There are enough XML-related functions to deserve own submodule eidas_node.xml:

• eidas_node.utils contains 5 XML-related functions.
• eidas_node.saml contains decrypt_xml
• A new function remove_extra_xml_whitespace should be extracted from the code in decrypt_xml
• More functions are expected: sign_xml (#10, #27), verify_xml_signature (#9), encrypt_xml (#45)

In addition, IdentityProviderResponseView.get_saml_response should not call decrypt_xml directly but via SAMLResponse.decrypt.

It was introduced to fix #14 but it is no longer needed because token id is not used as SAML id since #26.

In the INFO logging level there is a need to log the CountryCode in the request and repeat the same CountryCode in the response together with StatusCode and SubStatusCode. This is the same for both roles of Connector and ProxyService.

NIA requests attributes that Generic eIDAS Node cannot handle:

ERROR : SpecificCommunicationException {} eu.eidas.specificcommunication.exception.SpecificCommunicationException: Attribute http://schemas.microsoft.com/cgg/2010/identity/claims/profileid not present in the registry at eu.eidas.specificcommunication.protocol.impl.LightJAXBCodec.getByName(LightJAXBCodec.java:169) ~[eidas-specific-communication-definition-2.3.1.jar:na]

Design:

• New settings: CONNECTOR_ALLOWED_ATTRIBUTES (Set[str], optional, default set(eidas_node.attributes.ATTRIBUTE_MAP)): Attributes that a service provider can request. Other attributes are dropped from the authentication request. Empty set disables the filter.
• eidas_node.connector.views.ServiceProviderRequestView.adjust_requested_attributes: If CONNECTOR_ALLOWED_ATTRIBUTES is not empty, all requested attributes not present in the set are dropped and logged with WARNING level.

@jtalir got a response from NAKIT about why our encrypted SAML responses are not accepted: 'saml2' is an undeclared prefix. Line 1, position 2.

We should check whether xmlsec adds XML namespaces declarations inherited from parent elements. If it doesn't, the decrypted <samp2:Assertion> cannot act as an independent XML document. (It doesn't matter in our decryption method where the decrypted <samp2:Assertion> is a part of the XML document with all namespaces declared.)

Master is currently broken:

• Mypy.
• New NIA certificate.
• Incompatibility with django appsettings 0.7.1

These fields shouldn't be optional according to XML schema (eIDAS-Node National IdP and SP Integration Guide, Version 2.3, page 47):

• <xs:element name="subject" type="xs:string" minOccurs="1" maxOccurs="1" />
• <xs:element name="subjectNameIdFormat" minOccurs="1" maxOccurs="1" />
• <xs:element name="levelOfAssurance" minOccurs="1" maxOccurs="1" />

However, they are optional for failed responses: eIDAS node accepts and provides light responses without these fields.

Changes to implement:

• LightResponse.validate() - treat subject, subject_name_id_format, and level_of_assurance as optional if status.failure is True.
• SAMLResponse.create_light_response() - stop providing dummy data for subject, subject_name_id_format, and level_of_assurance in case of failure responses.

Specification

• Specification of RequestAbstractType (the base type for requests):

<complexType name="RequestAbstractType" abstract="true">
  <sequence>
    <element ref="saml:Issuer" minOccurs="0"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="samlp:Extensions" minOccurs="0"/>
  </sequence>
...
</complexType>

• Specification of StatusResponseType (the base type for responses)

<complexType name="StatusResponseType">
  <sequence>
    <element ref="saml:Issuer" minOccurs="0"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="samlp:Extensions" minOccurs="0"/>
    <element ref="samlp:Status"/>
  </sequence>
...
</complexType>

• Specification of AssertionType:

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
   <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>
    <element ref="saml:Conditions" minOccurs="0"/>
    <element ref="saml:Advice" minOccurs="0"/>
    ...
  </sequence>
...
</complexType>

Implementation

• eidas_node.xml.sign_xml_node(): New parameter position: int = 0 to specify the position of the signature.
• SAMLRequest.sign_request(), SAMLResponse.sign_response(), SAMLResponse.sign_assertion(): If <Issuer> element is present, insert signature after it.

This might be related to issue #87.

I updated our specific connector to version 0.6.0 and got it working with assertion encryption disabled. However, when I enable the encryption I get an error from our sp which says the signature of the assertion is not valid. I fixed this issue in our development version by temporarily disabling assertion signing and leaving the encryption on. So I can either have the assertions signed or encrypted but when I enable both the signature of the assertions seems to be invalid.

Templates and LICENSE are missing.

Required by NIA.

Sample:

<saml2:Conditions NotBefore="2019-10-22T14:25:05.928Z"
                  NotOnOrAfter="2019-10-22T14:30:05.928Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>urn:microsoft:cgg2010:fpsts</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>

New mypy release, new errors...

When configuration of Service Provider is based on parsing metadata, Service Provider may indicate requirement for signed assertion in WantAssertionsSigned attribute.
In our case we could add configuration option that would allow having unsigned assertion. Can work also as workaround for #89

Incompatibilities:

• urn:oasis:names:tc:SAML:2.0:status:VersionMismatch is a status code in SAML but a sub status code in light response.
• Only a few sub status codes are recognized by eIDAS.

Implementation:

• SAMLResponse.create_light_response and SAMLResponse.from_light_response: Translate urn:oasis:names:tc:SAML:2.0:status:VersionMismatch.
• SAMLResponse.create_light_response: Ignore sub status codes not recognized by eIDAS.

Views:

• ServiceProviderRequestView (/ServiceProviderRequest)

  • Receives an authorization request (SAML) from a service provider
  • Verifies the request.
  • Shows a country selector unless a country is provided.
  • Converts SAML request to a light request.
  • Stores the light request in a light cache.
  • Redirects to eIDAS Node with a light token.

• ConnectorResponseView (/ConnectorResponse)

  • Receives and verifies a light token.
  • Retrieves a light response from a light cache.
  • Converts the light response to a SAML response.
  • Signs and encrypts the SAML response (optional).
  • Redirects to the service provider.

• Remove headings.
• Connector: "Identity Provider" → "eIDAS node"
• Proxy Service: "Service Provider" → "eIDAS node"
• Title → "eIDAS node"
• Styles as close as possible to the original selector.

Add optional encryption of SAML Responses generated by Specific Connector.

It's required by NIA.

It is a good idea to add check for function complexity.

Add max_complexity = 15 to flake section in setup.cfg.

• Directory eidas_node/cznic/
  • __init__.py: Helper constants TEMPLATE_DIR and STATIC_DIR.
  • templates/eidas_node/connector/base.html: Based on eidas_selector/templates/eidas_selector/selector.html
  • templates/eidas_node/proxy_service/base.html: Likewise.
  • static/eidas_node/css/screen.css: Based on eidas_selector/static/eidas_selector/css/screen.css
  • static/eidas_node/img/logo.svg: Logo CZ.NIC.
• Deployment settings:
  • Add from eidas_node import cznic.
  • Add STATICFILES_DIRS = [cznic.STATIC_DIR].
  • Add TEMPLATES['DIRS'] = [cznic.TEMPLATE_DIR].

...
from eidas_node import cznic
...

STATIC_ROOT = '/var/www/eidas/static'
STATIC_URL = '/static/'
STATICFILES_DIRS = [cznic.STATIC_DIR]

...

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'APP_DIRS': True,
        'DIRS': [cznic.TEMPLATE_DIR],
        'OPTIONS': {
            'context_processors': [
                'django.contrib.messages.context_processors.messages',
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.template.context_processors.i18n',
            ]
        }
    }
]

There should be a possibility to use https://aws.amazon.com/kms/ for cryptographic functions. One possible integration is described in the fork master...vrk-kpa:kms_support

Design

API

• abstract class eidas_node.xml.security.XmlSigner - defines the interface
  • abstract sign_node(node: Element, position: int = 0) - sign the XML node
• class XmlSecSigner(XmlSigner) - signs with xmlsec
  • __init__(key_file: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
• class AwsKmsSigner(XmlSigner) - signs with AWS KMS.
  • The first implementation may use XmlSecSigner internally and then overwrite the signature with that from AWS KMS.
  • __init__(key_alias: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
• Port SAMLRequest.sign_request(key_file: str, cert_file: str, signature_method: str, digest_method: str) to SAMLRequest.sign_request(signer: XmlSigner).
• SAMLResponse.sign_assertion, SAMLResponse.sign_response: As above.

Settings

• PROXY_SERVICE_IDENTITY_PROVIDER['REQUEST_SIGNATURE'] becomes DictSetting. Key class specifies the backend to use (defaults to 'eidas_node.xml.security.XmlSecSigner'). Other parameters are used for initialization.
• CONNECTOR_SERVICE_PROVIDER['RESPONSE_SIGNATURE']: As above.

Requirements

setup.py: extras_require['aws_kms'] = ['boto3']

One country reported issue on our proxy service and corresponding error message is

File "/usr/lib/python3/dist-packages/eidas_node/models.py", line 144, in deserialize_name_id_format
   return NameIdFormat(elm.text) if elm.text else None
File "/usr/lib/python3.5/enum.py", line 241, in __call__
   return cls.__new__(cls, value)
File "/usr/lib/python3.5/enum.py", line 476, in __new__
   raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 'urn:oasis:names:tc:saml:1.1:nameid-format:unspecified' is not a valid NameIdFormat

Allowed formats are:

• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
• urn:oasis:names:tc:SAML:2.0:nameid-format:transient
• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

The difference is 'SAML' vs 'saml'. The question is if case sensitivity of this string comparison is bug or feature.

There are some cases where code throws exceptions and shows error page, while it could rather create a SAML/Light Response with SAML status code. Those places should be first evaluated. They are mainly in validation of input Requests.

New settings:

• PROXY_SERVICE_IDENTITY_PROVIDER['CERTIFICATE_FILE'] (string, optional) - a path to the file with Identity Provider's certificate used to sign its responses.

It is required by NIA: ID4131: A Saml2SecurityToken cannot be created from the Saml2Assertion because it has no SubjectConfirmation.

Sample

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="http://C-PEPS.gov.xx">SE/CZ/199008199391</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="127.0.0.1"
                                   InResponseTo="idf4e3164e4e1b4d8f8836647f779d63d5"
                                   NotOnOrAfter="2019-10-22T14:30:05.928Z"
                                   Recipient="https://tnia.eidentita.cz/fpsts/processRequest.aspx" /></saml2:SubjectConfirmation>
</saml2:Subject>

Path: /saml/idp.xml

• Add import warnings; warnings.simplefilter("error") toeidas_node/tests/settings.py.
• Whitelist any warnings we are ok with.
• Address other warnings. There are a lot of deprecation warnings.

We support only POST request.

Then we need to adjust monitoring to check with GET requests.

Implement possibility to store private keys for SAML signing and decryption in HSM accessible via PKCS11 interface

• Use pyignite.cache.Cache.get_and_remove instead of get.
• Rename LightStorage.get_light_request/get_light_response to pop_light_request/pop_light_response.
• Don't replace original response id in ProxyServiceRequestView.create_saml_request and the response/request pairing in IdentityProviderResponseView.create_light_response becomes unnecessary.

xsd:ID must start with a letter or underscore, and can only contain letters, digits, underscores, hyphens, and periods. However, we use str(uuid4()) which sometimes produces strings starting with a digit.

Logs:

ID4128: The value is not a valid SAML ID.
Parameter name: value
Name cannot begin with the '7' character, hexadecimal value 0x37.

Implementation:

• utils.create_xml_uuid() -> str: create a valid unique XML id (str(uuid4()) prefixed by an underscore).
• utils.is_xml_id_valid(xml_id: str) -> bool: validate a XML id.

We have Debian Stretch packages of 0.3.0 but we need >= 0.4.0 (for NestedSetting).

• Specifications: eIDAS SAML Attribute Profile v1.2 Final.pdf, eIDAS SAML Attribute Profile v1.1_2
• Wrong URI names:
  • LegalAddress → LegalPersonAddress
  • VATRegistration → VATRegistrationNumber

Discussion at eIDAS Technical SubGroup about what should be correct place in LightRequest to Specific ProxyService resulted in temporary solution that in version 2.4 it will reuse element CitizenCountryCode. Final solution will be discussed later and one of the option is OriginCountryCode element that is used in current code.
Code should support both OriginCountryCode and CitizenCountryCode as the source for SPCountry in SamlRequest to IdP

Application fails when IdP responds with something other than LoA. In any case - it should not fail, but continue with LightResponse containing message about failure.
But I also suggest to to have an option to set relaxed mode where if response status is Success (it means that LoA is fullfilled) it would replace LoA from Response with LoA from Request (if it is known).

Cache NameID format in the LightRequest to specific ProxyService and if transient is requested and IdP provides persistant, fill transient in the LightResponse regardless of the IdP response. NameID format is underspecified in eIDAS and has no meaning and no use. There is an initiative to keep the value unspecified only but until then transient must be supported as well.

Name ID Format Matrix

Settings

• PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK (bool, default false) - If set to true and transient name id is requested in the request but unspecified/persistent name id is provided in the response, new random transient name id is created.
• PROXY_SERVICE_AUXILIARY_STORAGE (required if the fallback is enabled) - Light storage holding auxiliary data - now only Name ID format of the request. It may be a new Apache Ignite cache or we can reuse any of the two existing caches used by the proxy service.

Implementation

If the fallback is disabled, nothing happens. Otherwise:

• ProxyServiceRequestView.post:
  • Creates self.auxiliary_storage.
  • Stores {"name_id_format": self.light_request.name_id_format} with id specific-aux-{self.light_request.id}
• IdentityProviderResponseView.post:
  • Creates self.auxiliary_storage.
  • Retrieves specific-aux-{self.light_response.in_response_to_id} from cache (with deletion).
  • If cached name id format is transient but self.light_response.subject_name_id_format isn't, it is replaced with new random transient id.

It's handy for debugging.

We have a sample dockerfile for our specific parts. We could dockerize the entire stack.

New/changed settings:

• PROXY_SERVICE_IDENTITY_PROVIDER['KEY_FILE'] renamed to PROXY_SERVICE_IDENTITY_PROVIDER['ENCRYPTION_KEY_FILE'] (string, optional, default None) - The path of a key to decrypt Identity Provider's authentication response.
• PROXY_SERVICE_IDENTITY_PROVIDER['SIGNING_KEY_FILE'] (string, optional, default None) - The path to a key to sign authentication requests.

Should we reuse PROXY_SERVICE_IDENTITY_PROVIDER['KEY_FILE'] or add new settings PROXY_SERVICE_IDENTITY_PROVIDER['SIGNING_KEY_FILE']?

Upstream ticket: EID-977 in CEF issue tracker.

Our light response stored by Specific Proxy Service:

<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<lightResponse>
  <id>T94492c61-c8a8-4a6a-aee9-6ef6b02f213a</id>
  <inResponseToId>_cUZBLMtWjycfF4XeCy-nWYQXfJ98N0sDFuAlQzrFRDWTi1laUtkPIWlwuEtQccX</inResponseToId>
  <issuer>specific-proxy-service</issuer>
  <ipAddress>217.31.205.1</ipAddress>
  <relayState>xxxx</relayState>
  <subject>e9ef6043-99f6-4a6d-bf7b-956b560f6550</subject>
  <subjectNameIdFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</subjectNameIdFormat>
  <levelOfAssurance>http://eidas.europa.eu/LoA/substantial</levelOfAssurance>
  <status>
    <failure>false</failure>
    <statusCode>urn:oasis:names:tc:SAML:2.0:status:Success</statusCode>
  </status>
  <attributes>
    <attribute>
      <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName</definition>
      <value>DVOŘÁKOVÁ</value>
    </attribute>
    <attribute>
      <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName</definition>
      <value>PAVLA</value>
    </attribute>
    <attribute>
      <definition>http://eidas.europa.eu/attributes/naturalperson/DateOfBirth</definition>
      <value>1955-06-07</value>
    </attribute>
    <attribute>
      <definition>http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier</definition>
      <value>e9ef6043-99f6-4a6d-bf7b-956b560f6550</value>
    </attribute>
  </attributes>
</lightResponse>

Light response provided by Generic Connector:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<lightResponse>
    <id>_c.fR2g8Vq1miFuxjORQlvumxjzU4XQqbqNPn-Z-gRTZegbXmaM2qRbGZmYLfMwK</id>
    <issuer>http://pokuston:8888/EidasNode/ConnectorMetadata</issuer>
    <ipAddress>2001:1488:fffe:2:b86f:bcfd:5dc7:8228</ipAddress>
    <subject>e9ef6043-99f6-4a6d-bf7b-956b560f6550</subject>
    <subjectNameIdFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</subjectNameIdFormat>
    <status>
        <failure>false</failure>
        <statusCode>urn:oasis:names:tc:SAML:2.0:status:Success</statusCode>
        <statusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</statusMessage>
        <subStatusCode>##</subStatusCode>
    </status>
    <inResponseToId>_16f32676-1c31-44d8-a2fe-3a100cf29c0e</inResponseToId>
    <levelOfAssurance>http://eidas.europa.eu/LoA/substantial</levelOfAssurance>
    <attributes>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName</definition>
            <value>DVOŘÁKOVÁ</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName</definition>
            <value>PAVLA</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/DateOfBirth</definition>
            <value>1955-06-07</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier</definition>
            <value>CA/CA/e9ef6043-99f6-4a6d-bf7b-956b560f6550</value>
        </attribute>
    </attributes>
</lightResponse>

<relayState>xxxx</relayState> is missing in the latter.

New settings:

• CONNECTOR_SERVICE_PROVIDER['CERT_FILE] (optional, default None): The path of a certificate to verify the signature of Service Provider's authentication requests.

Implementation:

• SAMLRequest.request_signature() -> Optional[Element]: returns <ds:Signature> element is there is any.
• SAMLRequest.verify_request(cert_file: str) -> None: Verifies the signature. Raises SecurityError if there is no signature or the signature is invalid.
• ServiceProviderRequestView.get_saml_requestcountry_parameter: str, cert_file: Optional[str]) -> SAMLRequest: Modified to verify the signature if cert_key is provided.
• DemoServiceProviderRequestView.post: Modified to sign the SAML request reusing CONNECTOR_SERVICE_PROVIDER['RESPONSE_SIGNATURE'].
• SAMLRequest.sign_request(key_file: str, cert_file: str, signature_method: str, digest_method: str) -> None: Sign SAML request.

We should specify in README:

• Copyright: Copyright 2019 CZ.NIC, z. s. p. o.
• License: [Licensed under GPL-3+](COPYRIGHT)
• Flags Copyright 2013 Panayiotis Lipiridis, MIT license

File COPYRIGHT:

Copyright (C) 2019 CZ.NIC, z. s. p. o.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.

Source files should contain at least copyright information and a reference to license notice:

# Copyright (C) 2019 CZ.NIC, z. s. p. o.
# Licensed under GPL-3+, see file COPYRIGHT.

A follow-up from #53 (comment)

Upstream ticket: EID-979 in CEF issue tracker

Our light response from Specific Proxy Service is:

LightResponse(
  id='_232731ca12d9461caf9eb32abf684aee',
  in_response_to_id='_pz-oy4.BYeLVIFvQv73NCtPrBCNa5giQcHCby4638MD3Ng3N-5PgWF-Itgc1crZ',
  issuer='specific-proxy-service',
  ip_address='217.31.205.1',
  relay_state='xxx',
  subject='b983d4ca-4812-4755-af51-f1d65fbd365e',
  subject_name_id_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  level_of_assurance='http://eidas.europa.eu/LoA/substantial',
  status=Status(
    failure=False,
    status_code='urn:oasis:names:tc:SAML:2.0:status:Success',
    sub_status_code=None,
    status_message=None),
  attributes=OrderedDict([
    ('http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName', ['NOSKOVÁ']),
    ('http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName', ['PETRA']),
    ('http://eidas.europa.eu/attributes/naturalperson/DateOfBirth', ['1981-09-26']),
    ('http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier',
     ['b983d4ca-4812-4755-af51-f1d65fbd365e'])
  ]))

Generic Connector provides us with:

<lightResponse>
    <id>_U_6MhGsSwNLGZGjQD6AiHO1-1gc-.HnQDmvVPawHo2eLRZ4TUxoxhFVWnGrmNAE</id>
    <issuer>http://pokuston:8888/EidasNode/ConnectorMetadata</issuer>
    <ipAddress>2001:1488:fffe:2:f1a6:e430:89d7:eadf</ipAddress>
    <subject>b983d4ca-4812-4755-af51-f1d65fbd365e</subject>
    <subjectNameIdFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</subjectNameIdFormat>
    <status>
        <failure>false</failure>
        <statusCode>urn:oasis:names:tc:SAML:2.0:status:Success</statusCode>
        <statusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</statusMessage>
        <subStatusCode>##</subStatusCode>
    </status>
    <inResponseToId>_944b6f1f-c938-4412-b2aa-fde36d5e872c</inResponseToId>
    <levelOfAssurance>http://eidas.europa.eu/LoA/substantial</levelOfAssurance>
    <attributes>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName</definition>
            <value>NOSKOVÁ</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName</definition>
            <value>PETRA</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/DateOfBirth</definition>
            <value>1981-09-26</value>
        </attribute>
        <attribute>
            <definition>http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier</definition>
            <value>CA/CA/b983d4ca-4812-4755-af51-f1d65fbd365e</value>
        </attribute>
    </attributes>
</lightResponse>

• Neither ## nor urn:oasis:names:tc:SAML:2.0:status:Success are valid sub status codes (the latter is a valid status code).
• Failure responses are ok (urn:oasis:names:tc:SAML:2.0:status:AuthnFailed as a sub status code, ## as a status message).

Workaround:

• Status.deserialize_status_code(): Ignore the sub status code if it contains ##.

• eIDAS-Node Error and Event Logging

We use it only in tests. Let's drop it.

At least on some mobile phones responsive design of country selector doesn't look well.

We compare light token timestamps in local time with timestamps in UTC, which is definitely not correct.

eIDAS-Node National IdP and SP Integration Guide doesn't specify whether the timestamp is in the local timezone or UTC, but the embedded Python example uses datetime.now(), which returns local time. We need to verify that eIDAS Generic Node uses local time too.

Internally, we should use timezone-aware timestamps everywhere and convert to bare timestamps converted to the correct timezone as needed.

Related CZ.NIC ticket

New settings:

• PROXY_SERVICE_IDENTITY_PROVIDER['METADATA_URL'] (string, optional) - URL or Identity Provider's metadata.

Implementation:

• eidas_node.proxy_service.apps.ProxyServiceConfig.ready: If PROXY_SERVICE_IDENTITY_PROVIDER['METADATA_URL'] is set, PROXY_SERVICE_IDENTITY_PROVIDER['SIGNING_KEY'] and PROXY_SERVICE_IDENTITY_PROVIDER['ENDPOINT'] are extracted from that URL.

We already use Sphinx-style docstrings, but without any check for format correctness. The generation of documentation is the next step forward.