Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

All’interno del metadata deve essere presente almeno un certificato x509 #67

Open
totolabs opened this issue Feb 2, 2024 · 1 comment
Open

All’interno del metadata deve essere presente almeno un certificato x509 #67

totolabs opened this issue Feb 2, 2024 · 1 comment

Comments

@totolabs
Copy link
Contributor

totolabs commented Feb 2, 2024
edited
Loading

Buongiorno,

in fase di comunicazione del metadata spid.tech ci ha risposto:

Per quanto riguarda il metadata:

  • La firma del metadata deve essere valida
  • All’interno del metadata deve essere presente almeno un certificato x509

Questo è il contenuto del metadata generato dal plugin

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:spid="https://spid.gov.it/saml-extensions" entityID="https://*********.it" ID="https___*********_it">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#https___*********_it">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>gXO45VPPaf52a8DOv5Z0/w6J0bOiMUHKzuDrLDjLkN8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I9cjsXOCu8Zh5inMcUpHlWAiAsrrvVtblXKeVaAUAE1h49YAxtH7k/sMUaxe69DiOGpnAGmCnPV7+ruBDXKXn467vh+ukrxjF1CcRl//Sn32ba9IFjEVFZ3k5dkxiVxBzEfkNwMg1snqrjrAzT4OFVBQRbCCRaklX4AnyFzXIEdY4nwPUwpjHrdjf6Y4OPBlv9ksaa3QWFcILI+DUdQ8n4iTUSRvD0fU6yAkPz9QU3zvpdG7teIQs48BvBFGBsGlWIsYo+6hvmskvFUuh9lc9nG6hXMwlLBa3nT87us163tM81DPQx9AFJUx1sE9g0IDqBG+eAlq0NzCAfotsHW6Yw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data/>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate/>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://*********/accedi/?spid_sso=out"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService index="0" isDefault="true" Location="https://*********/accedi/?spid_sso=in" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="it">Set 0</md:ServiceName>
<md:RequestedAttribute Name="name"/>
<md:RequestedAttribute Name="familyName"/>
<md:RequestedAttribute Name="fiscalNumber"/>
<md:RequestedAttribute Name="email"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="it">*********</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="it">*********</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">https://*********.it</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="other">
<md:Extensions>
<spid:IPACode>*********</spid:IPACode>
<spid:Public/>
</md:Extensions>
<md:EmailAddress>*********</md:EmailAddress>
<md:TelephoneNumber>*********</md:TelephoneNumber>
</md:ContactPerson>
</md:EntityDescriptor>

Come possiamo risolvere?

Grazie mille
@totolabs
Copy link
Contributor Author

totolabs commented Mar 3, 2024
edited
Loading

Aggiornamento dal fronte.

Abbiamo provato a:

  1. disattivare e riattivare il plugin
  2. disinstallare e reinstallare il plugin
  3. disinstallare, pulire ogni traccia del plugin nel db e reinstallare
    ma purtroppo il problema restava lì.

Quando avevamo quasi perso le speranze, abbiamo scoperto l'arcano: il limite di caratteri per la variabile sp_org_name aveva senso!
Se la variabile sp_org_name supera i 64 caratteri il file sp.crt viene genarato, ma resta vuoto (0 byte)!

Considerando che l'OrganizationName nel file metadata deve corrispondere al nome dell'ente indicato su IPA e non avendo mollte competenze in merito alla generazione dei certificati, al momento abbiamo risolto chiedendo all'ente di abbreviare il proprio nome nel registro IPA, in modo che ci sia la corrispondenza richiesta.

A questo punto bisognerebbe capire se è possibile generare il certificato con un OrganizationName più lungo di 64 caratteri, in modo da consentire una variabile sp_org_name di dimensioni adeguate.

In caso contrario sarà necessario modificare nuovamente il file admin/setting.php e aggiornare il contenuto della riga 109
da
<input id="sp_org_name" name="spid[sp_org_name]" type="text" value="<?php echo ( isset( $options['sp_org_name']) ? $options['sp_org_name'] : '' ); ?>" maxlength="300"/> your organization full name
a
<input id="sp_org_name" name="spid[sp_org_name]" type="text" value="<?php echo ( isset( $options['sp_org_name']) ? $options['sp_org_name'] : '' ); ?>" maxlength="64"/> your organization full name

@milesimarco pareri?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@totolabs