data from XML document Report bugs to http://www.aleksey.com/xmlsec/bugs.html Written by Aleksey Sanin aleksey@aleksey.com. Copyright (C) 2002-2016 Aleksey Sanin aleksey@aleksey.com. All Rights Reserved.. This is free software: see the source for copying information."

I tried changing the certificate, but the problem persists.

danielegiallonardo commented 3 years ago

Could you tell me, using this tool (https://redkestrel.co.uk/products/decoder/), which value is reported for "Sig. Algorithm" inside the certificate?

dassocec commented 3 years ago

The self-signed certificate reports "sha256WithRSAEncryption", and the other certificate, issued by Aruba for the domain, also reports "sha256WithRSAEncryption".

danielegiallonardo commented 3 years ago

Could you paste a sample request that fails validation?

dassocec commented 3 years ago

request.zip

dassocec commented 3 years ago

The error (the message signature turns out to be incorrect) can also be reproduced by validating the request with the following tool: https://www.samltool.com/validate_authn_req.php

peppelinux commented 3 years ago

Hi, I'm trying to trace the origin of this problem. The validation tool used by spid-saml-check is spid-sp-test.

To validate the request correctly, the metadata is also needed. The command to run is the following; it can be run directly inside the spid-saml-check Docker container.

spid_sp_test --metadata-url https://localhost:8000/spid/metadata/ --extra  --authn-url https://localhost:8000/spid/login/?idp=https://localhost:8080 --debug ERROR

For files, a file:// URL can be used.

spid_sp_test --metadata-url c_m093__80002630624.xml  --extra  --authn-url file:///home/utente/Downloads/AuthRequest.txt --debug ERROR --profile spid-sp-ag-public-full

Validation is performed with xmlsec1, that is, with this command:

xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --pubkey-pem /tmp/tmpwy3k37d1.crt /tmp/tmpq_wn5v8f.xml 

where /tmp/tmpwy3k37d1.crt is the certificate extracted from the metadata, example here:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFPFTcDe6UcZj+S6BC8W
p7vWy/PoyKEMEXySAPzUxS0lu2Z4ae9CBSB8YG3Ub+RnkgPhF1cWkM+ZZ7F15cWJ
w1/6FVwmhccPmCOSZuqqcP4n/fmkr98tW7Cqd88hlJD4mi3X1Rc/1bmWb8/Is4wE
1NRCgE9fVyk3YBv0oxoGHM6Lki+TILhnf6Fp85+U6coxlpOjcleslR3KltkKEs4X
6jralHnc0QAvrveOmULXjbMHCbiVievrss4i66xOjKYcD/gC8lpFA2lf+2INvmp4
PP89OdV1xXnJEOS+2P6OtBmud7GlhVapO3/MHxOepKp5zWjz+XIqNmFXYo7DODIs
cQIDAQAB
-----END PUBLIC KEY-----

while /tmp/tmpq_wn5v8f.xml is the request. They are temporary files, so spid-sp-test gives them random names.

Now ... in spid-sp-test we have hardened signature verification by adding the --pubkey-pem parameter; this was missing in the previous implementation of the tests, as you can see here:

https://github.com/italia/spid-saml-check/blob/698f72416baf3f443e4f211e43c2e52f03ae49f9/specs-compliance-tests/script/check-request-xsd-and-signature.sh#L78

In spid-sp-test, validation using the certificate from the metadata was added (otherwise it would have validated a self-referential signature). This is done through the --pubkey-pem argument.

Why --pubkey-pem and not --pubkey-cert-pem? Because here we convert pem to x509: https://github.com/italia/spid-sp-test/blob/7790a429ed78ccef504a19437f614c52feefb9d7/src/spid_sp_test/authn_request.py#L325

This is the spid-sp-test code; it is open, so we can study it, understand how to improve it, and make proposals. I tend not to trust third-party validation services, because I don't have their source code and SAML2 is ... "rich" in options!

I recommend that you validate your request manually with xmlsec1, exactly as in the code, and provide a report here or on the Developers Italia Slack.

To be honest, many SPs validate fine and few of them run into this exception. I don't rule out that a workaround is possible, but we must be certain of what we are doing. I am at your complete disposal to analyze the problem, here or on Slack; this story makes me very curious!

peppelinux commented 3 years ago

Using the latest version on the main branch of spid-sp-test, I added DEBUG messages that are more telling than before; -l selects only the test to run, DEBUG prints the problems in detail.

From the log we get the command to run and the certificate used for validation; this should make life easier for you in the "offline" validation of your authn requests.

If you discover alternative uses of xmlsec1, we will analyze together any impacts and possibilities for improving spid-sp-test.

spid_sp_test --metadata-url file://c_m093__80002630624.xml  --extra  --authn-url file:///home/utente/Downloads/AuthRequest.txt --debug DEBUG -l test_xmldsig

DEBUG:spid_sp_test.authn_request:Running authn request signature validation: 
xmlsec1 --verify --insecure --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest" --pubkey-pem /tmp/tmp73c3dm7w.crt /tmp/tmpf1nwv7xp.xml

DEBUG:spid_sp_test.authn_request:/tmp/tmp73c3dm7w.crt:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4bh8zI2gyF6Vh7TnUxzG
7EfxKnr5IIpjTFZNSg1UF+UhHM12aI+DZDJNzcz6w6kBNuuxwXjB7bzruGXTcYuq
NhacxhJpOsMdlCTOStPrtJnc6OeTD+3U3J2VShUOQ0wOZ/Gj3eo7GtIyhW1oWIUC
5IOnUjPz99UjQy9bC+AdAhcro6gNCD2ftesCQF[ ... ]SSTeLv7Edz8qTwByBQ5NO
gVHpV9ml8xMD8qFSrMtYtarKFGfv4JzVkaRQpPUfYNSSf/mM0P9Ul/Um9MIO0THZ
ldyhl/rfKztSYULZ3e45WXq494T9Z7LcwkJfx+BkYdfG+6KJDuyXzOWBq8BZynZW
ZwIDAQAB
-----END PUBLIC KEY-----

DEBUG:spid_sp_test.authn_request:The AuthnRequest MUST validate against XSD and MUST have a valid signature
stderr: func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=279:obj=sha512:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/tmpf1nwv7xp.xml"

ERROR:spid_sp_test.authn_request:SpidSpAuthnReqCheckExtra.test_xmldsig: AuthnRequest Signature validation failed
ERROR:spid_sp_test.authn_request:AuthnRequest Signature validation failed
Spid QA: executed 2 tests, 1 failed. 0 warnings.

peppelinux commented 3 years ago

@dassocec try updating to this release

https://pypi.org/project/spid-sp-test/0.9.20/

Just attach a bash shell to the spid-saml-check container and run pip install --upgrade spid-sp-test. We await your feedback.

dassocec commented 3 years ago

OK. To run the tests locally I use the Docker image. Anyway, I'll try.

danielegiallonardo commented 3 years ago

You can use https://demo.spid.gov.it/validator. Today the version that incorporates version 0.9.20 of spid-sp-test was published. Let us know whether test 34 on the request now validates successfully.

santesem-links commented 3 years ago

Using the environment you pointed out, various other problems come up (not related to this implementation but to the validator itself).

Anyway, even after updating the image I use locally with the latest version of spid_sp_test, validation of point 34 still fails, but I don't know how much it may be a problem with how the request is created rather than with the validation itself.

For example, if you use the environment https://www.spid-validator.it/metadata.xml (which is an old version), the request is accepted as valid.

danielegiallonardo commented 3 years ago

Can you post the metadata and the request with which you get these errors? Thanks

dassocec commented 3 years ago

I confirm the same behavior as described by link-santesem

santesem-links commented 3 years ago

OK, I'm attaching various information.

Log from the Docker container containing spid-saml-check

env IDP_ENTITYID="https://localhost:8080"  spid_sp_test  --metadata-url file://../data/https___localhost_44369/sp-metadata.xml  --authn-url file://../data/https___localhost_44369/authn-request.dump  -rf json -o ../data/https___localhost_44369/sp-authn-request-strict.json

Spid QA: executed 144 tests, 3 failed. 0 warnings.

{
  test_id: '',
  result: 'failure',
  test: 'AuthnRequest Signature validation failed',
  value: 'The AuthnRequest MUST validate against XSD and MUST have a valid signature\n' +
    'stderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\n' +
    'func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmpf5g2ihhr.crt\n' +
    'Error: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmpf5g2ihhr.crt\n' +
    'Error: failed to load public key from "/tmp/tmpf5g2ihhr.crt".\n' +
    'Error: keys manager creation failed\n' +
    'Unknown command\n' +
    '\n' +
    'stdout: Usage: xmlsec <command> [<options>] [<files>]\n' +
    '\n' +
    'xmlsec is a command line tool for signing, verifying, encrypting and\n' +
    'decrypting XML documents. The allowed <command> values are:\n' +
    '  --help      \tdisplay this help information and exit\n' +
    '  --help-all  \tdisplay help information for all commands/options and exit\n' +
    '  --help-<cmd>\tdisplay help information for command <cmd> and exit\n' +
    '  --version   \tprint version information and exit\n' +
    '  --keys      \tkeys XML file manipulation\n' +
    '  --sign      \tsign data and output XML document\n' +
    '  --verify    \tverify signed document\n' +
    '  --sign-tmpl \tcreate and sign dynamicaly generated signature template\n' +
    '  --encrypt   \tencrypt data and output XML document\n' +
    '  --decrypt   \tdecrypt data from XML document\n' +
    '\n' +
    '\n' +
    'Report bugs to http://www.aleksey.com/xmlsec/bugs.html\n' +
    '\n' +
    'Written by Aleksey Sanin <aleksey@aleksey.com>.\n' +
    '\n' +
    'Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\n' +
    'This is free software: see the source for copying information.\n' +
    '\n',
  references: [],
  method: ''
}

This is the request:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_67ebe9ee-eb58-4d6c-9eaa-43a2ddb5d24f" Version="2.0" IssueInstant="2021-09-30T06:56:23.898Z" Destination="https://localhost:8080/samlsso" ForceAuthn="true" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer NameQualifier="https://localhost:44369" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://localhost:44369
    </saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_67ebe9ee-eb58-4d6c-9eaa-43a2ddb5d24f">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>
                    vRihWk+RTAXPRb8SYjFdO0TjBYox17Yr6EELfiRVJvM=
                </DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
        </SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <saml:Conditions NotBefore="2021-09-30T06:56:23.898Z" NotOnOrAfter="2021-09-30T07:06:23.898Z"/>
    <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>
            https://www.spid.gov.it/SpidL2
        </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

This is the metadata (where I deleted the sensitive data)

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:spid="https://spid.gov.it/saml-extensions" ID="_8EEB1A1D-597F-405F-89C1-EDF69BB8021A" entityID="https://localhost:44369">
    <ds:Signature>

        <ds:SignedInfo>

            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

            <ds:Reference URI="#_8EEB1A1D-597F-405F-89C1-EDF69BB8021A">

                <ds:Transforms>

                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                </ds:Transforms>

                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

                <ds:DigestValue>
                    Xhrd1DBaXDPx+VX1QAMay8EuVIoZLtonQ2SL3qUu+Z8=
                </ds:DigestValue>

            </ds:Reference>

        </ds:SignedInfo>

        <ds:SignatureValue>


        </ds:SignatureValue>

        <ds:KeyInfo>

            <ds:KeyValue>

                <ds:RSAKeyValue>

                    <ds:Modulus>


                    </ds:Modulus>

                    <ds:Exponent>
                        AQAB
                    </ds:Exponent>

                </ds:RSAKeyValue>

            </ds:KeyValue>

            <ds:X509Data>

                <ds:X509Certificate>
                </ds:X509Certificate>

            </ds:X509Data>

        </ds:KeyInfo>

    </ds:Signature>

    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <md:KeyDescriptor use="signing">

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate>


                    </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </md:KeyDescriptor>

        <md:KeyDescriptor use="encryption">

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate>

                    </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </md:KeyDescriptor>

        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signout-spid"/>

        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </md:NameIDFormat>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signin-spid" index="0" isDefault="true"/>

        <md:AttributeConsumingService index="0">

            <md:ServiceName xml:lang="it">
                Set Attributi 1 - ID Cittadini minimo
            </md:ServiceName>

            <md:ServiceDescription xml:lang="it">
                Set Attributi 1 - ID Cittadini minimo
            </md:ServiceDescription>

            <md:RequestedAttribute Name="spidCode"/>

            <md:RequestedAttribute Name="name"/>

            <md:RequestedAttribute Name="familyName"/>

            <md:RequestedAttribute Name="fiscalNumber"/>

            <md:RequestedAttribute Name="gender"/>

            <md:RequestedAttribute Name="dateOfBirth"/>

        </md:AttributeConsumingService>

    </md:SPSSODescriptor>

    <md:Organization>

        <md:OrganizationName xml:lang="it">
            Banca S.p.A.
        </md:OrganizationName>

        <md:OrganizationDisplayName xml:lang="it">
            BDB
        </md:OrganizationDisplayName>

        <md:OrganizationURL xml:lang="it">
            https://www.bancosa.it
        </md:OrganizationURL>

    </md:Organization>

    <md:ContactPerson contactType="other">

        <md:Extensions>

            <spid:VATNumber>
                IT01234567890
            </spid:VATNumber>

            <spid:FiscalCode>
                01234567890
            </spid:FiscalCode>

            <spid:Private/>

        </md:Extensions>

        <md:Company>
            Banca S.p.A.
        </md:Company>

        <md:EmailAddress>
            spid.tech@bancasa.it
        </md:EmailAddress>

        <md:TelephoneNumber>
            +3901234567890
        </md:TelephoneNumber>

    </md:ContactPerson>

    <md:ContactPerson contactType="billing">

        <md:Extensions xmlns:fpa="https://spid.gov.it/invoicing-extensions">

            <fpa:CessionarioCommittente>

                <fpa:DatiAnagrafici>

                    <fpa:IdFiscaleIVA>

                        <fpa:IdPaese>
                            IT
                        </fpa:IdPaese>

                        <fpa:IdCodice>
                            +3901234567890
                        </fpa:IdCodice>

                    </fpa:IdFiscaleIVA>

                    <fpa:Anagrafica>

                        <fpa:Denominazione>

              Banca S.p.A.

                        </fpa:Denominazione>

                    </fpa:Anagrafica>

                </fpa:DatiAnagrafici>

                <fpa:Sede>

                    <fpa:Indirizzo>
                        via dei pini
                    </fpa:Indirizzo>

                    <fpa:NumeroCivico>
                        1
                    </fpa:NumeroCivico>

                    <fpa:CAP>
                        00000
                    </fpa:CAP>

                    <fpa:Comune>
                        Milano
                    </fpa:Comune>

                    <fpa:Provincia>
                        MI
                    </fpa:Provincia>

                    <fpa:Nazione>
                        IT
                    </fpa:Nazione>

                </fpa:Sede>

            </fpa:CessionarioCommittente>

        </md:Extensions>

        <md:Company>
            Banca S.p.A.
        </md:Company>

        <md:EmailAddress>
            spid.amm@bancasa.it
        </md:EmailAddress>

        <md:TelephoneNumber>
            +3901234567890
        </md:TelephoneNumber>

    </md:ContactPerson>

</md:EntityDescriptor>

danielegiallonardo commented 3 years ago

Inside the metadata, the certificates reported in the "signing" and "encryption" sections are corrupted; I cannot decode them with any of the online tools, and in any case they are different from the certificate used to sign the metadata itself (is there a reason for this?), which instead is correct. Check the metadata and try running the tests again.
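
The check described in the comment above, done offline instead of with online decoders (an added example, not code from spid-sp-test or spid-aspnetcore): it classifies the DER inside each KeyDescriptor's X509Certificate by structure only, and tests whether the certificate embedded in a request is one of the metadata signing certificates. The function names and the sample documents are constructed for illustration, and the structural check does not validate a certificate.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        start, length = off + 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, start, start + length


def classify_der(der):
    """Structural guess at what a DER blob is; no cryptographic validation."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "not-der"
        first, f_start, f_end = read_tlv(der, start)
        if first == 0x02 and f_end < end:  # INTEGER version first: private key formats
            nxt = read_tlv(der, f_end)[0]
            # PKCS#1 (INTEGER), PKCS#8 (SEQUENCE), SEC1 EC (OCTET STRING)
            return "private-key" if nxt in (0x02, 0x30, 0x04) else "unknown"
        if first == 0x30 and f_start < f_end:
            inner = read_tlv(der, f_start)[0]
            if inner in (0xA0, 0x02):      # tbsCertificate: [0] version or serial number
                return "certificate"
            if inner == 0x06:              # AlgorithmIdentifier OID: SubjectPublicKeyInfo
                return "public-key"
        return "unknown"
    except (ValueError, IndexError):
        return "not-der"


def _b64_text(node):
    return "".join((node.text or "").split())  # drop pretty-printing whitespace


def audit_key_descriptors(metadata_xml):
    """Return [(use, kind)] for every X509Certificate under a KeyDescriptor."""
    findings = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            try:
                kind = classify_der(base64.b64decode(_b64_text(node), validate=True))
            except binascii.Error:
                kind = "not-base64"
            findings.append((kd.get("use"), kind))
    return findings


def request_cert_in_metadata(request_xml, metadata_xml):
    """True if every certificate embedded in the request is a metadata signing cert."""
    req = {_b64_text(n)
           for n in ET.fromstring(request_xml).iterfind(".//ds:X509Certificate", NS)}
    known = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        known.update(_b64_text(n) for n in kd.iterfind(".//ds:X509Certificate", NS))
    return bool(req) and req <= known


# --- constructed sample data: structural skeletons, not real keys or certificates ---
def _der(tag, content=b""):
    return bytes([tag, len(content)]) + content


CERT_SHAPED = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01"))
                   + _der(0x30) + _der(0x03, b"\x00"))
KEY_SHAPED = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc1")
                  + _der(0x02, b"\x01\x00\x01"))


def _metadata(signing_der, encryption_der):
    kd = ('<md:KeyDescriptor use="{}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n{}\n'
          '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(kd.format(use, base64.b64encode(der).decode())
                   for use, der in (("signing", signing_der), ("encryption", encryption_der)))
    return ('<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}" '
            'entityID="https://sp.example.invalid"><md:SPSSODescriptor>{body}'
            '</md:SPSSODescriptor></md:EntityDescriptor>').format(body=body, **NS)


BAD_METADATA = _metadata(KEY_SHAPED, CERT_SHAPED)   # key material where a cert belongs
GOOD_METADATA = _metadata(CERT_SHAPED, CERT_SHAPED)
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
                  '<Signature xmlns="{ds}"><KeyInfo><X509Data><X509Certificate>{c}'
                  '</X509Certificate></X509Data></KeyInfo></Signature></samlp:AuthnRequest>'
                  ).format(c=base64.b64encode(CERT_SHAPED).decode(), **NS)

if __name__ == "__main__":
    for name, md in (("bad", BAD_METADATA), ("good", GOOD_METADATA)):
        print(name, audit_key_descriptors(md), request_cert_in_metadata(SAMPLE_REQUEST, md))
```

Any result other than "certificate" for a KeyDescriptor means the verifier has no usable key to extract from the metadata, which is the situation the "no start line" error from xmlsec reports.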

santesem-links commented 3 years ago

It is surely due to an unintentional merge between the various attempts.

I get the same error even after fixing the certificate issue.

Metadata - I removed the organization and contact part (the information is in the certificate anyway)

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:spid="https://spid.gov.it/saml-extensions" ID="_8EEB1A1D-597F-405F-89C1-EDF69BB8021A" entityID="https://localhost:44369">
    <ds:Signature>

        <ds:SignedInfo>

            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

            <ds:Reference URI="#_8EEB1A1D-597F-405F-89C1-EDF69BB8021A">

                <ds:Transforms>

                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

                </ds:Transforms>

                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

                <ds:DigestValue>
                    VYr0Ja7BPRp5sO6gIbHSZYC1Ss7HZ6Q+Eh4FwxPEL44=
                </ds:DigestValue>

            </ds:Reference>

        </ds:SignedInfo>

        <ds:SignatureValue>

        </ds:SignatureValue>

        <ds:KeyInfo>

            <ds:KeyValue>

                <ds:RSAKeyValue>

                    <ds:Modulus>

                    </ds:Modulus>

                    <ds:Exponent>
                        AQAB
                    </ds:Exponent>

                </ds:RSAKeyValue>

            </ds:KeyValue>

            <ds:X509Data>

                <ds:X509Certificate>
                </ds:X509Certificate>

            </ds:X509Data>

        </ds:KeyInfo>

    </ds:Signature>

    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <md:KeyDescriptor use="signing">

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate>
                    </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </md:KeyDescriptor>

        <md:KeyDescriptor use="encryption">

            <ds:KeyInfo>

                <ds:X509Data>

                    <ds:X509Certificate>
                    </ds:X509Certificate>

                </ds:X509Data>

            </ds:KeyInfo>

        </md:KeyDescriptor>

        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signout-spid"/>

        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </md:NameIDFormat>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:44369/signin-spid" index="0" isDefault="true"/>

        <md:AttributeConsumingService index="0">

            <md:ServiceName xml:lang="it">
                Set Attributi 1 - ID Cittadini minimo
            </md:ServiceName>

            <md:ServiceDescription xml:lang="it">
                Set Attributi 1 - ID Cittadini minimo
            </md:ServiceDescription>

            <md:RequestedAttribute Name="spidCode"/>

            <md:RequestedAttribute Name="name"/>

            <md:RequestedAttribute Name="familyName"/>

            <md:RequestedAttribute Name="fiscalNumber"/>

            <md:RequestedAttribute Name="gender"/>

            <md:RequestedAttribute Name="dateOfBirth"/>

        </md:AttributeConsumingService>

    </md:SPSSODescriptor>

</md:EntityDescriptor>

Request

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e27bf1c3-6289-44d9-9bc5-ea3190e6cfed" Version="2.0" IssueInstant="2021-09-30T08:10:04.036Z" Destination="https://localhost:8080/samlsso" ForceAuthn="true" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer NameQualifier="https://localhost:44369" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://localhost:44369
    </saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_e27bf1c3-6289-44d9-9bc5-ea3190e6cfed">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>
                    +1VQTTSBHwlxHgSchhWGDdQhd+e/yLkYXX676CiY4OQ=
                </DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
        </SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <saml:Conditions NotBefore="2021-09-30T08:10:04.036Z" NotOnOrAfter="2021-09-30T08:20:04.036Z"/>
    <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>
            https://www.spid.gov.it/SpidL2
        </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Still the same error on point 34 of the validation.

danielegiallonardo commented 3 years ago

I can't validate incomplete metadata. In any case, is the complete metadata validated by spid_sp_test or by https://demo.spid.gov.it/validator#/metadata-sp-download ?

santesem-links commented 3 years ago

Yes, the metadata has no problems - at least the tool validates it correctly.

In the request, point 34 gives an error. Here is the metadata: metadata.zip.

danielegiallonardo commented 3 years ago

In this case too, I think the only one who can support us is @peppelinux, since the anomaly concerns the integration with spid_sp_test.

peppelinux commented 3 years ago

Dear all, just run spid-sp-test on the offending metadata. If the profile changes, just specify it with --profile.

If you don't have the latest updated version of spid-saml-check, update it. With -rf json you get the report as in spid-saml-check, enjoy.

spid_sp_test --metadata-url file:///home/wert/Scaricati/metadata\ \(1\).xml 

INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: Only one EntityDescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST have a value
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor: Only one SPSSODescriptor element MUST be present
ERROR:spid_sp_test.metadata:Only one SPSSODescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_xmldsig: the metadata signature MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The digest algorithm MUST be valid
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing KeyDescriptor MUST be present
ERROR:spid_sp_test.metadata:At least one signing KeyDescriptor MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: One or more SingleLogoutService elements MUST be present
ERROR:spid_sp_test.metadata:One or more SingleLogoutService elements MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: At least one AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:At least one AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService: One or more AttributeConsumingService elements MUST be present
ERROR:spid_sp_test.metadata:One or more AttributeConsumingService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: Only one Organization element can be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationDisplayName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationDisplayName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationDisplayName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationURL elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationURL element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationURL element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd: failed validating <Element '{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor' at 0x7f90638a7e00> with XsdGroup(model='sequence', occurs=[1, 1]):

Reason: Unexpected child with tag 'md:IDPSSODescriptor' at position 2. Tag 'md:SPSSODescriptor' expected.

Schema:

  <complexType xmlns="http://www.w3.org/2001/XMLSchema" name="EntityDescriptorType">
      <sequence>
          <element ref="ds:Signature" minOccurs="0" />
          <element ref="md:Extensions" minOccurs="0" />
          <choice>
              <choice maxOccurs="unbounded">
                  <element ref="md:SPSSODescriptor" />
              </choice>
          </choice>
          <element ref="md:Organization" minOccurs="0" />
          <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded" />
          <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded" />
      </sequence>
      <attribute name="entityID" type="md:entityIDType" use="required" />
      <attribute name="validUntil" type="dateTime" use="optional" />
      <attribute name="cacheDuration" type="duration" use="optional" />
      <attribute name="ID" type="ID" use="optional" />
      <anyAttribute namespace="##other" processContents="lax" />
  </complexType>

Instance:

  <md:EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1f6200e-02e7-4870-9855-90f2685c8cb1" cacheDuration="P0Y0M30DT0H0M0.000S" entityID="https://posteid.poste.it"><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_c1f6200e-02e7-4870-9855-90f2685c8cb1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>iA8AbNQxrVU7FZvci3hpejhOKi7OIAFxCwYtGZ5znpM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSmSGTQvM/V1ts5KSP/xcVNzngQHZ6vZyv+/fgKuDClSP+XYi5w8XGg0eLcBb8x1ZvuP9cV0zVLG
  9RP7gTUfrR6SJQo8VM5bmhxPs6+mOlfe/+dSbjIDynW9Ui6zjEtpMV3+9qP9Ko7ewmFMuMB9zh3q
  L1Ea+XCKwnfp9M55/xq7jO0bWErlL6VlgFqfAAHHeeL3QyBE+DWQY6XFQUMGxzuLVfb7Pu4quKLB
  yitXBiWhdfsluGx3yI6Z01eWJ62+3b4yV74tLdkF+z4ogxtwUo6R/DK66xEFmt15a6MwORZ/Yhxy
  pAJPv7wabL0dffxE2IR3S4i67vxR+5r6Nh9OGw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFgzCCA2ugAwIBAgIIJSppAZKg/XQwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCSVQxHjAc
  ...
  ...
  TSb9K/wCuiHiuoSB54rzJoQxz90gS868r/+JGahYwHY5dUh1RbA4g5N8H3TDThc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://posteid.poste.it/jod-fs/sloservicepost" ResponseLocation="https://posteid.poste.it/jod-fs/sloserviceresponsepost" /><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://posteid.poste.it/jod-fs/sloserviceredirect" ResponseLocation="https://posteid.poste.it/jod-fs/sloserviceresponseredirect" /><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://posteid.poste.it/jod-fs/ssoservicepost" /><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://posteid.poste.it/jod-fs/ssoserviceredirect" /><saml2:Attribute Name="familyName" NameFormat="xsi:string" /><saml2:Attribute Name="name" NameFormat="xsi:string" /><saml2:Attribute Name="spidCode" NameFormat="xsi:string" /><saml2:Attribute Name="fiscalNumber" NameFormat="xsi:string" /><saml2:Attribute Name="gender" NameFormat="xsi:string" /><saml2:Attribute Name="dateOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="placeOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="countyOfBirth" NameFormat="xsi:string" /><saml2:Attribute Name="idCard" NameFormat="xsi:string" /><saml2:Attribute Name="address" NameFormat="xsi:string" /><saml2:Attribute Name="domicileStreetAddress" NameFormat="xsi:string" /><saml2:Attribute Name="domicilePostalCode" NameFormat="xsi:string" /><saml2:Attribute Name="domicileMunicipality" NameFormat="xsi:string" /><saml2:Attribute Name="domicileProvince" NameFormat="xsi:string" /><saml2:Attribute Name="domicileNation" NameFormat="xsi:string" /><saml2:Attribute Name="digitalAddress" NameFormat="xsi:string" /><saml2:Attribute Name="expirationDate" 
NameFormat="xsi:string" /><saml2:Attribute Name="email" NameFormat="xsi:string" /><saml2:Attribute Name="mobilePhone" NameFormat="xsi:string" /></md:IDPSSODescriptor><md:Organization><md:OrganizationName xml:lang="it">Poste Italiane SpA</md:OrganizationName><md:OrganizationDisplayName xml:lang="it">Poste Italiane SpA</md:OrganizationDisplayName><md:OrganizationURL xml:lang="it">https://www.poste.it</md:OrganizationURL></md:Organization></md:EntityDescriptor>

Path: /md:EntityDescriptor

ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd: [Errno 2] No such file or directory: 'saml-schema-metadata-sp-spid-av29.xsd'
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:Test file:///home/wert/Scaricati/metadata (1).xml with saml-schema-metadata-sp-spid.xsd
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: SPSSODescriptor element not found
ERROR:spid_sp_test.metadata:SPSSODescriptor element not found
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Only one default AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:Only one default AssertionConsumerService MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Must be present the default AssertionConsumerService with index = 0
ERROR:spid_sp_test.metadata:Must be present the default AssertionConsumerService with index = 0
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be present
ERROR:spid_sp_test.metadata:The //ContactPerson/EmailAddress element MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
ERROR:spid_sp_test.metadata:ContactPerson MUST be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present
ERROR:spid_sp_test.metadata:Only one ContactPerson element of contactType "other" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one VATNumber element must be present
ERROR:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: Missing ContactPerson/Extensions/Public, this element MUST be present
ERROR:spid_sp_test.metadata:Missing ContactPerson/Extensions/Public, this element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Private element MUST not be present
Spid QA: executed 40 tests, 14 failed. 0 warnings.
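
A pre-flight check for the two failures visible in this thread, as an added example that is not part of the thread or of spid_sp_test: it confirms that the metadata file is SP metadata (the run above was given a file containing md:IDPSSODescriptor) and that the certificate embedded in an HTTP-POST AuthnRequest is one of the metadata's signing certificates. It does not verify the signature itself; the function names and the sample documents are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_text):
    """SHA-256 over the decoded certificate; base64 line wrapping is ignored."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def metadata_roles(md_root):
    """Local names of the role descriptors directly under EntityDescriptor."""
    return [c.tag.rsplit("}", 1)[-1] for c in md_root if c.tag.endswith("SSODescriptor")]


def signing_fingerprints(md_root):
    """Fingerprints of SP certificates that may sign (use="signing" or no use)."""
    found = set()
    for kd in md_root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall(".//ds:X509Certificate", NS):
                found.add(cert_fingerprint(cert.text or ""))
    return found


def preflight(metadata_xml, authn_request_xml):
    """Return a list of problems; an empty list means the inputs are consistent."""
    # Inputs are expected to be your own SP's files; parse untrusted XML with a
    # hardened parser (for example defusedxml) instead.
    problems = []
    md_root = ET.fromstring(metadata_xml)
    roles = metadata_roles(md_root)
    if "SPSSODescriptor" not in roles:
        problems.append("metadata has no SPSSODescriptor (roles found: %s)" % roles)
        return problems
    trusted = signing_fingerprints(md_root)
    if not trusted:
        problems.append("metadata has no signing KeyDescriptor certificate")

    req = ET.fromstring(authn_request_xml)
    sig = req.find("ds:Signature", NS)
    if sig is None:
        problems.append("AuthnRequest has no enveloped ds:Signature")
        return problems
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + req.get("ID", ""):
        problems.append("Signature Reference URI does not match the AuthnRequest ID")
    certs = sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("Signature has no KeyInfo/X509Data/X509Certificate")
    elif cert_fingerprint(certs[0].text or "") not in trusted:
        problems.append("certificate in the AuthnRequest is not a signing certificate in the metadata")
    return problems


# Constructed sample data: the "certificates" are placeholder bytes, not real X.509.
SP_CERT = base64.b64encode(b"constructed SP signing certificate").decode()
OTHER_CERT = base64.b64encode(b"constructed unrelated certificate").decode()


def sample_metadata(role, cert):
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example">'
        '<md:%s><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        '</md:KeyDescriptor></md:%s></md:EntityDescriptor>'
    ) % (NS["md"], NS["ds"], role, cert, role)


def sample_request(cert, ref_uri="#_req1"):
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1">'
        '<Signature xmlns="%s"><SignedInfo><Reference URI="%s"/></SignedInfo>'
        '<KeyInfo><X509Data><X509Certificate>\n  %s\n</X509Certificate></X509Data></KeyInfo>'
        '</Signature></samlp:AuthnRequest>'
    ) % (NS["ds"], ref_uri, cert)


if __name__ == "__main__":
    cases = (("SPSSODescriptor", SP_CERT), ("IDPSSODescriptor", SP_CERT), ("SPSSODescriptor", OTHER_CERT))
    for role, request_cert in cases:
        print(role, preflight(sample_metadata(role, SP_CERT), sample_request(request_cert)) or "OK")
```

A clean result here only rules out the wrong-file and wrong-certificate cases; the signature check itself remains the job of spid_sp_test.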

santesem-links commented 3 years ago

Thanks for the reply. I downloaded and was using the latest version of "italia/spid-saml-check" and I get the same error on validation 34 of the request.

The metadata checks pass, at least on the validator.

You did a manual validation, using the library used inside this validator, right?

santesem-links commented 3 years ago

Replying to myself - I ran the command spid_sp_test --metadata-url https://xxxx/spidpage/metadata --profile spid-sp-private and I get: image

So I don't see any errors in the metadata.

danielegiallonardo commented 3 years ago

OK, the next step is to validate a request using the --authn-url parameter.

santesem-links commented 3 years ago

Perfect, I did what you suggested. Command: spid_sp_test --metadata-url file://../data/https___localhost_44369/sp-metadata.xml --authn-url file://../data/https___localhost_44369/authn-request.dump --profile spid-sp-private -rf json

Result:

INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: Only one EntityDescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor: The entityID attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor: Only one SPSSODescriptor element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_NameIDFormat_Transient: The NameIDFormat MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_xmldsig: the metadata signature MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature: The digest algorithm MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing KeyDescriptor MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one signing x509 MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor: At least one encryption x509 MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: One or more SingleLogoutService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Binding attribute in SingleLogoutService element MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService: The Location attribute in SingleLogoutService element MUST be a valid HTTP URL
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: At least one AssertionConsumerService MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The index attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The index attribute MUST be >= 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Binding attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Binding attribute MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService: The Location attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService: One or more AttributeConsumingService elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: Only one Organization element can be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationDisplayName elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationDisplayName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationDisplayName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: One or more OrganizationURL elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The lang attribute in OrganizationURL element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The OrganizationURL element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization: The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The protocolSupportEnumeration attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The protocolSupportEnumeration attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID: The AuthnRequestsSigned attribute MUST be true
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Only one default AssertionConsumerService MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService_SPID: Must be present the default AssertionConsumerService with index = 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The index attribute in AttributeConsumigService element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The index attribute in AttributeConsumigService element MUST be >= 0
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The ServiceName element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The ServiceName element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: One or more RequestedAttribute elements MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "spidCode" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "name" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "familyName" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "fiscalNumber" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "gender" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The Name attribute in RequestedAttribute element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: The "dateOfBirth" attribute in RequestedAttribute element MUST be valid
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID: AttributeConsumigService MUST not contain duplicated RequestedAttribute
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_email: The //ContactPerson/EmailAddress element MUST be a valid email address
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST not contain spaces
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_contactperson_phone: The //ContactPerson/TelephoneNumber element MUST start with "+39"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ("Missing contactType in {'contactType': 'other'}: The contactType attribute MUST be present",)
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType must be "other"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "other" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ContactPerson MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: ("Missing contactType in {'contactType': 'billing'}: The contactType attribute MUST be present",)
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType attribute MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: The contactType must be "billing"
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_PubPriv: Only one ContactPerson element of contactType "billing" MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Extensions_PubPriv: Only one Extensions element inside ContactPerson element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Extensions_PubPriv: Only one Extensions element inside ContactPerson element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: Missing ContactPerson/Extensions/Private, this element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Private element MUST be empty
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_extensions_public_private: The Public element MUST not be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one VATNumber element must be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The VATNumber element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The VATNumber element MUST start with a valid ISO3166 Code
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: only one FiscalCode element must be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_VATFC: The FiscalCode element MUST have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_Priv: The IPACode element MUST NOT be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Contacts_Priv: The CessionarioCommittente element MUST be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check: SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.authn_request:T e s t   a u t h n _ r e q u e s t   w i t h   s a m l - s c h e m a - p r o t o c o l - 2 . 0 . x s d
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: One AuthnRequest element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The ID attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The ID attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Version attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Version attribute MUST be 2.0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IssueInstant attribute MUST be a valid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The Destination attribute SHOULD be the address to which the request has been sent but can also be the EnityID of IdP (Av. SPID n.11)
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest: The IsPassive attribute MUST not be present - TR pag. 9
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: One Issuer element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Issuer element MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Issuer's value MUST be equal to entityID
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The NameQualifier attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Issuer: The NameQualifier attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotBefore attribute MUST have avalid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Conditions: The NotOnOrAfter attribute MUST have avalid UTC string
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RelayState: RelayState MUST not be immediately intelligible
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Signature element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The SignatureMethod element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Algorithm attribute MUST be present in SignatureMethod element
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The signature algorithm MUST be valid
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The DigestMethod element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The Algorithm attribute MUST be present in DigestMethod element
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_Signature: The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512]
ERROR:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_xmldsig: AuthnRequest Signature validation failed
ERROR:spid_sp_test.authn_request:AuthnRequest Signature validation failed
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The ForceAuthn attribute MUST be present if SPID level > 1
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The ForceAuthn attribute MUST be true or 1 - TR pag. 8
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST be equal to an AssertionConsumerService index
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AssertionConsumerServiceIndex attribute MUST be >= 0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST be >= 0
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_AuthnRequest_SPID: The AttributeConsumingServiceIndex attribute MUST be equal to an AttributeConsumingService index
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: One NameIDPolicy element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_NameIDPolicy: The AllowCreate attribute MUST not be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Only one RequestedAuthnContext element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The Comparison attribute MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The Comparison attribute MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Attribute not valid
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: Only one AuthnContexClassRef element MUST be present
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The AuthnContexClassRef element MUST have a value
INFO:spid_sp_test.authn_request:SpidSpAuthnReqCheck.test_RequestedAuthnContext: The AuthnContextClassRef element MUST have a valid SPID level
{
  "test": {
    "sp": {
      "metadata_strict": {
        "SpidSpMetadataCheck": [
          {
            "test_id": [
              "1.0.0"
            ],
            "test": "SpidSpMetadataCheck.xsd_check",
            "value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-2.0.xsd",
            "references": [],
            "method": "SpidSpMetadataCheck.xsd_check",
            "result": "success"
          },
          {
            "test_id": [
              "1.3.0"
            ],
            "test": "Only one EntityDescriptor element MUST be present",
            "value": "['<EntityDescriptor ID=\"_8EEB1A1D-597F-405F-89C1-EDF69BB8021A\" entityID=\"https://localhost:44369\"><Signature>\\n<SignedInfo>\\n<Canoni']",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_EntityDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.3.1"
            ],
            "test": "The entityID attribute MUST be present",
            "value": "{'ID': '_8EEB1A1D-597F-405F-89C1-EDF69BB8021A', 'entityID': 'https://localhost:44369'}",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_EntityDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.3.2"
            ],
            "test": "The entityID attribute MUST have a value",
            "value": "https://localhost:44369",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_EntityDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.0"
            ],
            "test": "Only one SPSSODescriptor element MUST be present",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NameIDFormat MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "value": "['<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\\n\\n    ']",
            "references": [
              "TR pag. ..."
            ],
            "method": "SpidSpMetadataCheck.test_NameIDFormat_Transient",
            "result": "success"
          },
          {
            "test_id": [
              "1.9.0"
            ],
            "test": "the metadata signature MUST be valid",
            "value": "xmlsec1 --verify --insecure --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor /tmp/tmpwc3on5xj.xml",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_xmldsig",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.0"
            ],
            "test": "The Signature element MUST be present",
            "value": "<Signature>\n<SignedInfo>\n<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n<SignatureMethod Algorith",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.1"
            ],
            "test": "The SignatureMethod element MUST be present",
            "value": "<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Algorithm attribute MUST be present in SignatureMethod element",
            "value": "<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.3"
            ],
            "test": "The signature algorithm MUST be valid",
            "value": "One of http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.4"
            ],
            "test": "The DigestMethod element MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.5"
            ],
            "test": "The Algorithm attribute MUST be present in DigestMethod element",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.7.6"
            ],
            "test": "The digest algorithm MUST be valid",
            "value": "One of http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": [
              "1.4.0"
            ],
            "test": "At least one signing KeyDescriptor MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_KeyDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.4.1"
            ],
            "test": "At least one signing x509 MUST be present",
            "value": "<KeyDescriptor use=\"signing\">\n      <KeyInfo>\n        <X509Data>\n          <X509Certificate>\nMIIGQjCCBCqgAwIBAgIJAJmwYjNvjrCTMA0",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_KeyDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.4.2"
            ],
            "test": "At least one encryption x509 MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_KeyDescriptor",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.0"
            ],
            "test": "One or more SingleLogoutService elements MUST be present",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.1",
              "1.8.4"
            ],
            "test": "The Binding attribute in SingleLogoutService element MUST be present",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.2",
              "1.8.5"
            ],
            "test": "The Binding attribute in SingleLogoutService element MUST have a value",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.3"
            ],
            "test": "The Binding attribute in SingleLogoutService element MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.1",
              "1.8.4"
            ],
            "test": "The Location attribute in SingleLogoutService element MUST be present",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.8.2",
              "1.8.5"
            ],
            "test": "The Location attribute in SingleLogoutService element MUST have a value",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Location attribute in SingleLogoutService element MUST be a valid HTTP URL",
            "value": "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signout-spid\"/>\n",
            "references": [
              "AV n. 3"
            ],
            "method": "SpidSpMetadataCheck.test_SingleLogoutService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.0"
            ],
            "test": "At least one AssertionConsumerService MUST be present",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.1",
              "1.1.3",
              "1.1.5"
            ],
            "test": "The index attribute MUST be present",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.2"
            ],
            "test": "The index attribute MUST be >= 0",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.1",
              "1.1.3",
              "1.1.5"
            ],
            "test": "The Binding attribute MUST be present",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.4"
            ],
            "test": "The Binding attribute MUST be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.1",
              "1.1.3",
              "1.1.5"
            ],
            "test": "The Location attribute MUST be present",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.0"
            ],
            "test": "One or more AttributeConsumingService elements MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.0"
            ],
            "test": "Only one Organization element can be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.1",
              "1.5.4"
            ],
            "test": "One or more OrganizationName elements MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.2",
              "1.5.5",
              "1.5.8"
            ],
            "test": "The lang attribute in OrganizationName element MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.3",
              "1.5.7",
              "1.5.9"
            ],
            "test": "The OrganizationName element MUST have a value",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.1",
              "1.5.4"
            ],
            "test": "One or more OrganizationDisplayName elements MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.2",
              "1.5.5",
              "1.5.8"
            ],
            "test": "The lang attribute in OrganizationDisplayName element MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.3",
              "1.5.7",
              "1.5.9"
            ],
            "test": "The OrganizationDisplayName element MUST have a value",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.1",
              "1.5.4"
            ],
            "test": "One or more OrganizationURL elements MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.2",
              "1.5.5",
              "1.5.8"
            ],
            "test": "The lang attribute in OrganizationURL element MUST be present",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.3",
              "1.5.7",
              "1.5.9"
            ],
            "test": "The OrganizationURL element MUST have a value",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.5.5",
              "1.5.8"
            ],
            "test": "The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have the same number of lang attributes",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The elements OrganizationName, OrganizationDisplayName and OrganizationURL MUST have at least an it language enabled",
            "value": "['<Organization>\\n    <OrganizationName xml:lang=\"it\">Banco Desio e della Brianza S.p.A.</OrganizationName>\\n    <OrganizationDisplayName xml:lang=\"it\">BDB</OrganizationDisplayName>\\n    <OrganizationURL xml:lang=\"it\">https://www.bancodesio.it</OrganizationURL>\\n  </Organization>\\n\\n  ']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_Organization",
            "result": "success"
          },
          {
            "test_id": [
              "1.0.0"
            ],
            "test": "SpidSpMetadataCheck.xsd_check",
            "value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-sp-spid.xsd",
            "references": [],
            "method": "SpidSpMetadataCheck.xsd_check",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.1",
              "1.6.3"
            ],
            "test": "The protocolSupportEnumeration attribute MUST be present",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.2",
              "1.6.4"
            ],
            "test": "The protocolSupportEnumeration attribute MUST have a value",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.1",
              "1.6.3"
            ],
            "test": "The AuthnRequestsSigned attribute MUST be present",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.2",
              "1.6.4"
            ],
            "test": "The AuthnRequestsSigned attribute MUST have a value",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.6.5"
            ],
            "test": "The AuthnRequestsSigned attribute MUST be true",
            "value": "['<SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:']",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_SPSSODescriptor_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.7"
            ],
            "test": "Only one default AssertionConsumerService MUST be present",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.1.8"
            ],
            "test": "Must be present the default AssertionConsumerService with index = 0",
            "value": "<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AssertionConsumerService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.1"
            ],
            "test": "The index attribute in AttributeConsumigService element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.2"
            ],
            "test": "The index attribute in AttributeConsumigService element MUST be >= 0",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.3"
            ],
            "test": "The ServiceName element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.4"
            ],
            "test": "The ServiceName element MUST have a value",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.5"
            ],
            "test": "One or more RequestedAttribute elements MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"spidCode\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"name\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"familyName\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"fiscalNumber\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"gender\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.6"
            ],
            "test": "The Name attribute in RequestedAttribute element MUST be present",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.2.7"
            ],
            "test": "The \"dateOfBirth\" attribute in RequestedAttribute element MUST be valid",
            "value": "one of [address, companyName, companyFiscalNumber, countyOfBirth, dateOfBirth, digitalAddress, email, expirationDate, familyName, fiscalNumber, gender, idCard, ivaCode, mobilePhone, name, placeOfBirth, registeredOffice, spidCode, domicileStreetAddress, domicilePostalCode, domicileMunicipality, domicileProvince, domicileNation]",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "AttributeConsumigService MUST not contain duplicated RequestedAttribute",
            "value": "<AttributeConsumingService index=\"0\">\n      <ServiceName xml:lang=\"it\">Set Attributi 1 - ID Cittadini minimo</ServiceName>\n     ",
            "references": [
              "TR pag. 20"
            ],
            "method": "SpidSpMetadataCheck.test_AttributeConsumingService_SPID",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.4"
            ],
            "test": "The //ContactPerson/EmailAddress element MUST be present",
            "value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n    ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n    ']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_email",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.5"
            ],
            "test": "The //ContactPerson/EmailAddress element MUST have a value",
            "value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n    ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n    ']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_email",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.6"
            ],
            "test": "The //ContactPerson/EmailAddress element MUST be a valid email address",
            "value": "['<EmailAddress>spid.tech@bancodesio.it</EmailAddress>\\n    ', '<EmailAddress>spid.amm@bancodesio.it</EmailAddress>\\n    ']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_email",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The //ContactPerson/TelephoneNumber element MUST have a value",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_phone",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.8"
            ],
            "test": "The //ContactPerson/TelephoneNumber element MUST not contain spaces",
            "value": "+390362613340",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_phone",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.9"
            ],
            "test": "The //ContactPerson/TelephoneNumber element MUST start with \"+39\"",
            "value": "+390362613340",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_contactperson_phone",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "ContactPerson MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": [
              "Missing contactType in {'contactType': 'other'}: The contactType attribute MUST be present"
            ],
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The contactType attribute MUST have a value",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The contactType must be \"other\"",
            "value": "other",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.0"
            ],
            "test": "Only one ContactPerson element of contactType \"other\" MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "ContactPerson MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": [
              "Missing contactType in {'contactType': 'billing'}: The contactType attribute MUST be present"
            ],
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The contactType attribute MUST have a value",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The contactType must be \"billing\"",
            "value": "billing",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.0"
            ],
            "test": "Only one ContactPerson element of contactType \"billing\" MUST be present",
            "value": "",
            "references": [
              "TR pag. 19"
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_PubPriv",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.1"
            ],
            "test": "Only one Extensions element inside ContactPerson element MUST be present",
            "value": "<ContactPerson contactType=\"other\">\n    <Extensions>\n      <VATNumber>IT10537880964</VATNumber>\n      <FiscalCode>01181770155</FiscalCode>\n      <Private/>\n    </Extensions>\n    <Company>Banco Desio e della Brianza S.p.A.</Company>\n    <EmailAddress>spid.tech@bancodesio.it</EmailAddress>\n    <TelephoneNumber>+390362613340</TelephoneNumber>\n  </ContactPerson>\n  ",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Extensions_PubPriv",
            "result": "success"
          },
          {
            "test_id": [
              "1.10.1"
            ],
            "test": "Only one Extensions element inside ContactPerson element MUST be present",
            "value": "<ContactPerson contactType=\"billing\">\n    <Extensions>\n      <CessionarioCommittente>\n        <DatiAnagrafici>\n          <IdFiscaleIVA>\n            <IdPaese>IT</IdPaese>\n            <IdCodice>+390123456789</IdCodice>\n          </IdFiscaleIVA>\n          <Anagrafica>\n            <Denominazione>\n              Banco Desio e della Brianza S.p.A.\n            </Denominazione>\n          </Anagrafica>\n        </DatiAnagrafici>\n        <Sede>\n          <Indirizzo>via E. Rovagnati</Indirizzo>\n          <NumeroCivico>1</NumeroCivico>\n          <CAP>20832</CAP>\n          <Comune>Desio</Comune>\n          <Provincia>MB</Provincia>\n          <Nazione>IT</Nazione>\n        </Sede>\n      </CessionarioCommittente>\n    </Extensions>\n    <Company>Banco Desio e della Brianza S.p.A.</Company>\n    <EmailAddress>spid.amm@bancodesio.it</EmailAddress>\n    <TelephoneNumber>+390362613656</TelephoneNumber>\n  </ContactPerson>\n",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Extensions_PubPriv",
            "result": "success"
          },
          {
            "test_id": [
              "1.11.7",
              "1.12.5"
            ],
            "test": "Missing ContactPerson/Extensions/Private, this element MUST be present",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_extensions_public_private",
            "result": "success"
          },
          {
            "test_id": [
              "1.11.8",
              "1.12.6"
            ],
            "test": "The Private element MUST be empty",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_extensions_public_private",
            "result": "success"
          },
          {
            "test_id": [
              "1.11.9",
              "1.12.7"
            ],
            "test": "The Public element MUST not be present",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_extensions_public_private",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "only one VATNumber element must be present",
            "value": "['<VATNumber>IT10537880964</VATNumber>\\n      ']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_VATFC",
            "result": "success"
          },
          {
            "test_id": [
              "1.11.4"
            ],
            "test": "The VATNumber element MUST have a value",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_VATFC",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The VATNumber element MUST start with a valid ISO3166 Code",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_VATFC",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "only one FiscalCode element must be present",
            "value": "['<FiscalCode>01181770155</FiscalCode>\\n      ']",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_VATFC",
            "result": "success"
          },
          {
            "test_id": [
              "1.11.6"
            ],
            "test": "The FiscalCode element MUST have a value",
            "value": "",
            "references": [
              ""
            ],
            "method": "SpidSpMetadataCheck.test_Contacts_VATFC",
            "result": "success"
          },
          {
            "test_id": [
              "1.12.0"
            ],
            "test": "The IPACode element MUST NOT be present",
            "value": "[]",
            "references": [],
            "method": "SpidSpMetadataCheck.test_Contacts_Priv",
            "result": "success"
          },
          {
            "test_id": [
              "1.14.4"
            ],
            "test": "The CessionarioCommittente element MUST be present",
            "value": "[<Element CessionarioCommittente at 0x7f4d5ac67788>]",
            "references": [],
            "method": "SpidSpMetadataCheck.test_Contacts_Priv",
            "result": "success"
          },
          {
            "test_id": [
              "1.0.0"
            ],
            "test": "SpidSpMetadataCheck.xsd_check",
            "value": "Test file://../data/https___localhost_44369/sp-metadata.xml with saml-schema-metadata-2.0.xsd",
            "references": [],
            "method": "SpidSpMetadataCheck.xsd_check",
            "result": "success"
          }
        ]
      },
      "authnrequest_strict": {
        "SpidSpAuthnReqCheck": [
          {
            "test_id": "",
            "test": "One AuthnRequest element MUST be present",
            "value": "",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The ID attribute MUST be present",
            "value": "ID",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The ID attribute MUST have a value",
            "value": "_668b41c5-ccbc-4d77-ba98-84462272ed42",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Version attribute MUST be present",
            "value": "Version",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Version attribute MUST be 2.0",
            "value": "2.0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The IssueInstant attribute MUST be present",
            "value": "IssueInstant",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The IssueInstant attribute MUST have a value",
            "value": "2021-10-01T09:50:13.663Z",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The IssueInstant attribute MUST be a valid UTC string",
            "value": "2021-10-01T09:50:13.663Z",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Destination attribute MUST be present",
            "value": "Destination",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Destination attribute MUST have a value",
            "value": "https://localhost:8080/samlsso",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Destination attribute SHOULD be the address to which the request has been sent but can also be the EnityID of IdP (Av. SPID n.11)",
            "value": "https://localhost:8080/samlsso",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The IsPassive attribute MUST not be present - TR pag. 9 ",
            "value": "",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "One Issuer element MUST be present",
            "value": "<Issuer NameQualifier=\"https://localhost:44369\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://localhost:4436",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Issuer element MUST have a value",
            "value": "<Issuer NameQualifier=\"https://localhost:44369\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://localhost:4436",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Issuer's value MUST be equal to entityID",
            "value": "https://localhost:44369",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST be present",
            "value": "{'NameQualifier': 'https://localhost:44369', 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'}",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST have a value",
            "value": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
            "value": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NameQualifier attribute MUST be present",
            "value": "{'NameQualifier': 'https://localhost:44369', 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'}",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NameQualifier attribute MUST have a value",
            "value": "https://localhost:44369",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Issuer",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotBefore attribute MUST be present",
            "value": "<Element Conditions at 0x7f4d5ab1cd48>",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotBefore attribute MUST have a value",
            "value": "2021-10-01T09:50:13.663Z",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotBefore attribute MUST have avalid UTC string",
            "value": "2021-10-01T09:50:13.663Z",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotOnOrAfter attribute MUST be present",
            "value": "2021-10-01T09:50:13.663Z",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotOnOrAfter attribute MUST have a value",
            "value": "2021-10-01T10:00:13.663Z",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The NotOnOrAfter attribute MUST have avalid UTC string",
            "value": "2021-10-01T10:00:13.663Z",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_Conditions",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "RelayState MUST not be immediately intelligible",
            "value": "668b41c5-ccbc-4d77-ba98-84462272ed42",
            "references": [
              "TR pag. 14",
              "TR pag. 15"
            ],
            "method": "SpidSpAuthnReqCheck.test_RelayState",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Signature element MUST be present",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The SignatureMethod element MUST be present",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Algorithm attribute MUST be present in SignatureMethod element",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The signature algorithm MUST be valid",
            "value": "One of http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The DigestMethod element MUST be present",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Algorithm attribute MUST be present in DigestMethod element",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384, http://www.w3.org/2001/04/xmlenc#sha512]",
            "value": "",
            "references": [
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_Signature",
            "result": "success"
          },
          {
            "test_id": "",
            "result": "failure",
            "test": "AuthnRequest Signature validation failed",
            "value": "The AuthnRequest MUST validate against XSD and MUST have a valid signature\nstderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\nfunc=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmps95zj8q1.crt\nError: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmps95zj8q1.crt\nError: failed to load public key from \"/tmp/tmps95zj8q1.crt\".\nError: keys manager creation failed\nUnknown command\n\nstdout: Usage: xmlsec <command> [<options>] [<files>]\n\nxmlsec is a command line tool for signing, verifying, encrypting and\ndecrypting XML documents. The allowed <command> values are:\n  --help      \tdisplay this help information and exit\n  --help-all  \tdisplay help information for all commands/options and exit\n  --help-<cmd>\tdisplay help information for command <cmd> and exit\n  --version   \tprint version information and exit\n  --keys      \tkeys XML file manipulation\n  --sign      \tsign data and output XML document\n  --verify    \tverify signed document\n  --sign-tmpl \tcreate and sign dynamicaly generated signature template\n  --encrypt   \tencrypt data and output XML document\n  --decrypt   \tdecrypt data from XML document\n\n\nReport bugs to http://www.aleksey.com/xmlsec/bugs.html\n\nWritten by Aleksey Sanin <aleksey@aleksey.com>.\n\nCopyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\nThis is free software: see the source for copying information.\n\n",
            "references": [],
            "method": ""
          },
          {
            "test_id": "",
            "test": "The ForceAuthn attribute MUST be present if SPID level > 1",
            "value": "['<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>']",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The ForceAuthn attribute MUST be true or 1 - TR pag. 8 ",
            "value": "true",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AssertionConsumerServiceIndex attribute MUST be equal to an AssertionConsumerService index",
            "value": "['<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://localhost:44369/signin-spid\" index=\"0\" isDefault=\"true\"/>\\n\\n    ']",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AssertionConsumerServiceIndex attribute MUST have a value",
            "value": "0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AssertionConsumerServiceIndex attribute MUST be >= 0",
            "value": "0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AttributeConsumingServiceIndex attribute MUST have a value",
            "value": "0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AttributeConsumingServiceIndex attribute MUST be >= 0",
            "value": "0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AttributeConsumingServiceIndex attribute MUST be equal to an AttributeConsumingService index",
            "value": "0",
            "references": [
              "TR pag. 8"
            ],
            "method": "SpidSpAuthnReqCheck.test_AuthnRequest_SPID",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "One NameIDPolicy element MUST be present",
            "value": "<NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\"/>",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST be present",
            "value": "{'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'}",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST have a value",
            "value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "references": [
              "TR pag. 9"
            ],
            "method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AllowCreate attribute MUST not be present",
            "value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            "references": [
              "AV n.5"
            ],
            "method": "SpidSpAuthnReqCheck.test_NameIDPolicy",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "Only one RequestedAuthnContext element MUST be present",
            "value": "['<RequestedAuthnContext Comparison=\"minimum\"><AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef></RequestedAuthnContext>']",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Comparison attribute MUST be present",
            "value": "{'Comparison': 'minimum'}",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The Comparison attribute MUST have a value",
            "value": "minimum",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "Attribute not valid",
            "value": "The Comparison attribute MUST be one of [exact, minimum, better, maximum]",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "Only one AuthnContexClassRef element MUST be present",
            "value": "['<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>']",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AuthnContexClassRef element MUST have a value",
            "value": "b'<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>'",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          },
          {
            "test_id": "",
            "test": "The AuthnContextClassRef element MUST have a valid SPID level",
            "value": "b'<AuthnContextClassRef>https://www.spid.gov.it/SpidL2</AuthnContextClassRef>'",
            "references": [
              "TR pag. 9",
              "TR pag. 10"
            ],
            "method": "SpidSpAuthnReqCheck.test_RequestedAuthnContext",
            "result": "success"
          }
        ]
      }
    }
  }
}
Spid QA: executed 153 tests, 1 failed. 0 warnings.

In particular:

{
            "test_id": "",
            "result": "failure",
            "test": "AuthnRequest Signature validation failed",
            "value": "The AuthnRequest MUST validate against XSD and MUST have a valid signature\nstderr: func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=268:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:openssl error: 151584876: PEM routines: get_name no start line\nfunc=xmlSecOpenSSLAppKeyLoad:file=app.c:line=172:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/tmp/tmps95zj8q1.crt\nError: xmlSecCryptoAppKeyLoad failed: file=/tmp/tmps95zj8q1.crt\nError: failed to load public key from \"/tmp/tmps95zj8q1.crt\".\nError: keys manager creation failed\nUnknown command\n\nstdout: Usage: xmlsec <command> [<options>] [<files>]\n\nxmlsec is a command line tool for signing, verifying, encrypting and\ndecrypting XML documents. The allowed <command> values are:\n  --help      \tdisplay this help information and exit\n  --help-all  \tdisplay help information for all commands/options and exit\n  --help-<cmd>\tdisplay help information for command <cmd> and exit\n  --version   \tprint version information and exit\n  --keys      \tkeys XML file manipulation\n  --sign      \tsign data and output XML document\n  --verify    \tverify signed document\n  --sign-tmpl \tcreate and sign dynamicaly generated signature template\n  --encrypt   \tencrypt data and output XML document\n  --decrypt   \tdecrypt data from XML document\n\n\nReport bugs to http://www.aleksey.com/xmlsec/bugs.html\n\nWritten by Aleksey Sanin <aleksey@aleksey.com>.\n\nCopyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..\nThis is free software: see the source for copying information.\n\n",
            "references": [],
            "method": ""
          },
santesem-links commented 3 years ago

So are you able to use this SDK with the demo environment?

This one, to be clear? --> https://demo.spid.gov.it/metadata.xml

danielegiallonardo commented 3 years ago

Yes, I personally have no problems, either with self-signed certificates or with production certificates issued by Agid.

santesem-links commented 3 years ago

Private or public SP?

danielegiallonardo commented 3 years ago

Public SP and aggregator

danielegiallonardo commented 3 years ago

But in this case I don't think the profile has anything to do with it; it depends on how spid_sp_test reads and interprets the certificate from the request. The error occurs in that phase.

santesem-links commented 3 years ago

But the thing is that the metadata seems to be OK - the certificate is that one, and so is the one in the request.

I don't know how to proceed to enable the new demo environment.

santesem-links commented 3 years ago

Could you try running the request validation command and paste the result?

danielegiallonardo commented 3 years ago

This is the command:

spid_sp_test --metadata-url https://localhost:5001/spid/metadata.xml --authn-url https://localhost:5001/home/login?idpname=SpidSpTest -rf json --debug ERROR --extra --profile spid-sp-ag-public-full

I'm attaching the file with the report: output.txt

I'm using the webapp contained in the solution, run locally.

santesem-links commented 3 years ago

The number of checks depends on the profile, right? I wouldn't want the profile to be somehow causing a problem...

danielegiallonardo commented 3 years ago

I believe the profile only affects the checks performed on the metadata, but I can't give you any certainty about that.

santesem-links commented 3 years ago

I see that yours has 189 tests - mine has 153

santesem-links commented 3 years ago

Anyway - they have just updated something on the demo side, and now the whole thing crashes outright.

santesem-links commented 3 years ago

I'm pleased to let you know that with spid-sp-test version 0.9.22 this problem has been resolved.

danielegiallonardo commented 3 years ago

Perfect, closing.