feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-06 14:42:26 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/command/idp_model.go
+++ b/internal/command/idp_model.go
@@ -1758,6 +1758,7 @@ type SAMLIDPWriteModel struct {
 	Certificate                   []byte
 	Binding                       string
 	WithSignedRequest             bool
+	SignatureAlgorithm            string
 	NameIDFormat                  *domain.SAMLNameIDFormat
 	TransientMappingAttributeName string
 	FederatedLogoutEnabled        bool
@@ -1787,6 +1788,7 @@ func (wm *SAMLIDPWriteModel) reduceAddedEvent(e *idp.SAMLIDPAddedEvent) {
 	wm.Certificate = e.Certificate
 	wm.Binding = e.Binding
 	wm.WithSignedRequest = e.WithSignedRequest
+	wm.SignatureAlgorithm = e.SignatureAlgorithm
 	wm.NameIDFormat = e.NameIDFormat
 	wm.TransientMappingAttributeName = e.TransientMappingAttributeName
 	wm.FederatedLogoutEnabled = e.FederatedLogoutEnabled
@@ -1813,6 +1815,9 @@ func (wm *SAMLIDPWriteModel) reduceChangedEvent(e *idp.SAMLIDPChangedEvent) {
 	if e.WithSignedRequest != nil {
 		wm.WithSignedRequest = *e.WithSignedRequest
 	}
+	if e.SignatureAlgorithm != nil {
+		wm.SignatureAlgorithm = *e.SignatureAlgorithm
+	}
 	if e.NameIDFormat != nil {
 		wm.NameIDFormat = e.NameIDFormat
 	}
@@ -1833,6 +1838,7 @@ func (wm *SAMLIDPWriteModel) NewChanges(
 	secretCrypto crypto.EncryptionAlgorithm,
 	binding string,
 	withSignedRequest bool,
+	signatureAlgorithm string,
 	nameIDFormat *domain.SAMLNameIDFormat,
 	transientMappingAttributeName string,
 	federatedLogoutEnabled bool,
@@ -1861,6 +1867,9 @@ func (wm *SAMLIDPWriteModel) NewChanges(
 	if wm.WithSignedRequest != withSignedRequest {
 		changes = append(changes, idp.ChangeSAMLWithSignedRequest(withSignedRequest))
 	}
+	if wm.SignatureAlgorithm != signatureAlgorithm {
+		changes = append(changes, idp.ChangeSAMLSignatureAlgorithm(signatureAlgorithm))
+	}
 	if wm.NameIDFormat != nameIDFormat {
 		changes = append(changes, idp.ChangeSAMLNameIDFormat(nameIDFormat))
 	}
@@ -1902,6 +1911,9 @@ func (wm *SAMLIDPWriteModel) ToProvider(callbackURL string, idpAlg crypto.Encryp
 	if wm.Binding != "" {
 		opts = append(opts, saml2.WithBinding(wm.Binding))
 	}
+	if wm.WithSignedRequest && wm.SignatureAlgorithm != "" {
+		opts = append(opts, saml2.WithSignatureAlgorithm(wm.SignatureAlgorithm))
+	}
 	if wm.NameIDFormat != nil {
 		opts = append(opts, saml2.WithNameIDFormat(*wm.NameIDFormat))
 	}