feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-06 14:52:35 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/api/grpc/admin/idp_converter.go
+++ b/internal/api/grpc/admin/idp_converter.go
@@ -3,6 +3,7 @@ package admin
 import (
 	"github.com/crewjam/saml"
 	"github.com/muhlemmer/gu"
+	dsig "github.com/russellhaering/goxmldsig"

 	idp_grpc "github.com/zitadel/zitadel/internal/api/grpc/idp"
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
@@ -480,12 +481,14 @@ func addSAMLProviderToCommand(req *admin_pb.AddSAMLProviderRequest) *command.SAM
 	if req.NameIdFormat != nil {
 		nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat()))
 	}
+
 	return &command.SAMLProvider{
 		Name:                          req.Name,
 		Metadata:                      req.GetMetadataXml(),
 		MetadataURL:                   req.GetMetadataUrl(),
 		Binding:                       bindingToCommand(req.Binding),
 		WithSignedRequest:             req.WithSignedRequest,
+		SignatureAlgorithm:            signatureAlgorithmToCommand(req.GetSignatureAlgorithm()),
 		NameIDFormat:                  nameIDFormat,
 		TransientMappingAttributeName: req.GetTransientMappingAttributeName(),
 		FederatedLogoutEnabled:        req.GetFederatedLogoutEnabled(),
@@ -498,12 +501,14 @@ func updateSAMLProviderToCommand(req *admin_pb.UpdateSAMLProviderRequest) *comma
 	if req.NameIdFormat != nil {
 		nameIDFormat = gu.Ptr(idp_grpc.SAMLNameIDFormatToDomain(req.GetNameIdFormat()))
 	}
+
 	return &command.SAMLProvider{
 		Name:                          req.Name,
 		Metadata:                      req.GetMetadataXml(),
 		MetadataURL:                   req.GetMetadataUrl(),
 		Binding:                       bindingToCommand(req.Binding),
 		WithSignedRequest:             req.WithSignedRequest,
+		SignatureAlgorithm:            signatureAlgorithmToCommand(req.GetSignatureAlgorithm()),
 		NameIDFormat:                  nameIDFormat,
 		TransientMappingAttributeName: req.GetTransientMappingAttributeName(),
 		FederatedLogoutEnabled:        req.GetFederatedLogoutEnabled(),
@@ -525,3 +530,18 @@ func bindingToCommand(binding idp_pb.SAMLBinding) string {
 		return ""
 	}
 }
+
+func signatureAlgorithmToCommand(signatureAlgorithm idp_pb.SAMLSignatureAlgorithm) string {
+	switch signatureAlgorithm {
+	case idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_UNSPECIFIED:
+		return ""
+	case idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA1:
+		return dsig.RSASHA1SignatureMethod
+	case idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA256:
+		return dsig.RSASHA256SignatureMethod
+	case idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA512:
+		return dsig.RSASHA512SignatureMethod
+	default:
+		return ""
+	}
+}
--- a/internal/api/grpc/admin/idp_converter_test.go
+++ b/internal/api/grpc/admin/idp_converter_test.go
@@ -3,6 +3,8 @@ package admin
 import (
 	"testing"

+	"github.com/stretchr/testify/require"
+
 	"github.com/zitadel/zitadel/internal/test"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/idp"
@@ -157,3 +159,40 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
 		})
 	}
 }
+
+func Test_signatureAlgorithmToCommand(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name                   string
+		signatureAlgorithm     idp.SAMLSignatureAlgorithm
+		wantSignatureAlgorithm string
+	}{
+		{
+			name:                   "signature algorithm default value",
+			signatureAlgorithm:     11,
+			wantSignatureAlgorithm: "",
+		},
+		{
+			name:                   "RSA_SHA1",
+			signatureAlgorithm:     idp.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA1,
+			wantSignatureAlgorithm: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+		},
+		{
+			name:                   "RSA_SHA256",
+			signatureAlgorithm:     idp.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA256,
+			wantSignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+		},
+		{
+			name:                   "RSA_SHA512",
+			signatureAlgorithm:     idp.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA512,
+			wantSignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := signatureAlgorithmToCommand(tt.signatureAlgorithm)
+			require.Equal(t, tt.wantSignatureAlgorithm, got)
+		})
+	}
+}