2.1.11 - The IsPassive attribute must not be present
AssertionConsumerServiceIndex and AssertionConsumerServiceUrl+ProtocolBinding must not both be set (partially addresses #11)
From spid-testenv2 validation:
"Uno e uno solo uno tra gli attributi o gruppi di attributi devono essere presenti: [AssertionConsumerServiceIndex, [AssertionConsumerServiceUrl, ProtocolBinding]]"
As an alternative to the AssertionConsumerServiceIndex attribute (a discouraged choice), the following may be present:
the AssertionConsumerServiceURL attribute [...]
the ProtocolBinding attribute [...]
ForceAuthn attribute must be present if SPID level > 1 (partially addresses #11)
the ForceAuthn attribute, when an authentication level higher than SpidL1 (SpidL2 or SpidL3) is requested
Issuer must be set to "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" not to "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" (partially addresses #11)
2.2.4 - The Format attribute must be urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The same public key info is provided twice in getSignature() (explicitly and via certificate), resulting in both KeyValue and X509Data elements being present in the AuthnRequest, which makes signxml throw an exception when using spid-testenv2. Fixes #10.
As a fix, public key info is now only added via the certificate (by commenting out KeyInfoHelper.addPublicKey(keyInfo, certificate.getPublicKey()); in getSignature()) and adding Signer.signObject(authnRequest.getSignature()); to printAuthnRequest
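The five constraints collected in the commits above, expressed as a receiving-side check over a serialized AuthnRequest. This is an added example, not the project's Java code: the rule texts, the sample request skeleton and the SpidL2/SpidL3 context URIs used here are assumptions modelled on the SPID rules quoted above.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
HIGH_LEVELS = {"https://www.spid.gov.it/SpidL2", "https://www.spid.gov.it/SpidL3"}

def check_authn_request(xml_text: str) -> list:
    """Return the SPID rule violations found in a serialized AuthnRequest (empty list if compliant)."""
    root = ET.fromstring(xml_text)
    attrs = set(root.attrib)
    problems = []
    # 2.1.11: IsPassive must be absent entirely, not merely set to "false".
    if "IsPassive" in attrs:
        problems.append("IsPassive attribute present")
    # Exactly one of AssertionConsumerServiceIndex or (AssertionConsumerServiceURL + ProtocolBinding).
    has_index = "AssertionConsumerServiceIndex" in attrs
    has_url_pair = {"AssertionConsumerServiceURL", "ProtocolBinding"} <= attrs
    if has_index == has_url_pair:
        problems.append("need exactly one of ACS Index or ACS URL+ProtocolBinding")
    # ForceAuthn="true" is mandatory when SpidL2 or SpidL3 is requested.
    refs = {e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text}
    if refs & HIGH_LEVELS and root.get("ForceAuthn") != "true":
        problems.append("ForceAuthn missing for SPID level > 1")
    # 2.2.4: the Issuer Format must be the entity format, not transient.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.get("Format") != ENTITY_FORMAT:
        problems.append("Issuer Format is not nameid-format:entity")
    # KeyInfo must carry the key once: KeyValue plus X509Data is what made signxml reject the request.
    key_info = root.find("ds:Signature/ds:KeyInfo", NS)
    if key_info is not None and key_info.find("ds:KeyValue", NS) is not None and key_info.find("ds:X509Data", NS) is not None:
        problems.append("KeyInfo has both KeyValue and X509Data")
    return problems

def sample_request(fixed: bool) -> str:
    """Constructed, unsigned AuthnRequest skeleton (not a real SPID message); fixed=True applies the PR's changes."""
    acs = 'AssertionConsumerServiceIndex="0"'
    if not fixed:  # the "before" shape: index AND url+binding, plus a stray IsPassive
        acs += (' AssertionConsumerServiceURL="https://sp.example/acs"'
                ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" IsPassive="false"')
    force = ' ForceAuthn="true"' if fixed else ""
    fmt, key = ("entity", "<ds:X509Data/>") if fixed else ("transient", "<ds:KeyValue/><ds:X509Data/>")
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_req1" Version="2.0" {acs}{force}>'
            f'<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:{fmt}">https://sp.example</saml:Issuer>'
            f'<ds:Signature><ds:KeyInfo>{key}</ds:KeyInfo></ds:Signature>'
            '<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2'
            '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>')

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before", check_authn_request(sample_request(fixed)))
```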
AuthNRequest fixes
see https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html
see https://www.spid.gov.it/assets/download/SPID_QAD.pdf
see https://github.com/XML-Security/signxml/issues/143
see https://github.com/italia/spid-testenv2/issues/325
Other minor changes: