
testenv2 finds the authnrequest from spid-php non compliant #31

Closed
simevo opened this issue Aug 9, 2018 · 3 comments

Comments


simevo commented Aug 9, 2018

errors reported by spid-testenv2:

| Error ID | Elemento | Dettagli errore |
|---|---|---|
| 1 | samlp:AuthnRequest | AttributeConsumingServiceIndex: 0 non corrisponde a nessuno dei valori contenuti in [] |
| 2 | saml:Issuer | NameQualifier: L'attributo è obbligatorio; Format: L'attributo è obbligatorio |
| 3 | samlp:NameIDPolicy | AllowCreate: L'attributo non è richiesto |
| 4 | saml:AuthnContext | Comparison: L'attributo è obbligatorio |

screenshot: (image of the spid-testenv2 error report, not reproduced here)

metadata for spid-php (digest and x509 data skipped):

```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.simevo.com" ID="pfxcac9ef02-c970-fb85-bc1a-6cc51506c172"><ds:Signature>
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#pfxcac9ef02-c970-fb85-bc1a-6cc51506c172"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-logout.php/service-l1"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-acs.php/service-l1" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.simevo.com/myservice/module.php/saml/sp/saml1-acs.php/service-l1" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

authnrequest generated by spid-php:

```xml
<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_fe4589f2b156246207d3e2eabb9d228599ffae0109"
  Version="2.0"
  IssueInstant="2018-08-09T13:40:33Z"
  Destination="https://idp.simevo.com/sso"
  AssertionConsumerServiceURL="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-acs.php/service-l1"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://sp.simevo.com</saml:Issuer>
  <samlp:NameIDPolicy
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    AllowCreate="true"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
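The four checks in the spid-testenv2 report above, re-implemented as an added example (standard-library Python, not code from spid-testenv2, spid-php or SimpleSAMLphp) so an SP operator can run the same validation locally before pointing the IdP at a new deployment. The metadata fragments and the corrected request are constructed for the example: the assumed fix gives the Issuer `Format` entity and `NameQualifier` equal to the entityID, drops `AllowCreate`, sets `Comparison="minimum"` (note 4 in the thread), and declares an `AttributeConsumingService` at index 0 whose service name and requested attribute are placeholders. `check_authn_request` is a name chosen here, not a tool API.

```python
"""Added example: the four spid-testenv2 findings from the report above, re-implemented
with xml.etree. Not code from spid-testenv2 or spid-php."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata reduced to what the checks need (signature and certificates
# left out, as in the issue). Like the posted metadata it declares no
# AttributeConsumingService, which is what triggers error 1.
SP_METADATA_NO_ACS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.simevo.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.simevo.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata with an AttributeConsumingService at index 0 added (assumed shape of the fix;
# service name and attribute are placeholders).
SP_METADATA_WITH_ACS = SP_METADATA_NO_ACS.replace(
    "  </md:SPSSODescriptor>",
    '    <md:AttributeConsumingService index="0">\n'
    '      <md:ServiceName xml:lang="it">service-l1</md:ServiceName>\n'
    '      <md:RequestedAttribute Name="fiscalNumber"/>\n'
    "    </md:AttributeConsumingService>\n"
    "  </md:SPSSODescriptor>",
)

# The AuthnRequest posted in the issue, reflowed.
NONCOMPLIANT_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_fe4589f2b156246207d3e2eabb9d228599ffae0109" Version="2.0"
  IssueInstant="2018-08-09T13:40:33Z" Destination="https://idp.simevo.com/sso"
  AssertionConsumerServiceURL="https://sp.simevo.com/myservice/module.php/saml/sp/saml2-acs.php/service-l1"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://sp.simevo.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL1</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed corrected request (assumed fix): Issuer carries NameQualifier and Format,
# AllowCreate is removed, Comparison is set to "minimum" as note 4 in the thread suggests.
COMPLIANT_REQUEST = (
    NONCOMPLIANT_REQUEST
    .replace("<saml:Issuer>", '<saml:Issuer NameQualifier="https://sp.simevo.com" '
             'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">')
    .replace(' AllowCreate="true"', "")
    .replace("<samlp:RequestedAuthnContext>", '<samlp:RequestedAuthnContext Comparison="minimum">')
)


def check_authn_request(request_xml: str, metadata_xml: str) -> list:
    """Return (element, detail) pairs, one per finding; an empty list means compliant."""
    req = ET.fromstring(request_xml)
    md = ET.fromstring(metadata_xml)
    findings = []

    # 1. AttributeConsumingServiceIndex must name an AttributeConsumingService that the
    #    SP metadata actually declares.
    declared = sorted(e.get("index") for e in md.iterfind(".//md:AttributeConsumingService", NS))
    idx = req.get("AttributeConsumingServiceIndex")
    if idx is not None and idx not in declared:
        findings.append(("samlp:AuthnRequest",
                         f"AttributeConsumingServiceIndex: {idx} matches none of {declared}"))

    # 2. Issuer must carry both NameQualifier and Format.
    issuer = req.find("saml:Issuer", NS)
    if issuer is None:
        findings.append(("saml:Issuer", "element is mandatory"))
    else:
        for attr in ("NameQualifier", "Format"):
            if issuer.get(attr) is None:
                findings.append(("saml:Issuer", f"{attr}: attribute is mandatory"))

    # 3. NameIDPolicy must not carry AllowCreate.
    policy = req.find("samlp:NameIDPolicy", NS)
    if policy is not None and policy.get("AllowCreate") is not None:
        findings.append(("samlp:NameIDPolicy", "AllowCreate: attribute is not allowed"))

    # 4. RequestedAuthnContext must carry Comparison.
    ctx = req.find("samlp:RequestedAuthnContext", NS)
    if ctx is not None and ctx.get("Comparison") is None:
        findings.append(("saml:AuthnContext", "Comparison: attribute is mandatory"))

    return findings


if __name__ == "__main__":
    for label, request, metadata in (
        ("as posted", NONCOMPLIANT_REQUEST, SP_METADATA_NO_ACS),
        ("fixed request, old metadata", COMPLIANT_REQUEST, SP_METADATA_NO_ACS),
        ("fixed request and metadata", COMPLIANT_REQUEST, SP_METADATA_WITH_ACS),
    ):
        print(f"{label}: {check_authn_request(request, metadata) or 'compliant'}")
```

The middle case is the one worth noticing: fixing the request alone still fails check 1, because the index it references has to exist in the SP metadata the IdP holds, so the metadata change (note 1 in the thread) and the request change have to ship together.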

simevo commented Aug 9, 2018

notes:

  1. the SP metadata does not contain attribute consuming service array; this has to be configured in ssp
  2. same as item 1 in generated AuthnRequest is not compliant with the "regole tecniche" simevo/spid-php2#2
  3. similar to item 2 in generated AuthnRequest is not compliant with the "regole tecniche" simevo/spid-php2#2
  4. as mentioned here it could be hardwired to minimum


simevo commented Aug 10, 2018

re. point 2: simplesamlphp/saml2#67

damikael (Member) commented:

Solved by #43
