AuthnRequest not compatible with SPID specification #8

Closed
ewedlund opened this issue Mar 4, 2020 · 8 comments

Comments

@ewedlund

ewedlund commented Mar 4, 2020

It seems that the AuthnRequest generated is not compatible with the SPID specification, at least regarding the "Issuer" (see also italia/spid-regole-tecniche#15). Using the example app and https://github.com/italia/spid-testenv2 as IP I get the following errors when trying to make a request:

```
AuthnRequest/Issuer - attribute: Format | required key not provided
AuthnRequest/Issuer - attribute: NameQualifier | required key not provided
```

This does not seem to be an easy thing to fix since it is part of the SAML package, and not spid-django.

@dipalmabiagio

In order to fix this issue you have to create your own implementation of the OneLogin_Saml2_Templates class, editing the AUTHN_REQUEST; just add the required fields.

This is my implementation, for instance:
```python
AUTHN_REQUEST = """\
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
    <saml:Issuer NameQualifier="%(entity_id)s" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">%(entity_id)s</saml:Issuer>%(subject_str)s%(nameid_policy_str)s
    %(requested_authn_context_str)s
</samlp:AuthnRequest>"""
```
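The following is an added example, not code from this thread or from python3-saml: it renders an AuthnRequest from a template in the same `%(...)s` style as the one above and then runs the same Issuer check that spid-testenv2 applies, so you can confirm before deploying that `Format` and `NameQualifier` are present and consistent. The stock-looking `ISSUER_PLAIN` fragment, the template wrapper and all parameter values (`sp.example.test`, the ID, the timestamp) are constructed for the example; the SPID Issuer fragment is the one from the comment above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Format value the patched template above puts on the Issuer.
SPID_ISSUER_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Constructed stand-in for an Issuer without attributes: this shape is what
# produces the two spid-testenv2 errors quoted in the issue.
ISSUER_PLAIN = "<saml:Issuer>%(entity_id)s</saml:Issuer>"
# Issuer element as in the patched AUTHN_REQUEST from the comment above.
ISSUER_SPID = (
    '<saml:Issuer NameQualifier="%(entity_id)s" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">'
    "%(entity_id)s</saml:Issuer>"
)

# Constructed wrapper using the same placeholder names as python3-saml's template;
# %(issuer)s is filled in by build_template() before the final substitution.
AUTHN_REQUEST_TEMPLATE = """\
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
    %(issuer)s%(subject_str)s%(nameid_policy_str)s
    %(requested_authn_context_str)s
</samlp:AuthnRequest>"""

# Constructed sample parameters (placeholder hostnames, ID and timestamp).
SAMPLE_PARAMS: Dict[str, str] = {
    "id": "ONELOGIN_constructed-example-id",
    "provider_name": "",
    "force_authn_str": "",
    "is_passive_str": "",
    "issue_instant": "2020-03-04T10:00:00Z",
    "destination": "https://idp.example.test/sso",
    "assertion_url": "https://sp.example.test/saml2/acs",
    "attr_consuming_service_str": "",
    "entity_id": "https://sp.example.test/saml2/metadata",
    "subject_str": "",
    "nameid_policy_str": "",
    "requested_authn_context_str": "",
}


def build_template(issuer_fragment: str) -> str:
    """Splice an Issuer fragment into the wrapper, yielding one flat template."""
    return AUTHN_REQUEST_TEMPLATE.replace("%(issuer)s", issuer_fragment)


def render(template: str, params: Dict[str, str]) -> str:
    """Substitute the %(name)s placeholders exactly as python3-saml does."""
    return template % params


def check_spid_issuer(authn_request_xml: str) -> List[str]:
    """Return the SPID Issuer problems found; an empty list means the Issuer is fine.

    Messages mirror the spid-testenv2 output quoted in the issue so they can be
    compared against what the test IdP reports.
    """
    root = ET.fromstring(authn_request_xml)
    errors: List[str] = []
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    issuer = root.find("saml:Issuer", NS)
    if issuer is None:
        return ["AuthnRequest/Issuer - element missing"]
    for attr in ("Format", "NameQualifier"):
        if attr not in issuer.attrib:
            errors.append(
                "AuthnRequest/Issuer - attribute: %s | required key not provided" % attr
            )
    fmt = issuer.attrib.get("Format")
    if fmt is not None and fmt != SPID_ISSUER_FORMAT:
        errors.append("AuthnRequest/Issuer - attribute: Format | unexpected value %r" % fmt)
    # SPID wants NameQualifier to carry the SP entityID, i.e. the Issuer's own text.
    name_qualifier = issuer.attrib.get("NameQualifier")
    if name_qualifier is not None and name_qualifier != (issuer.text or "").strip():
        errors.append("AuthnRequest/Issuer - attribute: NameQualifier | does not match Issuer value")
    return errors


if __name__ == "__main__":
    for label, fragment in (("plain", ISSUER_PLAIN), ("spid", ISSUER_SPID)):
        problems = check_spid_issuer(render(build_template(fragment), SAMPLE_PARAMS))
        print(label, "->", problems or "OK")
```

Running the plain variant reproduces the two `required key not provided` messages from the issue; the patched variant passes. Dropping this check into the SP's test suite catches a template regression locally rather than at the first failed login against the test IdP.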

@ewedlund
Author

Thanks for the response! We actually decided to use the approach with a shibboleth reverse proxy instead. I will check this out though, still not sure which is the best approach.

@ewedlund
Author

Just started looking at this, and maybe I found out why it did not work for me. In the requirements for the demo app, there is a dependency that I think is wrong:

```
-r base.txt

# python3-saml needs to be manipulated in order to be compliand with SPID Identity Providers
https://github.com/spid-django-hack17/spid-django/archive/master.zip
```

I believe that the dependency should be

```
https://github.com/spid-django-hack17/python3-saml/archive/master.zip
```

This would make more sense (also considering the comment, and the commit that included this). I don't have time to test it now though.

@dipalmabiagio

I think that your issue is related to the XML models listed in OneLogin's library. I just edited the XML templates and it worked for me. Talking about the dependencies, you already install python3-saml using `pip3 install python3-saml`.

@peppelinux
Member

Hi, the project has been completely reworked and this issue has been resolved. Thanks and see you soon.

@ewedlund
Author

Hi, is there a reason why you decided to switch to pysaml2? It's a bit of a pity that you replaced the project instead of creating a new one (unless it's because python3-saml absolutely must not be used). We created a fork of this project which, using our own fork of python3-saml, is working: https://github.com/fondazionebordoni/spid-django, and we were thinking of opening a pull request (the problem of the python3-saml fork held us back).

@peppelinux
Member

Hi @ewedlund
I agree with you, but after consulting colleagues and those among the repo authors who replied, it was decided to do it this way. You can find the old project in the old repository. If the community's requests turn out to be substantial we could consider duplicating/splitting out the two projects.

@ewedlund
Author

Ok, thanks.
