Defining SPID IdPs
Keycloak is running and the SPID provider is loaded. Now, download the latest metadata document of every SPID IdP from https://registry.spid.gov.it/identity-providers and create a new SPID Identity Provider for each one of them.
- In the **Identity Providers** configuration, click on **Add provider**, then **SPID**;
- In the **Add Identity Provider** page, scroll to the bottom and **Import from file** the provider metadata downloaded above. Click on the **Import** button;
- Most of the fields will be filled in automatically. We'll now take care of the remaining ones.
- **Alias**: enter a name for the provider. TIP: since it will be used as a URL component, avoid entering space characters;
- **Trust Email**: set to `ON`;
- **Sync Mode**: set to `Force`. This setting always updates the user data in Keycloak with the latest from the SPID IdP;
- **Service Provider Entity ID**: set to the Entity ID you want to use to identify your Service Provider. TIP: while the Service Provider Entity ID has to be a URI, there is no need for it to be a real, working internet address. It is just an identifier for your organization's Service Provider. Choose it wisely, as it can't be changed once it has been shared with the federation;
- **NameID Policy Format**: set to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`;
- **Principal Type**: set to `Attribute [Name]`;
- **Principal Attribute**: appears when **Principal Type** is set. Set it to `fiscalNumber`;
- **Want AuthnRequests Signed**: set to `ON`;
- **Want Assertions Signed**: set to `ON`;
- **Validate Signature**: set to `ON`;
- **Sign Service Provider Metadata**: set to `ON`;
- **SAML Signature Key Name**: set to `None`;
- **Force Authentication**: must be set to `ON` to be able to use SPID Authentication level 2 or 3;
- **Attribute Consuming Service Index**: set to `1`. This corresponds to the index of the Attribute Consuming Service defined in your SP metadata; if you have more than one, change it to the value you need.
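Before the **Import from file** step it is worth sanity-checking each downloaded IdP metadata document against the settings just listed: that it really is IdP (not SP) metadata, that it carries a signing certificate (otherwise **Validate Signature** `ON` rejects every response), that it advertises the transient NameID format, and that it has not expired. The following Python script is an added example, not part of the SPID provider project; the metadata document it parses is a constructed sample with a placeholder IdP and a fake certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample shaped like a SPID IdP metadata document (placeholder IdP, fake certificate).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text, now=None):
    """Pull out what the Keycloak import relies on and flag anything that would break the settings above."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML IdP metadata document")
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    info = {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": len(certs),
        "warnings": [],
    }
    if not certs:  # 'Validate Signature: ON' would reject every response from this IdP
        info["warnings"].append("no signing certificate in metadata")
    if TRANSIENT not in info["name_id_formats"]:  # the NameID Policy Format chosen above
        info["warnings"].append("IdP does not advertise the transient NameID format")
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        info["warnings"].append(f"metadata expired on {valid_until}: download a fresh copy")
    return info
```

Run it over each file from the SPID registry before importing it; a non-empty `warnings` list means the document (or the settings above) needs a second look.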
The next attributes are used to automatically generate a SPID-compliant SAML SP metadata document. If you plan on handcrafting your metadata document there is no need to fill them in, but I strongly suggest setting them anyway, so that you get an automatically built starting point for your customization. As the SPID SP metadata is actually the union of the metadata for the different IdPs, you only need to set them on the first SPID IdP in alphabetical order. The values for all the other providers will be ignored, so just leave them blank.
- **Attribute Consuming Service Names**: comma-separated list of localized service names. Each string should be entered in the format `<locale>|<text>`, e.g. `en|Online services,it|Servizi online`;
- **Organization Names**, **Organization Display Names**, **Organization URLs**: localized data for the organization, same format as above;
- **Private SP**: set to `ON` if your organization is a private entity, `OFF` if it is a Public Administration;
- **IPA Code** (Public SP only): enter the IPA Code of the Public Administration;
- **VAT Number**, **Fiscal Code** (Private SP only): enter the VAT Number and the Fiscal Code of the private entity;
- **Company Name (Other)**, **Phone (Other)**, **Email (Other)**: technical contact info for the organization;
- **Company Name (Billing)**, **Phone (Billing)**, **Email (Billing)** (Private SP only): billing contact info for the organization.
Here you can specify which SPID Level you want to request from the IdP:
- **Comparison**: set to `Minimum` or `Exact` depending on your needs;
- **AuthnContext ClassRefs**: only one AuthnContextClassRef element MUST be present. Valid values are:
  - `https://www.spid.gov.it/SpidL3`
  - `https://www.spid.gov.it/SpidL2`
  - `https://www.spid.gov.it/SpidL1`

  TIP: remember to click the `+` symbol after adding an element, otherwise it won't be saved!
Repeat the operations above for each of the SPID IdPs. Now we are ready to define the attribute mappings.