italia / spid-keycloak-provider

Italian SPID authentication provider for Keycloak (https://www.keycloak.org/)
Apache License 2.0

Mapping SAML StatusMessage due to Anomalia 19 #14

Closed nicolabeghin closed 3 years ago

nicolabeghin commented 3 years ago

AGID requirement

As per SPID – Tabella messaggi di anomalia V1.3 (the SPID anomaly messages table)

in case of

Authentication failed due to repeated submission of wrong credentials (number of attempts exceeded according to the adopted policies)

it's expected to

Provide a courtesy page notifying the user of the reasons that led to the denial of access to the requested service

SAML reference

In short, we should map the returned <samlp:StatusMessage> (SAML11StatusType.statusMessage in Keycloak) to something "human"

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>
        ErrorCode nr19
    </samlp:StatusMessage>
</samlp:Status>

otherwise the raw message is shown in Keycloak

(I don't understand why AgID is not returning the expected human message leaving the interpretation to the SP, but anyway...)

@lscorcia do you know if there's any way to map SAML statuses in Keycloak, or if we need to approach this with an extension? After some digging, I think it's enough to localize the message in SpidSAMLEndpoint.handleLoginResponse, but I have no real clue how to handle the fact that AgID is returning a semi-human message, ErrorCode nr19, in place of a proper error code (which would be easily localized through the standard).

SPID-SAML-check example


nicolabeghin commented 3 years ago

Submitted PR https://github.com/lscorcia/keycloak-spid-provider/pull/15 - new SPID error messages can be localized

i.e., ErrorCode nr19 localized through ErrorCode_nr19 in messages_it.properties

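As an added example, not part of this issue or of the keycloak-spid-provider code, here is a stand-alone Java sketch of the mapping discussed above: the raw <samlp:StatusMessage> text "ErrorCode nr19" is turned into the messages_it.properties key ErrorCode_nr19 (the convention the linked PR describes), and anything that does not match the ErrorCode nr<N> shape falls back to a generic message instead of being echoed to the user. The SAML response is attacker-reachable input, so the parser is also configured with DTDs and external entities disabled. The class name, the spidErrorGeneric key, the inline sample bundle and the sample Status XML (copied from this issue and wrapped in a <samlp:Response> root so the prefix is declared) are assumptions; the Keycloak wiring in SpidSAMLEndpoint.handleLoginResponse is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SpidStatusMessageMapper {

    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Constructed sample: the <samlp:Status> from the issue, wrapped in a root element
    // so the samlp prefix is declared (a real IdP puts it inside <samlp:Response>).
    static final String SAMPLE_STATUS =
        "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\">"
      + "<samlp:Status>"
      + "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\">"
      + "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:AuthnFailed\"/>"
      + "</samlp:StatusCode>"
      + "<samlp:StatusMessage>\n        ErrorCode nr19\n    </samlp:StatusMessage>"
      + "</samlp:Status></samlp:Response>";

    // Constructed stand-in for messages_it.properties; spidErrorGeneric is a hypothetical key.
    static final String SAMPLE_MESSAGES_IT =
        "spidErrorGeneric=Accesso non riuscito. Riprova più tardi.\n"
      + "ErrorCode_nr19=Autenticazione fallita per ripetuta sottomissione di credenziali errate.\n";

    // Only the shape AgID actually sends ("ErrorCode nr<digits>") is accepted as a key source.
    static final Pattern ERROR_CODE = Pattern.compile("^ErrorCode\\s+nr(\\d{1,3})$");

    /** Parse with DTDs and external entities disabled: the response comes from the network. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the trimmed StatusMessage text, or null when the IdP sent none. */
    static String extractStatusMessage(Document doc) {
        NodeList nl = doc.getElementsByTagNameNS(SAMLP_NS, "StatusMessage");
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    /** "ErrorCode nr19" -> "ErrorCode_nr19"; anything else -> null (free text is never a key). */
    static String toMessageKey(String statusMessage) {
        if (statusMessage == null) return null;
        Matcher m = ERROR_CODE.matcher(statusMessage.trim());
        return m.matches() ? "ErrorCode_nr" + m.group(1) : null;
    }

    /** Resolve to a localized string; unknown or missing codes get the generic message. */
    static String localize(Properties bundle, String statusMessage) {
        String key = toMessageKey(statusMessage);
        if (key != null && bundle.containsKey(key)) return bundle.getProperty(key);
        return bundle.getProperty("spidErrorGeneric");
    }

    static Properties loadBundle(String content) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(content));
        return p;
    }

    public static void main(String[] args) throws Exception {
        Properties it = loadBundle(SAMPLE_MESSAGES_IT);
        String raw = extractStatusMessage(parseHardened(SAMPLE_STATUS));
        System.out.println("raw StatusMessage : " + raw);
        System.out.println("message key       : " + toMessageKey(raw));
        System.out.println("shown to the user : " + localize(it, raw));
        // Failure modes: an unlisted code, free text and a missing element all fall back to
        // the generic message, so nothing the IdP (or a forged response) sends reaches the page raw.
        System.out.println("unknown code      : " + localize(it, "ErrorCode nr999"));
        System.out.println("free text         : " + localize(it, "<script>alert(1)</script>"));
        System.out.println("no StatusMessage  : " + localize(it, null));
    }
}
```

Compile and run with `javac SpidStatusMessageMapper.java && java SpidStatusMessageMapper`; it needs only the JDK. The regex whitelist is the point: the StatusMessage is turned into a fixed-shape key and looked up, so a message that is not in the bundle can neither select an arbitrary resource nor be rendered verbatim, which is the behaviour the screenshots in the issue show.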