Merge pull request #47 from isprambiente/master

Enable eIDAS login with ficep node
italia · Jan 31, 2022 · 39f71a0 · 39f71a0
2 parents c54491f + db62461
commit 39f71a0
Show file tree

Hide file tree

Showing 15 changed files with 637 additions and 32 deletions.
diff --git a/example/backends/spidsaml2.py b/example/backends/spidsaml2.py
@@ -218,38 +218,53 @@ def _metadata_endpoint(self, context):
         conf = self.sp.config
 
         metadata = entity_descriptor(conf)
+
         # creare gli attribute_consuming_service
-        cnt = 0
-        for (
-            attribute_consuming_service
-        ) in metadata.spsso_descriptor.attribute_consuming_service:
-            attribute_consuming_service.index = str(cnt)
-            cnt += 1
-
-        cnt = 0
-        for (
-            assertion_consumer_service
-        ) in metadata.spsso_descriptor.assertion_consumer_service:
-            assertion_consumer_service.is_default = "true" if not cnt else ""
-            assertion_consumer_service.index = str(cnt)
-            cnt += 1
-
-        # nameformat patch... tutto questo non rispecchia gli standard OASIS
-        for reqattr in metadata.spsso_descriptor.attribute_consuming_service[
-            0
-        ].requested_attribute:
+        metadata.spsso_descriptor.attribute_consuming_service[0].index = '0'
+        metadata.spsso_descriptor.attribute_consuming_service[0].service_name[0].lang = "it"
+        metadata.spsso_descriptor.attribute_consuming_service[0].service_name[0].text = metadata.entity_id
+        for reqattr in metadata.spsso_descriptor.attribute_consuming_service[0].requested_attribute:
             reqattr.name_format = None
             reqattr.friendly_name = None
 
-        # attribute consuming service service name patch
-        service_name = metadata.spsso_descriptor.attribute_consuming_service[
-            0
-        ].service_name[0]
-        service_name.lang = "it"
-        service_name.text = metadata.entity_id
-
-        # remove extension disco and uuinfo (spid-testenv2)
-        # metadata.spsso_descriptor.extensions = []
+        metadata.spsso_descriptor.assertion_consumer_service[0].index = '0'
+        metadata.spsso_descriptor.assertion_consumer_service[0].is_default = 'true'
+
+        if self.config["sp_config"]["ficep_enable"] is True:
+            # Aggiungere CIE 99
+            metadata.spsso_descriptor.attribute_consuming_service.append(saml2.md.AttributeConsumingService())
+            metadata.spsso_descriptor.attribute_consuming_service[1].index = '99'
+            metadata.spsso_descriptor.attribute_consuming_service[1].service_name.append(saml2.md.ServiceName())
+            metadata.spsso_descriptor.attribute_consuming_service[1].service_name[0].lang = "it"
+            metadata.spsso_descriptor.attribute_consuming_service[1].service_name[0].text = "eIDAS Natural Person Minimum Attribute Set"
+            metadata.spsso_descriptor.attribute_consuming_service[1].requested_attribute = [
+                    saml2.md.RequestedAttribute('true', None, 'spidCode'),
+                    saml2.md.RequestedAttribute('true', None, 'name'),
+                    saml2.md.RequestedAttribute('true', None, 'familyName'),
+                    saml2.md.RequestedAttribute('true', None, 'dateOfBirth'),
+                    ]
+
+            metadata.spsso_descriptor.assertion_consumer_service[1].index = '99'
+            metadata.spsso_descriptor.assertion_consumer_service[1].is_default = None
+
+            # Aggiungere CIE 100
+            metadata.spsso_descriptor.attribute_consuming_service.append(saml2.md.AttributeConsumingService())
+            metadata.spsso_descriptor.attribute_consuming_service[2].index = '100'
+            metadata.spsso_descriptor.attribute_consuming_service[2].service_name.append(saml2.md.ServiceName())
+            metadata.spsso_descriptor.attribute_consuming_service[2].service_name[0].lang = "it"
+            metadata.spsso_descriptor.attribute_consuming_service[2].service_name[0].text = "eIDAS Natural Person Full Attribute Set"
+            metadata.spsso_descriptor.attribute_consuming_service[2].requested_attribute = [
+                    saml2.md.RequestedAttribute('true', None, 'spidCode'),
+                    saml2.md.RequestedAttribute('true', None, 'name'),
+                    saml2.md.RequestedAttribute('true', None, 'familyName'),
+                    saml2.md.RequestedAttribute('true', None, 'dateOfBirth'),
+                    saml2.md.RequestedAttribute('true', None, 'placeOfBirth'),
+                    saml2.md.RequestedAttribute('true', None, 'address'),
+                    saml2.md.RequestedAttribute('true', None, 'gender'),
+                    ]
+
+            metadata.spsso_descriptor.assertion_consumer_service[2].index = '100'
+            metadata.spsso_descriptor.assertion_consumer_service[2].is_default = None
 
         # load ContactPerson Extensions
         self._metadata_contact_person(metadata, conf)
@@ -360,7 +375,11 @@ def authn_request(self, context, entity_id):
             authn_req.destination = location
             # spid-testenv2 preleva l'attribute consumer service dalla authnRequest
             # (anche se questo sta già nei metadati...)
-            authn_req.attribute_consuming_service_index = "0"
+            # Imposta il consuming_service_index in base al default di ficep per le richieste ficep, oppure a '0' per le richieste spid
+            if entity_id == self.config["sp_config"]["ficep_entity_id"]:
+                authn_req.attribute_consuming_service_index = str(self.config["sp_config"]["ficep_default_acs_index"])
+            else:
+                authn_req.attribute_consuming_service_index = "0"
 
             issuer = saml2.saml.Issuer()
             issuer.name_qualifier = client.config.entityid

diff --git a/example/metadata/idp/ficep.xml b/example/metadata/idp/ficep.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_af9a441e29ce11eb8c9d0242ac110002" cacheDuration="P0Y0M30DT0H0M0.000S" entityID="https://sp-proxy.eid.gov.it/spproxy/idpit"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+<ds:Reference URI="">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+<ds:DigestValue>C/11EIgvQoa04VxGpjtx0MgWAq3sgQFaGvGXc1NqNZzPsSp6ez8Xb3EsxDUuapBU03kJdwGWmCgQ
+oEkerdQWcg==</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+PNxUmVGIErNxau4yvSaHBud4ZuJtRhpPlOv3PShskLRsQIfYbTNswJ0TKV3/4ryyI+TYR83F/oMb
+4fG+UcnSCQI40hkE4mg+ywaN2ApfS8a5qsOIbamEUi5U/R2aStTQJAl0e+4Szqe9WoAroAaLdo3F
+Lq+btlyfvNx/Wr/OlICGYk4Qi240NP1ymV8y5ny4TQCrfPqIxG2DtwFn4+J9njrSUfDb9QbK/kOc
+m5depcNjQVq2vBnEZozjOqsbfDuLhqH66QycA2INm/cstzFXmcY7dWkbCf9lBKPgXWktSsW4xf26
+AIK1XLc+MldXecKL86dHxEBxrQ/Joeu33wYfDOAjwJ/TuZekPXbpJbzYe8MwWm5SSiy7Thg3t/Hc
+aBKuFeaDW50Gz9tOM5xwiS8LysnO+Mnw5VjhWKdV94U2gfZwJSAU58JyBK/rz0TOS1sy99t8T2XX
+JP8cUjy10tmv3GulXCU0Enjzosw/AfITJtgnGYdN4nXxA2Gtu5mgN1fM
+</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:KeyValue>
+<ds:RSAKeyValue>
+<ds:Modulus>
+zCP1ETxEdB0VssVjH3Nf5/n6YrZyY/Culd3lJIHTbACXPM/APgAWIIk9hcp23rGSH6YDWpxUYGFi
+/SdkRgPhXuzfDMcMdnO8rMQ3BGh81lVL1pUxmRtCQzGhurZ2C0Kzyp/fFlE1WFuMq92arU/q7vFt
+a/h84YCZMmIrW/9vQzyLjSbN1kbq9nljfxRLzc5XBZxogbV7UPLclnfqlxb1Wpr5fsZa8DuqVKyT
+8ZEA4BE8ibU/1KW0tScjXSpU7sKPIPif4EiyQwRP+vLENqsW0iUG5Nq5VCpXQijsReCdsOgER5CR
+6XlaSp8Nt5/Zee5Gu808i1+GSw9zv18tbaGBGdPRYCf1G/1GpNqJNdtQVOBrnKI1UEsY7JONzvnr
+78PBD4oFyxkVYhD+IEb/98L9o1GotR/EmSaqccrdUUVnOhnxReb88lKJyH3Zane8UI/Jwtwvh8JR
+2sSntYcgKly8hyCtN9+x6XqY6l5UsAIjn67rT74YyWso1w3KX6j5fdEr
+</ds:Modulus>
+<ds:Exponent>AQAB</ds:Exponent>
+</ds:RSAKeyValue>
+</ds:KeyValue>
+<ds:X509Data>
+<ds:X509Certificate>
+MIIFCTCCA3GgAwIBAgIUHGXIsxFzz3ZDh6TyQA3c0wfGRR4wDQYJKoZIhvcNAQELBQAwga4xCzAJ
+BgNVBAYTAklUMS0wKwYDVQQKDCRBZ2VuemlhIHBlciBsJ0l0YWxpYSBEaWdpdGFsZSAtIEFnSUQx
+KDAmBgNVBAsMH0ZJQ0VQIFByb2R1Y3Rpb24gSW5mcmFzdHJ1Y3R1cmUxRjBEBgNVBAMMPVB1Ymxp
+YyBBZG1pbmlzdHJhdGlvbiBTUCBQUk9YWSBJRFAtSVQgU0FNTCBNZXRhZGF0YSBTaWduYXR1cmUw
+HhcNMjAxMTE4MTYzNDMwWhcNMjIxMTE4MTYzNDMwWjCBrjELMAkGA1UEBhMCSVQxLTArBgNVBAoM
+JEFnZW56aWEgcGVyIGwnSXRhbGlhIERpZ2l0YWxlIC0gQWdJRDEoMCYGA1UECwwfRklDRVAgUHJv
+ZHVjdGlvbiBJbmZyYXN0cnVjdHVyZTFGMEQGA1UEAww9UHVibGljIEFkbWluaXN0cmF0aW9uIFNQ
+IFBST1hZIElEUC1JVCBTQU1MIE1ldGFkYXRhIFNpZ25hdHVyZTCCAaIwDQYJKoZIhvcNAQEBBQAD
+ggGPADCCAYoCggGBAMwj9RE8RHQdFbLFYx9zX+f5+mK2cmPwrpXd5SSB02wAlzzPwD4AFiCJPYXK
+dt6xkh+mA1qcVGBhYv0nZEYD4V7s3wzHDHZzvKzENwRofNZVS9aVMZkbQkMxobq2dgtCs8qf3xZR
+NVhbjKvdmq1P6u7xbWv4fOGAmTJiK1v/b0M8i40mzdZG6vZ5Y38US83OVwWcaIG1e1Dy3JZ36pcW
+9Vqa+X7GWvA7qlSsk/GRAOARPIm1P9SltLUnI10qVO7CjyD4n+BIskMET/ryxDarFtIlBuTauVQq
+V0Io7EXgnbDoBEeQkel5WkqfDbef2XnuRrvNPItfhksPc79fLW2hgRnT0WAn9Rv9RqTaiTXbUFTg
+a5yiNVBLGOyTjc756+/DwQ+KBcsZFWIQ/iBG//fC/aNRqLUfxJkmqnHK3VFFZzoZ8UXm/PJSich9
+2Wp3vFCPycLcL4fCUdrEp7WHICpcvIcgrTffsel6mOpeVLACI5+u60++GMlrKNcNyl+o+X3RKwID
+AQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIGwDANBgkqhkiG9w0BAQsFAAOCAYEAYGTD
+coZ83sLwP0nlqS2QSUswVRNg+C/6nvncE+R4R82tt1Ri5FUfDIqm4z5SIOFTV87PP+k3bV6PdfMr
+pojY8zE1Tdq+JMlCupeps1nzU4nJTSWCqE2Bhmc8TO2QZt6h+uLAFV3u3U1TL+yz0V6xPyygqCTh
+dv9CsauXvxmvEtStcIojE6sS2M9ycJQicvRvFZE+Xp+YxvoDlMW/tLVDpVVjaE31CRBEySH2t9iD
+1REnOpw6405+XzMPTKuv1lEpR35Ia/QWnIhUE/u5KRkCINXGvFYmTaboWSzWsFdltl3N8iYFVadf
+XPgKXs4rLnORv4SVx/bnUvpQJ7S0qVvOnFRgTRljNAHl1lgQpU2j1AXaba0y/iGpGd71IBLqLyzY
+P9CjMvLkTDf8DrOnHw5dhxWQ6qRdgUTeC+71yzzX8O+CM6MUM2YdUDpwOWm3xAKqnx/WDc7Eixeo
+yEcURFVsjUQ3fapOA3bYeQ4p02xglKd/MaFaAmav/E7vpaDmY8Ri
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>MIIE9zCCA1+gAwIBAgIUN10AiTpTrsmjxyIGD8mQ/SmZiR0wDQYJKoZIhvcNAQELBQAwgaUxCzAJBgNVBAYTAklUMS0wKwYDVQQKDCRBZ2VuemlhIHBlciBsJ0l0YWxpYSBEaWdpdGFsZSAtIEFnSUQxKDAmBgNVBAsMH0ZJQ0VQIFByb2R1Y3Rpb24gSW5mcmFzdHJ1Y3R1cmUxPTA7BgNVBAMMNFB1YmxpYyBBZG1pbmlzdHJhdGlvbiBTUCBQUk9YWSBJRFAtSVQgU0FNTCBTaWduYXR1cmUwHhcNMjAxMTE4MTYzNDMwWhcNMjIxMTE4MTYzNDMwWjCBpTELMAkGA1UEBhMCSVQxLTArBgNVBAoMJEFnZW56aWEgcGVyIGwnSXRhbGlhIERpZ2l0YWxlIC0gQWdJRDEoMCYGA1UECwwfRklDRVAgUHJvZHVjdGlvbiBJbmZyYXN0cnVjdHVyZTE9MDsGA1UEAww0UHVibGljIEFkbWluaXN0cmF0aW9uIFNQIFBST1hZIElEUC1JVCBTQU1MIFNpZ25hdHVyZTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANA72VpSvAnN+F2T/ikVfPW8i8rtw8IcoRb8iCFHlf99y3A+R/xk8fPjz7vzC6HrUW55VyXg2Bt1NN4hqLzoLhbw4mSomdOUdZf4rUGoMFIUMch7eH9RNsyLmZotAZZ+wSGMkJeuGNJ+agiQqMDLO00fOv938d1g38tLCgxOYyosjq/KYjxatXcXhTgCNWUo3fDy5q/F9Ev0HuIX9YJdqpCDyfwaypycyaDtATZhV7pBjASxHwGVJm2e1Jif8iydpHhmK/f7slLhAidzWSrBV9XzyV8rTd3OOWXrVahsYEzNuRXdJFTaPgmjAj6dMPmfZzVXOlr1smFF1KfP/7VcFMC8lgOevMdGADtOORN4ZLdsCdnHPQlPDT9CKAuAqQynbIz+7nZZ7nSJmPFSzjQ44zKvQPzPOqLLXwvAIq8d7Wz1oF9U9fsBm3/4RDVav4kt0lSFASLieNPvXQlAcs1DAXOP2ix0LaeB+ggoeRtC1VOpwbTFDvObsEYnBRCZM4XRLQIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIGwDANBgkqhkiG9w0BAQsFAAOCAYEAJuuvqsFNLRiYHX0OFC/xrHiecKF+BPbh/VRJRUQyPPTT9j4YE+OrmrWuXIekmKDX9reSSHYIjul1XQQyM0d3xKFPyrgoOXzsOZqvOBMOqYC3t4XW281UFXRx9TYaWK26SOi/C/2NR+SUHEZTUNYTAoMu6jJXkl9PbFMHMal8OWLUB6AhshITiLhU4ax3uoAo/Aytap2wxEZYH9a5rlcHdZ8uHv9bnllLeVxyCZNEfYMWSTOM+QyvMfsjQ2UsTXADPztNAqfRXsg3O8oulHF89Lr70vEd0eHxnnqg/kawFuCI6WPdeSWWZVP59QyVUea1IZc//83kLaltny3yg2apoldp4EVZ70KdgOus659ezOXFHOqy7FUzpULhT44UzYHthfFsiOwAm4TISXr6NjyvmFU7HQC5xQJ9TnYIFZumL3IPtUO8zImAgKCoueH+06j4Ubs15YlYjSjjDmzxawuXPVavVuzR/GjY8MVm4yU1nD4g7bkW3W0U0o1I0UpNCVaX</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp-proxy.eid.gov.it/spproxy/samlslo" ResponseLocation="https://sp-proxy.eid.gov.it/spproxy/samlslo"/>
+<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp-proxy.eid.gov.it/spproxy/samlslo" ResponseLocation="https://sp-proxy.eid.gov.it/spproxy/samlslo"/>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp-proxy.eid.gov.it/spproxy/samlsso"/>
+<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp-proxy.eid.gov.it/spproxy/samlsso"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Domicilio fisico" Name="address"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Ragione o denominazione sociale" Name="companyName"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Provincia di nascita" Name="countyOfBirth"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Data di nascita" Name="dateOfBirth"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Domicilio digitale" Name="digitalAddress"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Indirizzo di posta elettronica" Name="email"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Data di scadenza identita" Name="expirationDate"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Cognome" Name="familyName"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Codice fiscale" Name="fiscalNumber"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Sesso" Name="gender"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Documento d'identita" Name="idCard"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Partita IVA" Name="ivaCode"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Numero di telefono mobile" Name="mobilePhone"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Nome" Name="name"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Luogo di nascita" Name="placeOfBirth"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Sede legale" Name="registeredOffice"/>
+<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Codice identificativo SPID" Name="spidCode"/>
+</md:IDPSSODescriptor>
+<md:Organization>
+<md:OrganizationName xml:lang="it">Agenzia per l'Italia Digitale - AgID</md:OrganizationName>
+<md:OrganizationName xml:lang="en">Agenzia per l'Italia Digitale - AgID</md:OrganizationName>
+<md:OrganizationName xml:lang="fr">Agenzia per l'Italia Digitale - AgID</md:OrganizationName>
+<md:OrganizationName xml:lang="de">Agenzia per l'Italia Digitale - AgID</md:OrganizationName>
+<md:OrganizationDisplayName xml:lang="it">Agenzia per l'Italia Digitale - AgID</md:OrganizationDisplayName>
+<md:OrganizationDisplayName xml:lang="en">Agenzia per l'Italia Digitale - AgID</md:OrganizationDisplayName>
+<md:OrganizationDisplayName xml:lang="fr">Agenzia per l'Italia Digitale - AgID</md:OrganizationDisplayName>
+<md:OrganizationDisplayName xml:lang="de">Agenzia per l'Italia Digitale - AgID</md:OrganizationDisplayName>
+<md:OrganizationURL xml:lang="it">https://www.agid.gov.it</md:OrganizationURL>
+<md:OrganizationURL xml:lang="en">https://www.agid.gov.it/en</md:OrganizationURL>
+<md:OrganizationURL xml:lang="fr">https://www.agid.gov.it/fr</md:OrganizationURL>
+<md:OrganizationURL xml:lang="de">https://www.agid.gov.it/de</md:OrganizationURL>
+</md:Organization>
+</md:EntityDescriptor>
diff --git a/example/plugins/backends/spidsaml2_backend.yaml b/example/plugins/backends/spidsaml2_backend.yaml
@@ -47,6 +47,9 @@ config:
       # mdq:
       #  - url: "http://mdq.auth.unical.it/static/sha1"
           # cert: mdq.pem
+    ficep_enable: True
+    ficep_entity_id: https://sp-proxy.eid.gov.it/spproxy/idpit
+    ficep_default_acs_index: 99
 
     entityid: '<base_url>/<name>/metadata'
     accepted_time_diff: 10
@@ -121,6 +124,8 @@ config:
         endpoints:
           assertion_consumer_service:
           - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+          - [<base_url>/<name>/acs/99/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+          - [<base_url>/<name>/acs/100/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
           single_logout_service:
           - [<base_url>/<name>/ls/post/, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
           discovery_response:

diff --git a/example/plugins/microservices/target_based_routing.yaml b/example/plugins/microservices/target_based_routing.yaml
@@ -18,3 +18,4 @@ config:
     "https://identity.sieltecloud.it": "spidSaml2"
     "https://spid.register.it": "spidSaml2"
     "https://login.id.tim.it/affwebservices/public/saml2sso": "spidSaml2"
+    "https://sp-proxy.eid.gov.it/spproxy/idpitmetadata": "spidSaml2"
diff --git a/example/static/disco.html b/example/static/disco.html
@@ -8,6 +8,7 @@
     <link rel="stylesheet" href="spid/bootstrap-italia.css">
     <link rel="shortcut icon" href="spid/favicon-32x32.png">
     <link type="text/css" rel="stylesheet" href="spid/spid-sp-access-button.css">
+    <link type="text/css" rel="stylesheet" href="eidas/css/eidas-sp-access-button.min.css">
     <script src="spid/spid-idps.js"></script>
   </head>
   <body>
@@ -125,11 +126,14 @@ <h3 class="no_toc">Entra con SPID</h3>
       <div class="container">
         <div class="col-12 py-md-5 bd-content">
           <h4 class="">Benvenuto in Nome Organizzazione Spid Discovery Service</h4>
-          <p class="mb-lg-5 mb-2">
-            SPID è il sistema di accesso che consente di utilizzare, con un'identità digitale unica, i servizi online della Pubblica Amministrazione e dei privati accreditati.
+          <p>
+	    <b>SPID</b> è il sistema di accesso che consente di utilizzare, con un'identità digitale unica, i servizi online della Pubblica Amministrazione e dei privati accreditati.
             Se sei già in possesso di un'identità digitale, accedi con le credenziali del tuo gestore.
             Se non hai ancora una identità SPID richiedila ad uno dei gestori.
           </p>
+	  <p class="mb-lg-5">
+	  <b>eIDAS</b> è il sistema di interoperabilità delle identità digitale europeo. Tramite eIDAS puoi accedere utilizzando il sistema di identità digitale degli altri paesi europei.
+	  </p>
 
           <p>
             Seleziona il Provider di Identità presso il quale desideri autenticarti
@@ -149,7 +153,7 @@ <h4 class="">Benvenuto in Nome Organizzazione Spid Discovery Service</h4>
                         </a>
                     </div>
                     -->
-                  <div class="col-sm text-center">
+                  <div class="col-lg-6 pb-2 text-center">
                     <!-- AGID - SPID IDP BUTTON SMALL "ENTRA CON SPID" * begin * -->
 		    <a href="#" class="italia-it-button italia-it-button-size-xl button-spid" spid-idp-button="#spid-idp-button-xlarge-post" aria-haspopup="true" aria-expanded="false">
 		      <span class="italia-it-button-icon"><img src="spid/spid-ico-circle-bb.svg" onerror="this.src='img/spid-ico-circle-bb.png'; this.onerror=null;" alt=""></span>
@@ -163,7 +167,17 @@ <h4 class="">Benvenuto in Nome Organizzazione Spid Discovery Service</h4>
 		      </ul>
 		    </div>
                     <!-- AGID - SPID IDP BUTTON SMALL "ENTRA CON SPID" * end * -->
+		    <br/>
+                  </div>
+                  <div class="col-lg-6 text-center">
+      		    <!-- AGID - eIDAS IDP BUTTON SMALL "ENTRA CON SPID" * begin * -->
+                    <a href="/Saml2/disco?entityID=https://sp-proxy.eid.gov.it/spproxy/idpit&return=https://sso.isprambiente.it/Saml2/disco" class="italia-it-button italia-it-button-size-xl button-eidas" eidas-idp-button="#eidas-idp-button-xlarge-post" aria-haspopup="false" aria-expanded="false">
+                      <span class="italia-it-button-icon"><img src="eidas/img/ficep-it-eidas-ybw.svg" onerror="this.src='eidas/img/ficep-it-eidas-ybw.png'; this.onerror=null;" alt="" /></span>
+                      <span class="italia-it-button-text">Login with eIDAS</span>
+                    </a>
+                    <!-- AGID - eIDAS IDP BUTTON SMALL "ENTRA CON eIDAS" * end * -->
                   </div>
+
                 </div>
               </div>
             </div>