
Allow setting signing_algorithm and digest_algorithm of pysaml2 library #358

Open
robertaistleitner opened this issue Jan 20, 2025 · 5 comments
Labels
enhancement New feature or request no-issue-activity Stale action

Comments

@robertaistleitner

I have the requirement to set a custom signing_algorithm as well as digest_algorithm for our SP, which (as far as I've seen) is not possible at the moment because those settings are not passed to the pysaml2 library config (sp_config = Saml2Config()).

Is there a workaround on how to implement this or is this something that needs to be implemented?

@mostafa
Member

mostafa commented Jan 22, 2025

Hey @robertaistleitner,

I am not sure of the usage of these specific settings, as the algorithms are automatically picked up by the pysaml2 library from the metadata autoconf URL and the authn request/response, but I'd be happy to see contributions.

@mostafa mostafa added the enhancement New feature or request label Jan 22, 2025
@robertaistleitner
Author

Here is the relevant part of the IDP's metadata XML, which says that sha256 should be used as the signing method, but it looks like this is ignored, since the signed authn request shows that it's signed using sha1.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://..." xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:x509qry="urn:oasis:names:tc:SAML:metadata:X509:query" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        </Extensions>
        <!-- remainder of the descriptor omitted -->
    </IDPSSODescriptor>
</EntityDescriptor>

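As an added example (not code from django-saml2-auth or pysaml2): reading the alg:SigningMethod and alg:DigestMethod extensions from IdP metadata like the snippet above and mapping them onto the signing_algorithm and digest_algorithm keys named in the issue title, failing closed instead of falling back to SHA-1. The metadata fragment and its entityID are constructed, and passing the resulting dict into the pysaml2 config is assumed rather than shown.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "alg": "urn:oasis:names:tc:SAML:metadata:algsupport"}

# Algorithms this SP is willing to use; SHA-1 variants are deliberately absent.
ALLOWED_SIGNING = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                   "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256",
                  "http://www.w3.org/2001/04/xmlenc#sha512"}

# Constructed metadata fragment modelled on the one quoted in the issue
# (the entityID is a placeholder, not a real IdP).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.test/saml"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def advertised_algorithms(metadata_xml):
    """Return ([signing URIs], [digest URIs]) as listed in the IdP's Extensions."""
    root = ET.fromstring(metadata_xml)
    ext = root.find("md:IDPSSODescriptor/md:Extensions", NS)
    if ext is None:
        return [], []
    signing = [e.get("Algorithm") for e in ext.findall("alg:SigningMethod", NS)]
    digest = [e.get("Algorithm") for e in ext.findall("alg:DigestMethod", NS)]
    return signing, digest


def algorithm_config(metadata_xml):
    """Choose the first IdP-advertised algorithms we accept and return them under
    the pysaml2 config keys from the issue title; fail closed rather than use SHA-1."""
    signing, digest = advertised_algorithms(metadata_xml)
    sig = next((a for a in signing if a in ALLOWED_SIGNING), None)
    dig = next((a for a in digest if a in ALLOWED_DIGEST), None)
    if sig is None or dig is None:
        raise ValueError(f"no acceptable algorithm: signing={signing} digest={digest}")
    return {"signing_algorithm": sig, "digest_algorithm": dig}
```

If the IdP's metadata advertises only SHA-1 methods, or none at all, the function raises instead of leaving the SP at the library default, so the mismatch described above surfaces at configuration time.
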
@Christofon

Christofon commented Feb 4, 2025

Any updates here?

@mostafa
Member

mostafa commented Feb 4, 2025

@Christofon As I mentioned above, feel free to contribute.


github-actions bot commented Mar 7, 2025

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the no-issue-activity Stale action label Mar 7, 2025