feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-06 15:12:14 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/idp/providers/saml/saml.go
+++ b/internal/idp/providers/saml/saml.go
@@ -32,6 +32,7 @@ type Provider struct {
 	spOptions *samlsp.Options

 	binding                       string
+	signatureAlgorithm            string
 	nameIDFormat                  saml.NameIDFormat
 	transientMappingAttributeName string

@@ -84,6 +85,12 @@ func WithBinding(binding string) ProviderOpts {
 	}
 }

+func WithSignatureAlgorithm(signatureAlgorithm string) ProviderOpts {
+	return func(p *Provider) {
+		p.signatureAlgorithm = signatureAlgorithm
+	}
+}
+
 func WithNameIDFormat(format domain.SAMLNameIDFormat) ProviderOpts {
 	return func(p *Provider) {
 		p.nameIDFormat = nameIDFormatFromDomain(format)
@@ -219,6 +226,9 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) {
 	if p.binding != "" {
 		sp.Binding = p.binding
 	}
+	if p.signatureAlgorithm != "" {
+		sp.ServiceProvider.SignatureMethod = p.signatureAlgorithm
+	}
 	sp.ServiceProvider.MetadataValidDuration = time.Until(sp.ServiceProvider.Certificate.NotAfter)
 	return sp, nil
 }
--- a/internal/idp/providers/saml/saml_test.go
+++ b/internal/idp/providers/saml/saml_test.go
@@ -165,6 +165,7 @@ func TestProvider_Options(t *testing.T) {
 		nameIDFormat                  saml.NameIDFormat
 		transientMappingAttributeName string
 		withSignedRequest             bool
+		signatureAlgorithm            string
 		requesttracker                samlsp.RequestTracker
 		entityID                      string
 	}
@@ -257,6 +258,7 @@ func TestProvider_Options(t *testing.T) {
 					WithAutoUpdate(),
 					WithBinding("binding"),
 					WithSignedRequest(),
+					WithSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"),
 					WithCustomRequestTracker(&requesttracker.RequestTracker{}),
 					WithEntityID("entityID"),
 					WithNameIDFormat(domain.SAMLNameIDFormatTransient),
@@ -274,6 +276,7 @@ func TestProvider_Options(t *testing.T) {
 				nameIDFormat:                  saml.TransientNameIDFormat,
 				transientMappingAttributeName: "attribute",
 				withSignedRequest:             true,
+				signatureAlgorithm:            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
 				requesttracker:                &requesttracker.RequestTracker{},
 			},
 		},
@@ -297,6 +300,7 @@ func TestProvider_Options(t *testing.T) {
 				a.Equal(tt.want.nameIDFormat, provider.nameIDFormat)
 				a.Equal(tt.want.transientMappingAttributeName, provider.transientMappingAttributeName)
 				a.Equal(tt.want.withSignedRequest, provider.spOptions.SignRequest)
+				a.Equal(tt.want.signatureAlgorithm, provider.signatureAlgorithm)
 				a.Equal(tt.want.requesttracker, provider.requestTracker)
 				a.Equal(tt.want.entityID, provider.spOptions.EntityID)
 			}