feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved
When a SAML IDP is created, the signing algorithm defaults to
`RSA-SHA1`.
This PR adds the functionality to configure the signing algorithm while
creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1`
is the default.

Available options:
* RSA_SHA1
* RSA_SHA256
* RSA_SHA512

# How the Problems Are Solved

By introducing a new optional config to specify the Signing Algorithm.

# Additional Changes
N/A

# Additional Context
- Closes #9842

An existing bug in the UpdateSAMLProvider API will be fixed as a
followup in a different
[PR](https://github.com/zitadel/zitadel/pull/10557).

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 255d42da65)

internal/api/grpc/idp/converter.go

@@ -3,6 +3,7 @@ package idp
 import (
 	"github.com/crewjam/saml"
 	"github.com/muhlemmer/gu"
+	dsig "github.com/russellhaering/goxmldsig"
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
@@ -667,6 +668,7 @@ func samlConfigToPb(providerConfig *idp_pb.ProviderConfig, template *query.SAMLI
 			MetadataXml:                   template.Metadata,
 			Binding:                       bindingToPb(template.Binding),
 			WithSignedRequest:             template.WithSignedRequest,
+			SignatureAlgorithm:            gu.Ptr(signatureAlgorithmToPb(template.SignatureAlgorithm)),
 			NameIdFormat:                  nameIDFormat,
 			TransientMappingAttributeName: gu.Ptr(template.TransientMappingAttributeName),
 			FederatedLogoutEnabled:        gu.Ptr(template.FederatedLogoutEnabled),
@@ -703,3 +705,16 @@ func nameIDToPb(format domain.SAMLNameIDFormat) idp_pb.SAMLNameIDFormat {
 		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED
 	}
 }
+
+func signatureAlgorithmToPb(signatureAlgorithm string) idp_pb.SAMLSignatureAlgorithm {
+	switch signatureAlgorithm {
+	case dsig.RSASHA1SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA1
+	case dsig.RSASHA256SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA256
+	case dsig.RSASHA512SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA512
+	default:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_UNSPECIFIED
+	}
+}

internal/api/grpc/idp/v2/query.go

@@ -6,6 +6,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/crewjam/saml"
 	"github.com/muhlemmer/gu"
+	dsig "github.com/russellhaering/goxmldsig"
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
@@ -335,6 +336,7 @@ func samlConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.SAMLIDPTemplate
 			MetadataXml:                   template.Metadata,
 			Binding:                       bindingToPb(template.Binding),
 			WithSignedRequest:             template.WithSignedRequest,
+			SignatureAlgorithm:            signatureAlgorithmToPb(template.SignatureAlgorithm),
 			NameIdFormat:                  nameIDFormat,
 			TransientMappingAttributeName: gu.Ptr(template.TransientMappingAttributeName),
 			FederatedLogoutEnabled:        gu.Ptr(template.FederatedLogoutEnabled),
@@ -371,3 +373,16 @@ func nameIDToPb(format domain.SAMLNameIDFormat) idp_pb.SAMLNameIDFormat {
 		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED
 	}
 }
+
+func signatureAlgorithmToPb(signatureAlgorithm string) idp_pb.SAMLSignatureAlgorithm {
+	switch signatureAlgorithm {
+	case dsig.RSASHA1SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA1
+	case dsig.RSASHA256SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA256
+	case dsig.RSASHA512SignatureMethod:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_RSA_SHA512
+	default:
+		return idp_pb.SAMLSignatureAlgorithm_SAML_SIGNATURE_UNSPECIFIED
+	}
+}