italia/spid-django

Problems with the ACS endpoint

Closed this issue · 6 comments

While checking how an installation works, I ran into problems with the response of the view associated with the Assertion Consumer Service:

Errore di autenticazione

Accesso negato

Checking with the demo project, I see the same problem. In fact, using the spid-sp-test validator, it does not seem to pass validation of the authentication request. This is the result of a check on the spid-django demo project:

$ spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=spid-idp-test
INFO:spid_sp_test.metadata:Test http://localhost:8000/spid/metadata with saml-schema-metadata-2.0.xsd -> OK
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:The EntityID must be equal to http://localhost:8000/spid/metadata
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_EntityDescriptor
INFO:spid_sp_test.metadata:Only one SPSSODescriptor element must be present
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_xmldsig: OK
INFO:spid_sp_test.metadata:The Signature element must be present - TR pag. 19
INFO:spid_sp_test.metadata:The SignatureMethod element must be present - TR pag. 19
INFO:spid_sp_test.metadata:The Algorithm attribute must be present in SignatureMethod element - TR pag. 19
INFO:spid_sp_test.metadata:The signature algorithm must be valid - TR pag. 19
INFO:spid_sp_test.metadata:The DigestMethod element must be present - TR pag. 19
INFO:spid_sp_test.metadata:The Algorithm attribute must be present in DigestMethod element - TR pag. 19
INFO:spid_sp_test.metadata:The digest algorithm must be valid - TR pag. 19
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Signature
INFO:spid_sp_test.metadata:At least one signing KeyDescriptor must be present - TR pag. 19
INFO:spid_sp_test.metadata:At least one signing x509 must be present - TR pag. 19
INFO:spid_sp_test.metadata:At least one encryption x509 must be present - TR pag. 19
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_KeyDescriptor
INFO:spid_sp_test.metadata:One or more SingleLogoutService elements must be present - AV n. 3
INFO:spid_sp_test.metadata:The Binding attribute in SingleLogoutService element must be present - AV n. 3
INFO:spid_sp_test.metadata:The Binding attribute in SingleLogoutService element must have a value
INFO:spid_sp_test.metadata:The Binding attribute in SingleLogoutService element must be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] - AV n. 3
INFO:spid_sp_test.metadata:The Location attribute in SingleLogoutService element must be present - AV n. 3
INFO:spid_sp_test.metadata:The Location attribute in SingleLogoutService element must have a value
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SingleLogoutService
INFO:spid_sp_test.metadata:At least one AssertionConsumerService must be present - TR pag. 20
INFO:spid_sp_test.metadata:The index attribute must be present - TR pag. 20
INFO:spid_sp_test.metadata:The index attribute must be >= 0 - TR pag. 20
INFO:spid_sp_test.metadata:The Binding attribute must be present - TR pag. 20
INFO:spid_sp_test.metadata:The Binding attribute must be one of [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] - TR pag. 20
INFO:spid_sp_test.metadata:The Location attribute must be present - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService
INFO:spid_sp_test.metadata:One or more AttributeConsumingService elements must be present - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService
INFO:spid_sp_test.metadata:Only one Organization element can be present - TR pag. 20
INFO:spid_sp_test.metadata:One or more OrganizationName elements must be present - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationName element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationName element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationName element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationName element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:One or more OrganizationDisplayName elements must be present - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationDisplayName element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationDisplayName element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationDisplayName element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationDisplayName element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:One or more OrganizationURL elements must be present - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationURL element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationURL element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:The lang attribute in OrganizationURL element must be present - TR pag. 20
INFO:spid_sp_test.metadata:The OrganizationURL element must have a value - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_Organization
INFO:spid_sp_test.metadata:Test http://localhost:8000/spid/metadata with saml-schema-metadata-sp-spid.xsd -> OK
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.xsd_check
INFO:spid_sp_test.metadata:The protocolSupportEnumeration attribute must be present - TR pag. 20
INFO:spid_sp_test.metadata:The protocolSupportEnumeration attribute must have a value - TR pag. 20
INFO:spid_sp_test.metadata:The AuthnRequestsSigned attribute must be present - TR pag. 20
INFO:spid_sp_test.metadata:The AuthnRequestsSigned attribute must have a value - TR pag. 20
INFO:spid_sp_test.metadata:The AuthnRequestsSigned attribute must be true - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_SPSSODescriptor_SPID
INFO:spid_sp_test.metadata:Only one default AssertionConsumerService must be present - TR pag. 20
INFO:spid_sp_test.metadata:Must be present the default AssertionConsumerService with index = 0 - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AssertionConsumerService__SPID
INFO:spid_sp_test.metadata:The index attribute in AttributeConsumigService element must be present
INFO:spid_sp_test.metadata:The index attribute in AttributeConsumigService element must be >= 0 - TR pag. 20
INFO:spid_sp_test.metadata:The ServiceName element must be present
INFO:spid_sp_test.metadata:The ServiceName element must have a value
INFO:spid_sp_test.metadata:One or more RequestedAttribute elements must be present - TR pag. 20
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "spidCode" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "name" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "familyName" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "fiscalNumber" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "email" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "gender" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "companyName" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "registeredOffice" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "ivaCode" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "idCard" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "digitalAddress" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "placeOfBirth" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "countyOfBirth" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "dateOfBirth" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "address" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "mobilePhone" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:The Name attribute in RequestedAttribute element must be present - TR pag. 20 and AV n. 6
INFO:spid_sp_test.metadata:The "expirationDate" attribute in RequestedAttribute element must be valid
INFO:spid_sp_test.metadata:AttributeConsumigService must not contain duplicated RequestedAttribute - TR pag. 20
INFO:spid_sp_test.metadata:SpidSpMetadataCheck.test_AttributeConsumingService_SPID
Traceback (most recent call last):
  File "/home/brunato/.virtualenvs/spid-sp-test/bin/spid_sp_test", line 256, in <module>
    authn_check = SpidSpAuthnReqCheck(**data_ac)
  File "/home/brunato/.virtualenvs/spid-sp-test/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 133, in __init__
    self.authn_request = get_authn_request(authn_request_url,
  File "/home/brunato/.virtualenvs/spid-sp-test/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 61, in get_authn_request
    raise Exception(('Authn Request page returns a HTML error '
Exception: Authn Request page returns a HTML error code: 404

I'll check ASAP

In the meantime, give me info on the versions you are using of Django, djangosaml2, spid-sp-test and spid-django

They are the latest:

  Django              3.2.2
  djangosaml2         1.1.5
  djangosaml2-spid    0.7.3
  spid-sp-test        0.5.9.post3

Hi dear, I'm in another location and, with an old laptop, I set everything up from scratch.
Using spid-django and spid-sp-test from the master branch I have no problems: Spid QA: executed 273 tests, 0 failed.

(env) ~/DEV/Spid/spid-sp-test$ python3 src/spid_sp_test/spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 -tr 

What do we do?
If you get a 404 the URL is wrong, check the urls and the services in the metadata

here is the error

http://localhost:8000/spid/login/?idp=spid-idp-test

use this
--authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080

this is the punishment from heaven for when you send me PRs on the master branch ;)

I had taken the URL from the examples in the spid-sp-test README.

With:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 -tr

it passes correctly:

...
INFO:spid_sp_test:SpidSpResponseCheck
Spid QA: executed 271 tests, 0 failed.

Thanks!

spid-sp-test README fixed, thanks!