italia / spid-sp-shibboleth

Middleware SPID basato su Shibboleth
Creative Commons Zero v1.0 Universal

Shibboleth - WARN Shibboleth.AttributeResolver.Query [1] [default]: no SAML 2 AttributeAuthority role found in metadata #2

Closed rmonacoAPS closed 3 years ago

rmonacoAPS commented 5 years ago

Salve, ho configurato Shibboleth come SP per l'autenticazione tramite SPID. Quando tento di autenticarmi all'IdP di test https://idp.spid.gov.it viene restituito il seguente warning: WARN Shibboleth.AttributeResolver.Query [1] [default]: no SAML 2 AttributeAuthority role found in metadata. Qualcuno può darmi una mano? Grazie. Di seguito il file shibboleth2.xml con le configurazioni:

<ApplicationDefaults entityID="https://sp.cittametrpolitana.na.it" REMOTE_USER="eppn persistent-id targeted-id" signing="true" signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" encryption="false" authnContextClassRef="https://www.spid.gov.it/SpidL2" authnContextComparison="exact" NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">

<!--
sessionHook="/Shibboleth.sso/AttrChecker"
metadataAttributePrefix="Meta-"
-->

<Sessions lifetime="1800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
<!--<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">-->
<!-- Session container. Absolute lifetime is 1800 s and idle timeout 3600 s, so the idle
     timeout can never fire before the absolute expiry and lifetime alone governs session
     length (the earlier 28800 s variant is kept above, commented out, for reference).
     handlerSSL="true" serves the /Shibboleth.sso handlers only over TLS and cookieProps="https"
     applies the secure/HttpOnly cookie preset. checkAddress="false" disables binding the
     session to the client IP address; the session is then protected by the cookie alone. -->

<!-- Login -->
<!-- Default SAML2 session initiator (isDefault="true"), reached at /Login. signing="true"
     asks for a signed AuthnRequest. NOTE(review): the entityID given here lacks the
     "https://" scheme used for the SP entityID on ApplicationDefaults, and on a SAML2
     SessionInitiator this attribute normally names the IdP to contact rather than the SP;
     confirm the value is intended. -->
<SessionInitiator   type="SAML2" 
                    Location="/Login"
                    isDefault="true"
                    entityID="sp.cittametrpolitana.na.it"
                    outgoingBinding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
                    isPassive="false"
                    signing="true">
    <!-- AuthnRequest template merged into each outgoing request. ForceAuthn="true" asks the
         IdP to re-authenticate the user every time; AttributeConsumingServiceIndex="0" refers
         to the AttributeConsumingService with index 0 in the SP metadata.
         NOTE(review): ID and IssueInstant are fixed placeholder values; the SP is expected
         to regenerate them per request, confirm they are not sent verbatim. -->
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
                        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        ID="sp.cittametrpolitana.na.it"
                        Version="2.0"
                        IssueInstant="2017-01-01T00:00:00Z"
                        AttributeConsumingServiceIndex="0"
                        ForceAuthn="true">
        <!-- NOTE(review): the Issuer value sits on its own line, so it carries leading and
             trailing whitespace unless the SP trims it; an IdP that compares Issuer against
             the registered entityID byte for byte may reject the request. Consider writing
             the URL directly between the start and end tags. -->
        <saml:Issuer    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                        NameQualifier="https://sp.cittametrpolitana.na.it">
                        https://sp.cittametrpolitana.na.it
        </saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </samlp:AuthnRequest>
</SessionInitiator>

<!-- Assertion consumer endpoint advertised in the SP metadata: only the HTTP-POST binding
     at /SAML2/POST, index 0. -->
 <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="/SAML2/POST" index="0"/>

<!-- Logout -->
<!-- Chained logout: first a signed SAML2 LogoutRequest to the IdP, then local session removal.
     NOTE(review): outgoingBindings lists the HTTP-POST binding twice; since both POST and
     Redirect SingleLogoutService endpoints are declared below, the second entry was
     probably meant to be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. -->
<LogoutInitiator type="Chaining" Location="/Logout">
    <LogoutInitiator type="SAML2"
        outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        signing="true"/>
    <LogoutInitiator type="Local" signing="true"/>
</LogoutInitiator>

<!-- Endpoints on which the SP accepts IdP-initiated logout (POST and Redirect bindings). -->
<md:SingleLogoutService Location="/SLO/POST"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Redirect"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

<!-- Handler -->
<!-- Status is restricted by acl to localhost and one internal address. The Session handler
     has no acl and returns the caller's own session to the browser; with
     showAttributeValues="true" the received attribute values (personal data under SPID)
     are shown there, so keep it enabled only while debugging.
     NOTE(review): showAttributeValues is documented for the Session handler; confirm the
     Status handler honours it as well. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 10.253.0.66" showAttributeValues="true"/>
<Handler type="Session" Location="/Session" showAttributeValues="true"/>

    <!-- Administrative logout. -->
    <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 10.253.0.66" />

    <!-- Metadata generator at /Metadata. signing="false" means the generated SP metadata is
         unsigned; NOTE(review): confirm whether the metadata registered with the SPID
         registry needs to be signed before relying on this endpoint for that purpose. -->
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

    <!-- JSON feed of discovery information. -->
    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

    <!-- Disabled AttributeChecker. If enabled (and wired in via sessionHook), it requires
         every attribute listed below to be present and flushes the session otherwise
         (flushSession="true"); the IdP will only return the subset the SP requested. -->
    <!-- Check the returned attributes 
    <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html" flushSession="true">
        <AND>
            <Rule require="NAME"/>
            <Rule require="PLACEOFBIRTH"/>
            <Rule require="ADDRESS"/>
            <Rule require="COMPANYNAME"/>
            <Rule require="COUNTYOFBIRTH"/>
            <Rule require="DATEOFBIRTH"/>
            <Rule require="DIGITALADDRESS"/>
            <Rule require="EMAIL"/>
            <Rule require="EXPIRATIONDATE"/>
            <Rule require="FAMILYNAME"/>
            <Rule require="FISCALNUMBER"/>
            <Rule require="GENDER"/>
            <Rule require="IDCARD"/>
            <Rule require="IVACODE"/>
            <Rule require="MOBILEPHONE"/>
            <Rule require="REGISTEREDOFFICE"/>
            <Rule require="SPIDCODE"/>
        </AND>
    </Handler>-->
</Sessions>

<!-- Attribute pipeline: decode attributes from the assertion using attribute-map.xml
     (schema-validated, re-read when the file changes), then issue a SAML attribute query
     to the IdP (type="Query"), then apply the release rules in attribute-policy.xml.
     NOTE(review): the Query resolver is the component that logs the warning quoted in
     this issue ("no SAML 2 AttributeAuthority role found in metadata") when the IdP
     metadata contains no AttributeAuthority role. The warning is benign; if the IdP
     delivers all attributes in the SSO assertion the resolver line can be dropped. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

<!-- File-based credential resolvers for the SP's signing and encryption keys.
     NOTE(review): both resolvers point at the same key pair (sp-signing-key.pem /
     sp-signing-cert.pem), so the signing key would also serve for decryption, while
     encryption="false" on ApplicationDefaults means no encryption key is currently
     advertised. Either provide a distinct key pair for use="encryption" or remove the
     second resolver; reusing one key for both purposes widens the impact of a key
     compromise. Keep the private key file readable only by the SP daemon. -->
<CredentialResolver type="File" use="signing"    key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>

<!-- SPID Test Environment IdentityServer Metadata -->
<!-- Static, locally stored IdP metadata, schema-validated on load: the SPID test IdP
     plus two production IdPs (Aruba, Poste). No MetadataFilter (signature verification,
     validity window) is attached, so trust in these IdPs rests entirely on the integrity
     of the files under /opt/shibboleth/metadata: restrict write access to them and
     refresh them from the official source when an IdP rotates its keys. -->
<MetadataProvider type="XML" validate="true" path="/opt/shibboleth/metadata/idp.spid.gov.it.xml" id="https://idp.spid.gov.it" />
<MetadataProvider type="XML" validate="true" path="/opt/shibboleth/metadata/arubaid.xml" id="https://loginspid.aruba.it" />
<MetadataProvider type="XML" validate="true" path="/opt/shibboleth/metadata/posteid.xml" id="https://posteid.poste.it"/>
francescm commented 3 years ago

Se è il tuo shibboleth-sp a emettere questo warning e se il metadata dello IdP di test davvero non contiene nessun endpoint per il servizio di AttributeAuthority, allora probabilmente non c'è nessun errore e semplicemente lo IdP di test non funziona come AttributeAuthority.

peppelinux commented 3 years ago

Ciao, il repository è stato aggiornato: vorrei chiederti se questa issue è ancora valida oppure se possiamo chiuderla.