Merge branch 'releases/2.8'

* releases/2.8:
  Nuova gestione degli errori nelle risposte SAML

modules/easyspid/conf/authnreq_post.html

@@ -10,7 +10,7 @@
             <input type='hidden' name='SAMLRequest' value="%AUTHNREQUEST%" />
             <input type='hidden' name='RelayState' value="%RELAYSTATE%" />
             <noscript>
-                <h2 style='color:0000FF'>Sapienza "SPID - Gateway"</h2>
+                <h2 style='color:0000FF'>Sapienza "SAML2 - Gateway"</h2>
                 <h3 style='color: red;'>Javascript disabilitato</h3>
                 <input type='submit' value='Invia Autorizzazione di Autenticazione' />
             </noscript>

modules/easyspid/conf/easyspid.ini

@@ -5,12 +5,15 @@ dbname = easyspid
 user = easyspid
 password = easyspid
 application_name = samlMaster
+auto_create = False
 
 # il pool e separato per master e slave
 # max_conn deve essere uguale a min_conn per il corretto funzionamento di PREPARE
 [dbpool]
 max_conn  = 1
 min_conn  = 0
+max_queries = 50000
+max_inactive_connection_lifetime = 300.0
 
 [AuthnRequest]
 # path relative to modules folder or absolute path
@@ -25,6 +28,11 @@ checkInResponseTo = True
 checkCertificateValidity = True
 checkCertificateAllowed = True
 
+[Errors]
+# default url where redirect SAML response errors
+default_url = http://localhost/samlerrors
+saml_errors = easyspid/conf/saml_errors.json
+
 [proxy]
 #originIP_header = X-Forwarded-For
 originIP_header = X-Real-IP

modules/easyspid/conf/errors.ini

@@ -77,3 +77,13 @@ message = Saml Response iussuer or audience unspecified
 [easyspid119]
 code = easyspid119
 message = No Signature node found.
+
+[easyspid120]
+code = easyspid120
+message = None SAML request found corresponding to SAML response
+
+[easyspid121]
+code = easyspid121
+message = SAML response error
+
+

modules/easyspid/conf/response_post.html

@@ -10,7 +10,7 @@
             <input type='hidden' name='JSONResponse' value="%RESPONSE%" />
             <input type='hidden' name='RelayState' value="%RELAYSTATE%" />
             <noscript>
-                <h2 style='color:0000FF'>Sapienza "SPID - Gateway"</h2>
+                <h2 style='color:0000FF'>Sapienza "SAML2 - Gateway"</h2>
                 <h3 style='color: red;'>Javascript disabilitato</h3>
                 <input type='submit' value='Invia Risposta di Autenticazione' />
             </noscript>

modules/easyspid/conf/response_post_saml.html

@@ -10,7 +10,7 @@
             <input type='hidden' name='SAMLResponse' value="%RESPONSE%" />
             <input type='hidden' name='RelayState' value="%RELAYSTATE%" />
             <noscript>
-                <h2 style='color:0000FF'>Sapienza "SPID - Gateway"</h2>
+                <h2 style='color:0000FF'>Sapienza "SAML2 - Gateway"</h2>
                 <h3 style='color: red;'>Javascript disabilitato</h3>
                 <input type='submit' value='Invia Risposta di Autenticazione' />
             </noscript>

modules/easyspid/conf/saml_errors.json

@@ -0,0 +1,46 @@
+{
+  "SAML": [
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr19",
+      "ITMessage": "Superato massimo numero di tentativi permessi secondo le policy adottate. Autenicazione fallita",
+      "ENMessage": "Max numbers of authentication attempts exeded. Authentication failed"
+    },
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr20",
+      "ITMessage": "Livello di sicurezza richiesto incompatibile con le credenziali dell'utente",
+      "ENMessage": "Security level requested incompatible whith user's credentials"
+    },
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr21",
+      "ITMessage": "Timeout durante l’autenticazione. SL’operazione di autenticazione deve essere completata entro un determinato periodo di tempo",
+      "ENMessage": "Authentication timeout. Authentication must be completed in a fixed time"
+    },
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr22",
+      "ITMessage": "Consenso all’invio dati negato. L’operazione di autenticazione richiede il consenso all'invio dei dati",
+      "ENMessage": "Consent denied to send data. To complete authentication is necessary give consent to send data"
+    },
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr23",
+      "ITMessage": "Identità sospesa/revocata o con credenziali bloccate",
+      "ENMessage": "Identity expired, locked or revoked"
+    },
+    {
+      "statusCode": "urn:oasis:names:tc:SAML:2.0:status:Responder",
+      "subStatusCode": "urn:oasis:names:tc:SAML:2.0:statuss:AuthnFailed",
+      "statusMessage": "ErrorCode nr25",
+      "ITMessage": "Autenticazione annullata dall’utente",
+      "ENMessage": "Authentication canceled by user"
+    }
+  ]
+}