Repository files navigation

Golang package for SPID authentication

This Go package is aimed at implementing SPID Service Providers.SPID is the Italian digital identity system, which enables citizens to access all public services with single set of credentials. This module provides a layer of abstraction over the SAML protocol by exposing just the subset required in order to implement SPID authentication in a web application.

Theexample/ directory contains a demo web application. Just follow these steps in order to test it withspid-saml-check:

1. Clone this package:

   git clone github.com/italia/spid-gocd spid-go

2. Install and runspid-saml-check as a Docker container (note:this bug in spid-saml-check prevents it from working with a non-HTTPS Service Provider so you'll have to apply a patch).

3. Get the Identity Provider metadata exposed by spid-saml-check:

   curl -o sample_data/test_idp/spid-saml-check.xml https://localhost:8443/metadata.xml

4. Run the demo Service Provider provided with this package:

   cd examplego run service.go

5. Open the spid-saml-check interface athttps://localhost:8443 and load the Service Provider metadata. Since spid-saml-check is running inside a Docker container, you'll have to use this URL:http://host.docker.internal:8000/metadata (if you want to open it from your browser, just usehttp://localhost:8000/metadata)

6. Perform (and enjoy) the metadata validation on spid-saml-check.

7. Openhttp://localhost:8000 and proceed with the full authentication test.

If you want to generate your own key and certificate:

1. Use theSPID compliant certificate builder

2. The above tool will create aPKCS#8 private key (key.pem) and a certificate (crt.pem). This package can handle RSA keys both in PKCS#8 and in PKCS#1 format.If you like to use the PKCS#1 format, we need to extract the RSA private key from the PKCS#8 file. In order to do this, we need to run this command:

   openssl rsa -in key.pem -out key.rsa.pem

Compliance withSPID regulations (for Service Providers)
Metadata:
parsing of IdP XML metadata (1.2.2.4)	✓
support for multiple signing certificates in IdP XML metadata (1.2.2.4)	✓
parsing of AA XML metadata (2.2.4)
SP XML metadata generation (1.3.2)	✓
AuthnRequest generation (1.2.2.1):
generation of AuthnRequest XML	✓
HTTP-Redirect binding	✓
HTTP-POST binding	✓
AssertionConsumerServiceURL customization	✓
AssertionConsumerServiceIndex customization	✓
AttributeConsumingServiceIndex customization	✓
AuthnContextClassRef (SPID level) customization	✓
RequestedAuthnContext/@Comparison customization	✓
RelayState customization (1.2.2)	✓
Response/Assertion parsing
verification ofSignature value (if any)	✓
verification ofSignature certificate (if any) against IdP/AA metadata	✓
verification ofAssertion/Signature value	✓
verification ofAssertion/Signature certificate against IdP/AA metadata	✓
verification ofSubjectConfirmationData/@Recipient	✓
verification ofSubjectConfirmationData/@NotOnOrAfter	✓
verification ofSubjectConfirmationData/@InResponseTo	✓
verification ofIssuer	✓
verification ofAssertion/Issuer	✓
verification ofDestination	✓
verification ofConditions/@NotBefore	✓
verification ofConditions/@NotOnOrAfter	✓
verification ofAudience	✓
parsing of Response with noAssertion (authentication/query failure)	✓
parsing of failureStatusCode (Requester/Responder)	✓
Response/Assertion parsing for SSO (1.2.1, 1.2.2.2, 1.3.1):
parsing ofNameID	✓
parsing ofAuthnContextClassRef (SPID level)	✓
parsing of attributes	✓
Response/Assertion parsing for attribute query (2.2.2.2, 2.3.1):
parsing of attributes
LogoutRequest generation (for SP-initiated logout):
generation of LogoutRequest XML	✓
HTTP-Redirect binding	✓
HTTP-POST binding	✓
LogoutResponse parsing (for SP-initiated logout):
parsing of LogoutResponse XML	✓
verification ofResponse/Signature value (if any)	✓
verification ofResponse/Signature certificate (if any) against IdP metadata	✓
verification ofIssuer	✓
verification ofDestination	✓
PartialLogout detection	✓
LogoutRequest parsing (for third-party-initiated logout):
parsing of LogoutRequest XML	✓
verification ofResponse/Signature value (if any)	✓
verification ofResponse/Signature certificate (if any) against IdP metadata	✓
verification ofIssuer	✓
verification ofDestination	✓
parsing ofNameID	✓
LogoutResponse generation (for third-party-initiated logout):
generation of LogoutResponse XML	✓
HTTP-Redirect binding	✓
HTTP-POST binding	✓
PartialLogout customization	✓
AttributeQuery generation (2.2.2.1):
generation of AttributeQuery XML
SOAP binding (client)

Compliance withSPID regulations (for Attribute Authorities)
Metadata:
parsing of SP XML metadata (1.3.2)
AA XML metadata generation (2.2.4)
AttributeQuery parsing (2.2.2.1):
parsing of AttributeQuery XML
verification ofSignature value
verification ofSignature certificate against SP metadata
verification ofIssuer
verification ofDestination
parsing ofSubject/NameID
parsing of requested attributes
Response/Assertion generation (2.2.2.2):
generation ofResponse/Assertion XML
Signature

• Generation of SPID button markup

• SPID page on Developers Italia

• Alessandro Ranellucci (maintainer) -Team per la Trasformazione Digitale - Presidenza del Consiglio dei Ministri
  • a.ranellucci@governo.it