feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-06 17:12:22 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/command/idp.go
+++ b/internal/command/idp.go
@@ -120,6 +120,7 @@ type SAMLProvider struct {
 	MetadataURL                   string
 	Binding                       string
 	WithSignedRequest             bool
+	SignatureAlgorithm            string
 	NameIDFormat                  *domain.SAMLNameIDFormat
 	TransientMappingAttributeName string
 	FederatedLogoutEnabled        bool
--- a/internal/command/idp_intent_test.go
+++ b/internal/command/idp_intent_test.go
@@ -737,6 +737,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 								[]byte("certificate"),
 								"",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -758,6 +759,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 								}, []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"),
 								"",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -828,6 +830,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 								[]byte("certificate"),
 								"",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -849,6 +852,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
 								}, []byte("-----BEGIN CERTIFICATE-----\nMIIC2zCCAcOgAwIBAgIIAy/jm1gAAdEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE\nChMHWklUQURFTDAeFw0yMzA4MzAwNzExMTVaFw0yNDA4MjkwNzExMTVaMBIxEDAO\nBgNVBAoTB1pJVEFERUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE\nd3TztGgSb3LBVZn8f60NbFCyZW+F9HPiMCr9F9T45Zc0fgmMwxId0WzRD5Y/3yc1\ndHJzt+Bsxvw12aUHbIPiothqk3lINoFzl2H/cSfIW3nehKyNOUqdBQ8B4mvaqH81\njTjoJ/JTJAwzglHk6JAWjhOyx9aep1yBqYa3QASeTaW9sxkpB0Co1L2UPNhuMwZq\n8RA9NkTfmYVcVBeNqihler5MhruFtqrv+J0ftwc1stw8uCN89ADyr4Ni+e+FeWar\nQs9Bkfc6KLF/5IXa9HCsHNPaaoYPY6I6RSaG4/DKoSKIEe1/GSVG1FTpZ8trUZxv\nU+xXS6gEalXcrJsiX8aXAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE\nDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCx\n/dRNIj0N/16zJhZR/ahkc2AkvDXYxyr4JRT5wK9GQDNl/oaX3debRuSi/tfaXFIX\naJA6PxM4J49ZaiEpLrKfxMz5kAhjKchCBEMcH3mGt+iNZH7EOyTvHjpGrP2OZrsh\nO17yrvN3HuQxIU6roJlqtZz2iAADsoPtwOO4D7hupm9XTMkSnAmlMWOo/q46Jz89\n1sMxB+dXmH/zV0wgwh0omZfLV0u89mvdq269VhcjNBpBYSnN1ccqYWd5iwziob3I\nvaavGHGfkbvRUn/tKftYuTK30q03R+e9YbmlWZ0v695owh2e/apCzowQsCKfSVC8\nOxVyt5XkHq1tWwVyBmFp\n-----END CERTIFICATE-----\n"),
 								"",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
--- a/internal/command/idp_model.go
+++ b/internal/command/idp_model.go
@@ -1758,6 +1758,7 @@ type SAMLIDPWriteModel struct {
 	Certificate                   []byte
 	Binding                       string
 	WithSignedRequest             bool
+	SignatureAlgorithm            string
 	NameIDFormat                  *domain.SAMLNameIDFormat
 	TransientMappingAttributeName string
 	FederatedLogoutEnabled        bool
@@ -1787,6 +1788,7 @@ func (wm *SAMLIDPWriteModel) reduceAddedEvent(e *idp.SAMLIDPAddedEvent) {
 	wm.Certificate = e.Certificate
 	wm.Binding = e.Binding
 	wm.WithSignedRequest = e.WithSignedRequest
+	wm.SignatureAlgorithm = e.SignatureAlgorithm
 	wm.NameIDFormat = e.NameIDFormat
 	wm.TransientMappingAttributeName = e.TransientMappingAttributeName
 	wm.FederatedLogoutEnabled = e.FederatedLogoutEnabled
@@ -1813,6 +1815,9 @@ func (wm *SAMLIDPWriteModel) reduceChangedEvent(e *idp.SAMLIDPChangedEvent) {
 	if e.WithSignedRequest != nil {
 		wm.WithSignedRequest = *e.WithSignedRequest
 	}
+	if e.SignatureAlgorithm != nil {
+		wm.SignatureAlgorithm = *e.SignatureAlgorithm
+	}
 	if e.NameIDFormat != nil {
 		wm.NameIDFormat = e.NameIDFormat
 	}
@@ -1833,6 +1838,7 @@ func (wm *SAMLIDPWriteModel) NewChanges(
 	secretCrypto crypto.EncryptionAlgorithm,
 	binding string,
 	withSignedRequest bool,
+	signatureAlgorithm string,
 	nameIDFormat *domain.SAMLNameIDFormat,
 	transientMappingAttributeName string,
 	federatedLogoutEnabled bool,
@@ -1861,6 +1867,9 @@ func (wm *SAMLIDPWriteModel) NewChanges(
 	if wm.WithSignedRequest != withSignedRequest {
 		changes = append(changes, idp.ChangeSAMLWithSignedRequest(withSignedRequest))
 	}
+	if wm.SignatureAlgorithm != signatureAlgorithm {
+		changes = append(changes, idp.ChangeSAMLSignatureAlgorithm(signatureAlgorithm))
+	}
 	if wm.NameIDFormat != nameIDFormat {
 		changes = append(changes, idp.ChangeSAMLNameIDFormat(nameIDFormat))
 	}
@@ -1902,6 +1911,9 @@ func (wm *SAMLIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encryp
 	if wm.Binding != "" {
 		opts = append(opts, saml2.WithBinding(wm.Binding))
 	}
+	if wm.WithSignedRequest && wm.SignatureAlgorithm != "" {
+		opts = append(opts, saml2.WithSignatureAlgorithm(wm.SignatureAlgorithm))
+	}
 	if wm.NameIDFormat != nil {
 		opts = append(opts, saml2.WithNameIDFormat(*wm.NameIDFormat))
 	}
--- a/internal/command/instance_idp.go
+++ b/internal/command/instance_idp.go
@@ -1793,6 +1793,7 @@ func (c *Commands) prepareAddInstanceSAMLProvider(a *instance.Aggregate, writeMo
 					cert,
 					provider.Binding,
 					provider.WithSignedRequest,
+					provider.SignatureAlgorithm,
 					provider.NameIDFormat,
 					provider.TransientMappingAttributeName,
 					provider.FederatedLogoutEnabled,
@@ -1847,6 +1848,7 @@ func (c *Commands) prepareUpdateInstanceSAMLProvider(a *instance.Aggregate, writ
 				c.idpConfigEncryption,
 				provider.Binding,
 				provider.WithSignedRequest,
+				provider.SignatureAlgorithm,
 				provider.NameIDFormat,
 				provider.TransientMappingAttributeName,
 				provider.FederatedLogoutEnabled,
@@ -1893,6 +1895,7 @@ func (c *Commands) prepareRegenerateInstanceSAMLProviderCertificate(a *instance.
 				c.idpConfigEncryption,
 				writeModel.Binding,
 				writeModel.WithSignedRequest,
+				writeModel.SignatureAlgorithm,
 				writeModel.NameIDFormat,
 				writeModel.TransientMappingAttributeName,
 				writeModel.FederatedLogoutEnabled,
--- a/internal/command/instance_idp_model.go
+++ b/internal/command/instance_idp_model.go
@@ -921,6 +921,7 @@ func (wm *InstanceSAMLIDPWriteModel) NewChangedEvent(
 	secretCrypto crypto.EncryptionAlgorithm,
 	binding string,
 	withSignedRequest bool,
+	signatureAlgorithm string,
 	nameIDFormat *domain.SAMLNameIDFormat,
 	transientMappingAttributeName string,
 	federatedLogoutEnabled bool,
@@ -934,6 +935,7 @@ func (wm *InstanceSAMLIDPWriteModel) NewChangedEvent(
 		secretCrypto,
 		binding,
 		withSignedRequest,
+		signatureAlgorithm,
 		nameIDFormat,
 		transientMappingAttributeName,
 		federatedLogoutEnabled,
--- a/internal/command/instance_idp_test.go
+++ b/internal/command/instance_idp_test.go
@@ -5435,6 +5435,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"",
 							false,
+							"",
 							nil,
 							"",
 							false,
@@ -5477,6 +5478,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"binding",
 							true,
+							"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 							gu.Ptr(domain.SAMLNameIDFormatTransient),
 							"customAttribute",
 							true,
@@ -5500,6 +5502,7 @@ func TestCommandSide_AddInstanceSAMLIDP(t *testing.T) {
 					Metadata:                      validSAMLMetadata,
 					Binding:                       "binding",
 					WithSignedRequest:             true,
+					SignatureAlgorithm:            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 					NameIDFormat:                  gu.Ptr(domain.SAMLNameIDFormatTransient),
 					TransientMappingAttributeName: "customAttribute",
 					FederatedLogoutEnabled:        true,
@@ -5666,6 +5669,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"",
 								false,
+								"",
 								nil,
 								"",
 								false,
@@ -5705,6 +5709,7 @@ func TestCommandSide_UpdateInstanceGenericSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -5850,6 +5855,7 @@ func TestCommandSide_RegenerateInstanceSAMLProviderCertificate(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
--- a/internal/command/org_idp.go
+++ b/internal/command/org_idp.go
@@ -1766,6 +1766,7 @@ func (c *Commands) prepareAddOrgSAMLProvider(a *org.Aggregate, writeModel *OrgSA
 					cert,
 					provider.Binding,
 					provider.WithSignedRequest,
+					provider.SignatureAlgorithm,
 					provider.NameIDFormat,
 					provider.TransientMappingAttributeName,
 					provider.FederatedLogoutEnabled,
@@ -1820,6 +1821,7 @@ func (c *Commands) prepareUpdateOrgSAMLProvider(a *org.Aggregate, writeModel *Or
 				c.idpConfigEncryption,
 				provider.Binding,
 				provider.WithSignedRequest,
+				provider.SignatureAlgorithm,
 				provider.NameIDFormat,
 				provider.TransientMappingAttributeName,
 				provider.FederatedLogoutEnabled,
@@ -1866,6 +1868,7 @@ func (c *Commands) prepareRegenerateOrgSAMLProviderCertificate(a *org.Aggregate,
 				c.idpConfigEncryption,
 				writeModel.Binding,
 				writeModel.WithSignedRequest,
+				writeModel.SignatureAlgorithm,
 				writeModel.NameIDFormat,
 				writeModel.TransientMappingAttributeName,
 				writeModel.FederatedLogoutEnabled,
--- a/internal/command/org_idp_model.go
+++ b/internal/command/org_idp_model.go
@@ -933,6 +933,7 @@ func (wm *OrgSAMLIDPWriteModel) NewChangedEvent(
 	secretCrypto crypto.EncryptionAlgorithm,
 	binding string,
 	withSignedRequest bool,
+	signatureAlgorithm string,
 	nameIDFormat *domain.SAMLNameIDFormat,
 	transientMappingAttributeName string,
 	federatedLogoutEnabled bool,
@@ -946,6 +947,7 @@ func (wm *OrgSAMLIDPWriteModel) NewChangedEvent(
 		secretCrypto,
 		binding,
 		withSignedRequest,
+		signatureAlgorithm,
 		nameIDFormat,
 		transientMappingAttributeName,
 		federatedLogoutEnabled,
--- a/internal/command/org_idp_test.go
+++ b/internal/command/org_idp_test.go
@@ -5517,6 +5517,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"",
 							false,
+							"",
 							nil,
 							"",
 							false,
@@ -5559,6 +5560,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) {
 							[]byte("certificate"),
 							"binding",
 							true,
+							"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 							gu.Ptr(domain.SAMLNameIDFormatTransient),
 							"customAttribute",
 							true,
@@ -5583,6 +5585,7 @@ func TestCommandSide_AddOrgSAMLIDP(t *testing.T) {
 					Metadata:                      validSAMLMetadata,
 					Binding:                       "binding",
 					WithSignedRequest:             true,
+					SignatureAlgorithm:            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 					NameIDFormat:                  gu.Ptr(domain.SAMLNameIDFormatTransient),
 					TransientMappingAttributeName: "customAttribute",
 					FederatedLogoutEnabled:        true,
@@ -5757,6 +5760,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"",
 								false,
+								"",
 								nil,
 								"",
 								false,
@@ -5797,6 +5801,7 @@ func TestCommandSide_UpdateOrgSAMLIDP(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,
@@ -5948,6 +5953,7 @@ func TestCommandSide_RegenerateOrgSAMLProviderCertificate(t *testing.T) {
 								[]byte("certificate"),
 								"binding",
 								false,
+								"",
 								gu.Ptr(domain.SAMLNameIDFormatUnspecified),
 								"",
 								false,