
if AuthnRequest RequestedAuthnContext Comparison is set to minimum, ForceAuthn must be set to true? #94

Closed
simevo opened this issue Jan 12, 2020 · 7 comments
Labels: bug (Something isn't working)

@simevo (Collaborator) commented Jan 12, 2020

see this comment: #84 (comment)

@umigliore can you provide a normative reference for this? thanks!

@simevo (Collaborator, Author) commented Jan 13, 2020

if the answer is yes, we can implement it as in here: fc61f0e#diff-d701c062084416d9da7c836d589226e5R24
or with:

```php
// Take the Comparison value from the SP settings, falling back to the SAML default "exact".
if (isset($this->idp->sp->settings['sp_comparison'])) {
    $comparison = $this->idp->sp->settings['sp_comparison'];
} else {
    $comparison = "exact";
}
// $level is the requested SPID level (1, 2 or 3). ForceAuthn is required above
// SpidL1, and also with "minimum", since the IdP may then step up to L2/L3.
$force = ($level > 1 || $comparison == "minimum") ? "true" : "false";
```

@umigliore commented

cf. https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html#authnrequest

The comparison attribute should be minimum because of this note in the doc:

"N.B. The Identity Provider may use, for authentication, a SPID level higher than those resulting from the requester's indication via the Comparison attribute. This choice must not result in a negative outcome for the request."

If the Level can be greater than 1, the request should present the flag ForceAuthn:

The ForceAuthn flag is required if the level could be greater than 1.

@simevo (Collaborator, Author) commented Jan 13, 2020

looking at saml-core-2.0-os.pdf from http://docs.oasis-open.org/security/saml/v2.0/

line 1804:

The <RequestedAuthnContext> element specifies the authentication context requirements of authentication statements returned in response to a request or query. Its RequestedAuthnContextType complex type defines the following elements and attributes: <saml:AuthnContextClassRef> or <saml:AuthnContextDeclRef> [One or More]

for SPID, it can be: https://www.spid.gov.it/SpidL1, https://www.spid.gov.it/SpidL2 or https://www.spid.gov.it/SpidL3

line 1812:

Comparison [Optional] Specifies the comparison method used to evaluate the requested context classes or statements, one of "exact", "minimum", "maximum", or "better". The default is "exact". Either a set of class references or a set of declaration references can be used. The set of supplied references MUST be evaluated as an ordered set, where the first element is the most preferred authentication context class or declaration. If none of the specified classes or declarations can be satisfied in accordance with the rules below, then the responder MUST return a message with a second-level of urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.

If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.

If Comparison is set to "minimum", then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.

If Comparison is set to "better", then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.

If Comparison is set to "maximum", then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.

for SPID, any of the 4 values is possible: exact, minimum, better or maximum

line 2042:

ForceAuthn [Optional] A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.

for SPID, ForceAuthn must be true for SpidL2 and SpidL3

sooo, if I request SpidL1 with comparison = minimum, I think ForceAuthn can be false

@umigliore commented

In the Spid Saml Check tool, the AuthnRequest test expects the flag to be set to true.
It says:

 # ForceAuthn must be true if 'Comparison' is 'minimum' and SPID level is L1

https://github.com/italia/spid-saml-check/blob/ed5962b085b6bf2e46367dc7c4b8f5d8623f2272/specs-compliance-tests/test/sp/authn_request_extra.py

@simevo (Collaborator, Author) commented Jan 14, 2020

Ok, let's check why that is: italia/spid-saml-check#50

@simevo simevo added this to the 0.35 milestone Jan 14, 2020
@simevo simevo self-assigned this Jan 14, 2020
@ctrlaltca commented

According to what is described in https://docs.italia.it/italia/spid/spid-regole-tecniche/it/stabile/single-sign-on.html#authnrequest :

  • the ForceAuthn attribute is mandatory when authentication levels higher than SpidL1 (SpidL2 or SpidL3) are requested
  • the <RequestedAuthnContext> element provides for a Comparison attribute indicating the method used to determine whether the constraint on the authentication context is met: the values allowed for this attribute are: exact, minimum, better, maximum
  • N.B. The Identity Provider may use, for authentication, a SPID level higher than those resulting from the requester's indication via the Comparison attribute. This choice must not result in a negative outcome for the request.

So even when the request sets a minimum level of SpidL1, the IdP may authenticate using level SpidL2 or SpidL3, for which it is mandatory to include the attribute ForceAuthn=true.

The need for this attribute was first noticed and reported as a problem in the official test environment here: italia/spid-testenv#37
The same day a specific test checking this condition was added to the official validator: italia/spid-saml-check@b9d3183

I have not found an explicit statement of this obligation in the regulations, other than one that can be inferred from the conditions set out here.

@simevo (Collaborator, Author) commented Jan 26, 2020

Thanks for all the comments, I am now convinced too that, even in the absence of a normative indication, it must be this way: otherwise Comparison effectively becomes exact, since an IdP with ForceAuthn=false could only return SPID L1. The fix will be included in the new release!
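The rule the thread settles on (ForceAuthn must be "true" when a level above SpidL1 is requested, or when Comparison is "minimum") can be checked on the SP side before a request is sent, or used as a compliance test on captured requests. The validator below is an added example written for this issue, not code from this project or from spid-saml-check; the sample AuthnRequests it builds are constructed and minimal (no Issuer, Destination or signature), and `check_authn_request` / `sample_request` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SPID_LEVELS = {"https://www.spid.gov.it/SpidL1": 1,
               "https://www.spid.gov.it/SpidL2": 2,
               "https://www.spid.gov.it/SpidL3": 3}


def force_authn_required(level, comparison):
    # Rule from the thread: ForceAuthn must be "true" above SpidL1, and also with
    # Comparison="minimum", because the IdP may then step up to L2/L3 on its own.
    return level > 1 or comparison == "minimum"


def check_authn_request(xml_text):
    """Return a list of compliance problems; an empty list means the request passes."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return ["missing RequestedAuthnContext"]
    comparison = rac.get("Comparison", "exact")  # SAML core: default is "exact"
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    levels = [SPID_LEVELS[r] for r in refs if r in SPID_LEVELS]
    if not levels or len(levels) != len(refs):
        return ["AuthnContextClassRef must be one of SpidL1, SpidL2, SpidL3"]
    # SAML core: ForceAuthn defaults to "false"; xs:boolean also allows "1".
    force = root.get("ForceAuthn", "false").lower() in ("true", "1")
    level = max(levels)  # any requested level above L1 already needs ForceAuthn
    if force_authn_required(level, comparison) and not force:
        return ["ForceAuthn must be true for SpidL%d with Comparison=%s"
                % (level, comparison)]
    return []


def sample_request(level, comparison, force_authn=None):
    # Constructed test fixture: a minimal AuthnRequest for the given level/Comparison.
    force = ' ForceAuthn="%s"' % force_authn if force_authn is not None else ""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_c1" Version="2.0"%s>'
            '<samlp:RequestedAuthnContext Comparison="%s">'
            '<saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL%d'
            '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], force, comparison, level))


if __name__ == "__main__":
    for args in [(1, "exact"), (1, "minimum"), (1, "minimum", "true"),
                 (2, "exact"), (2, "exact", "true")]:
        print(args, check_authn_request(sample_request(*args)))
```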

@simevo simevo added bug Something isn't working and removed question Further information is requested labels Jan 26, 2020
@simevo simevo closed this as completed in f3062e9 Jan 26, 2020