feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-11-02 07:58:46 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/cmd/setup/61.go
+++ b/cmd/setup/61.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 61.sql
+	addSAMLSignatureAlgorithm string
+)
+
+type IDPTemplate6SAMLSignatureAlgorithm struct {
+	dbClient *database.DB
+}
+
+func (mig *IDPTemplate6SAMLSignatureAlgorithm) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, addSAMLSignatureAlgorithm)
+	return err
+}
+
+func (mig *IDPTemplate6SAMLSignatureAlgorithm) String() string {
+	return "61_idp_templates6_add_saml_signature_algorithm"
+}
--- a/cmd/setup/61.sql
+++ b/cmd/setup/61.sql
@@ -0,0 +1 @@
+ALTER TABLE IF EXISTS projections.idp_templates6_saml ADD COLUMN IF NOT EXISTS signature_algorithm TEXT;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -157,6 +157,7 @@ type Steps struct {
 	s58ReplaceLoginNames3View               *ReplaceLoginNames3View
 	s59SetupWebkeys                         *SetupWebkeys
 	s60GenerateSystemID                     *GenerateSystemID
+	s61IDPTemplate6SAMLSignatureAlgorithm   *IDPTemplate6SAMLSignatureAlgorithm
 }

 func MustNewSteps(v *viper.Viper) *Steps {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -218,6 +218,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s57CreateResourceCounts = &CreateResourceCounts{dbClient: dbClient}
 	steps.s58ReplaceLoginNames3View = &ReplaceLoginNames3View{dbClient: dbClient}
 	steps.s60GenerateSystemID = &GenerateSystemID{eventstore: eventstoreClient}
+	steps.s61IDPTemplate6SAMLSignatureAlgorithm = &IDPTemplate6SAMLSignatureAlgorithm{dbClient: dbClient}

 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -266,6 +267,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s57CreateResourceCounts,
 		steps.s58ReplaceLoginNames3View,
 		steps.s60GenerateSystemID,
+		steps.s61IDPTemplate6SAMLSignatureAlgorithm,
 	} {
 		setupErr = executeMigration(ctx, eventstoreClient, step, "migration failed")
 		if setupErr != nil {
				`@@ -0,0 +1 @@`
				`ALTER TABLE IF EXISTS projections.idp_templates6_saml ADD COLUMN IF NOT EXISTS signature_algorithm TEXT;`