feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-12-24 01:47:21 +00:00 · 2025-08-27 11:07:13 +02:00
parent 6699a6f966
commit 255d42da65
42 changed files with 413 additions and 7 deletions
--- a/internal/command/instance_idp_test.go
+++ b/internal/command/instance_idp_test.go
@@ -5435,6 +5435,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"",
 							false,
+							"",
 							nil,
 							"",
 							false,
@@ -5477,6 +5478,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"binding",
 							true,
+							"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 							gu.Ptr(domain.SAMLNameIDFormatTransient),
 							"customAttribute",
 							true,
@@ -5500,6 +5502,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 					Metadata:                      validSAMLMetadata,
 					Binding:                       "binding",
 					WithSignedRequest:             true,
+					SignatureAlgorithm:            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 					NameIDFormat:                  gu.Ptr(domain.SAMLNameIDFormatTransient),
 					TransientMappingAttributeName: "customAttribute",
 					FederatedLogoutEnabled:        true,
@@ -5666,6 +5669,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"",
 								false,
+								"",
 								nil,
 								"",
 								false,
@@ -5705,6 +5709,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -5850,6 +5855,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,