TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-06 19:36:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(saml): add SignatureMethod config for SAML IDP (#10520)

Browse Source 
# Which Problems Are Solved
When a SAML IDP is created, the signing algorithm defaults to
`RSA-SHA1`.
This PR adds the functionality to configure the signing algorithm while
creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1`
is the default.

Available options:
* RSA_SHA1
* RSA_SHA256
* RSA_SHA512

# How the Problems Are Solved

By introducing a new optional config to specify the Signing Algorithm.

# Additional Changes
N/A

# Additional Context
- Closes #9842

An existing bug in the UpdateSAMLProvider API will be fixed as a
followup in a different
[PR](https://github.com/zitadel/zitadel/pull/10557).

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 255d42da65)
This commit is contained in:
Gayathri Vijayan
2025-08-27 11:07:13 +02:00
committed by Livio Spring
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/query/idp_template.go
View File

@@ -163,6 +163,7 @@ type SAMLIDPTemplate struct {
Certificate []byte
Binding string
WithSignedRequest bool
SignatureAlgorithm string
NameIDFormat sql.Null[domain.SAMLNameIDFormat]
TransientMappingAttributeName string
FederatedLogoutEnabled bool
@@ -717,6 +718,10 @@ var (
name: projection.SAMLWithSignedRequestCol,
table: samlIdpTemplateTable,
}
SAMLSignatureAlgorithmCol = Column{
name: projection.SAMLSignatureAlgorithmCol,
table: samlIdpTemplateTable,
}
SAMLNameIDFormatCol = Column{
name: projection.SAMLNameIDFormatCol,
table: samlIdpTemplateTable,
@@ -951,6 +956,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
SAMLSignatureAlgorithmCol.identifier(),
SAMLNameIDFormatCol.identifier(),
SAMLTransientMappingAttributeNameCol.identifier(),
SAMLFederatedLogoutEnabledCol.identifier(),
@@ -1071,6 +1077,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
samlSignatureAlgorithm := sql.NullString{}
samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
samlTransientMappingAttributeName := sql.NullString{}
samlFederatedLogoutEnabled := sql.NullBool{}
@@ -1189,6 +1196,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
&samlSignatureAlgorithm,
&samlNameIDFormat,
&samlTransientMappingAttributeName,
&samlFederatedLogoutEnabled,
@@ -1329,6 +1337,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
SignatureAlgorithm: samlSignatureAlgorithm.String,
NameIDFormat: samlNameIDFormat,
TransientMappingAttributeName: samlTransientMappingAttributeName.String,
FederatedLogoutEnabled: samlFederatedLogoutEnabled.Bool,
@@ -1463,6 +1472,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
SAMLSignatureAlgorithmCol.identifier(),
SAMLNameIDFormatCol.identifier(),
SAMLTransientMappingAttributeNameCol.identifier(),
SAMLFederatedLogoutEnabledCol.identifier(),
@@ -1588,6 +1598,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
samlSignatureAlgorithm := sql.NullString{}
samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
samlTransientMappingAttributeName := sql.NullString{}
samlFederatedLogoutEnabled := sql.NullBool{}
@@ -1706,6 +1717,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
&samlSignatureAlgorithm,
&samlNameIDFormat,
&samlTransientMappingAttributeName,
&samlFederatedLogoutEnabled,
@@ -1845,6 +1857,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
SignatureAlgorithm: samlSignatureAlgorithm.String,
NameIDFormat: samlNameIDFormat,
TransientMappingAttributeName: samlTransientMappingAttributeName.String,
FederatedLogoutEnabled: samlFederatedLogoutEnabled.Bool,

29
internal/query/idp_template_test.go
View File

@@ -97,6 +97,7 @@ var (
` projections.idp_templates6_saml.certificate,` +
` projections.idp_templates6_saml.binding,` +
` projections.idp_templates6_saml.with_signed_request,` +
` projections.idp_templates6_saml.signature_algorithm,` +
` projections.idp_templates6_saml.name_id_format,` +
` projections.idp_templates6_saml.transient_mapping_attribute_name,` +
` projections.idp_templates6_saml.federated_logout_enabled,` +
@@ -227,6 +228,7 @@ var (
"certificate",
"binding",
"with_signed_request",
"signature_algorithm",
"name_id_format",
"transient_mapping_attribute_name",
"federated_logout_enabled",
@@ -344,6 +346,7 @@ var (
` projections.idp_templates6_saml.certificate,` +
` projections.idp_templates6_saml.binding,` +
` projections.idp_templates6_saml.with_signed_request,` +
` projections.idp_templates6_saml.signature_algorithm,` +
` projections.idp_templates6_saml.name_id_format,` +
` projections.idp_templates6_saml.transient_mapping_attribute_name,` +
` projections.idp_templates6_saml.federated_logout_enabled,` +
@@ -475,6 +478,7 @@ var (
"certificate",
"binding",
"with_signed_request",
"signature_algorithm",
"name_id_format",
"transient_mapping_attribute_name",
"federated_logout_enabled",
@@ -635,6 +639,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -790,6 +795,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -943,6 +949,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1094,6 +1101,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1244,6 +1252,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1394,6 +1403,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1545,6 +1555,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -1691,7 +1702,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
"binding",
false,
true,
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
domain.SAMLNameIDFormatTransient,
"customAttribute",
true,
@@ -1751,7 +1763,8 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
Key: nil,
Certificate: nil,
Binding: "binding",
WithSignedRequest: false,
WithSignedRequest: true,
SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
NameIDFormat: sql.Null[domain.SAMLNameIDFormat]{V: domain.SAMLNameIDFormatTransient, Valid: true},
TransientMappingAttributeName: "customAttribute",
FederatedLogoutEnabled: true,
@@ -1850,6 +1863,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
"idp-id",
database.TextArray[string]{"server"},
@@ -2021,6 +2035,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2173,6 +2188,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2353,6 +2369,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
"idp-id",
database.TextArray[string]{"server"},
@@ -2533,6 +2550,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -2686,6 +2704,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
"idp-id-ldap",
database.TextArray[string]{"server"},
@@ -2801,6 +2820,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
"binding",
false,
nil,
domain.SAMLNameIDFormatTransient,
"customAttribute",
true,
@@ -2922,6 +2942,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -3040,6 +3061,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -3158,6 +3180,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -3276,6 +3299,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
nil,
nil,
nil,
nil,
// ldap config
nil,
nil,
@@ -3382,6 +3406,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
Certificate: nil,
Binding: "binding",
WithSignedRequest: false,
SignatureAlgorithm: "",
NameIDFormat: sql.Null[domain.SAMLNameIDFormat]{V: domain.SAMLNameIDFormatTransient, Valid: true},
TransientMappingAttributeName: "customAttribute",
FederatedLogoutEnabled: true,

6
internal/query/projection/idp_template.go
View File

@@ -171,6 +171,7 @@ const (
SAMLCertificateCol = "certificate"
SAMLBindingCol = "binding"
SAMLWithSignedRequestCol = "with_signed_request"
SAMLSignatureAlgorithmCol = "signature_algorithm"
SAMLNameIDFormatCol = "name_id_format"
SAMLTransientMappingAttributeName = "transient_mapping_attribute_name"
SAMLFederatedLogoutEnabled = "federated_logout_enabled"
@@ -376,6 +377,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
handler.NewColumn(SAMLCertificateCol, handler.ColumnTypeBytes),
handler.NewColumn(SAMLBindingCol, handler.ColumnTypeText, handler.Nullable()),
handler.NewColumn(SAMLWithSignedRequestCol, handler.ColumnTypeBool, handler.Nullable()),
handler.NewColumn(SAMLSignatureAlgorithmCol, handler.ColumnTypeText, handler.Default("")),
handler.NewColumn(SAMLNameIDFormatCol, handler.ColumnTypeEnum, handler.Nullable()),
handler.NewColumn(SAMLTransientMappingAttributeName, handler.ColumnTypeText, handler.Nullable()),
handler.NewColumn(SAMLFederatedLogoutEnabled, handler.ColumnTypeBool, handler.Default(false)),
@@ -1991,6 +1993,7 @@ func (p *idpTemplateProjection) reduceSAMLIDPAdded(event eventstore.Event) (*han
handler.NewCol(SAMLCertificateCol, idpEvent.Certificate),
handler.NewCol(SAMLBindingCol, idpEvent.Binding),
handler.NewCol(SAMLWithSignedRequestCol, idpEvent.WithSignedRequest),
handler.NewCol(SAMLSignatureAlgorithmCol, idpEvent.SignatureAlgorithm),
handler.NewCol(SAMLTransientMappingAttributeName, idpEvent.TransientMappingAttributeName),
handler.NewCol(SAMLFederatedLogoutEnabled, idpEvent.FederatedLogoutEnabled),
}
@@ -2522,6 +2525,9 @@ func reduceSAMLIDPChangedColumns(idpEvent idp.SAMLIDPChangedEvent) []handler.Col
if idpEvent.WithSignedRequest != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLWithSignedRequestCol, *idpEvent.WithSignedRequest))
}
if idpEvent.SignatureAlgorithm != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLSignatureAlgorithmCol, *idpEvent.SignatureAlgorithm))
}
if idpEvent.NameIDFormat != nil {
SAMLCols = append(SAMLCols, handler.NewCol(SAMLNameIDFormatCol, *idpEvent.NameIDFormat))
}

53
internal/query/projection/idp_template_test.go
View File

@@ -2789,6 +2789,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
"nameIDFormat": 3,
"transientMappingAttributeName": "customAttribute",
"withSignedRequest": true,
"signatureAlgorithm": "",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -2825,7 +2826,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, transient_mapping_attribute_name, federated_logout_enabled, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, signature_algorithm, transient_mapping_attribute_name, federated_logout_enabled, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
@@ -2834,6 +2835,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
anyArg{},
"binding",
true,
"",
"customAttribute",
true,
domain.SAMLNameIDFormatTransient,
@@ -2863,6 +2865,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
"nameIDFormat": 3,
"transientMappingAttributeName": "customAttribute",
"withSignedRequest": true,
"signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -2899,7 +2902,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
},
},
{
expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, transient_mapping_attribute_name, federated_logout_enabled, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
expectedStmt: "INSERT INTO projections.idp_templates6_saml (idp_id, instance_id, metadata, key, certificate, binding, with_signed_request, signature_algorithm, transient_mapping_attribute_name, federated_logout_enabled, name_id_format) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)",
expectedArgs: []interface{}{
"idp-id",
"instance-id",
@@ -2908,6 +2911,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
anyArg{},
"binding",
true,
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
"customAttribute",
true,
domain.SAMLNameIDFormatTransient,
@@ -2958,6 +2962,47 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
},
},
},
{
name: "instance reduceSAMLIDPChanged - signature algorithm",
args: args{
event: getEvent(testEvent(
instance.SAMLIDPChangedEventType,
instance.AggregateType,
[]byte(`{
"id": "idp-id",
"name": "custom-zitadel-instance",
"signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
}`),
), instance.SAMLIDPChangedEventMapper),
},
reduce: (&idpTemplateProjection{}).reduceSAMLIDPChanged,
want: wantReduce{
aggregateType: eventstore.AggregateType("instance"),
sequence: 15,
executer: &testExecuter{
executions: []execution{
{
expectedStmt: "UPDATE projections.idp_templates6 SET (name, change_date, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
expectedArgs: []interface{}{
"custom-zitadel-instance",
anyArg{},
uint64(15),
"idp-id",
"instance-id",
},
},
{
expectedStmt: "UPDATE projections.idp_templates6_saml SET signature_algorithm = $1 WHERE (idp_id = $2) AND (instance_id = $3)",
expectedArgs: []interface{}{
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"idp-id",
"instance-id",
},
},
},
},
},
},
{
name: "instance reduceSAMLIDPChanged",
args: args{
@@ -2976,6 +3021,7 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
"certificate": `+stringToJSONByte("certificate")+`,
"binding": "binding",
"withSignedRequest": true,
"signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
"isCreationAllowed": true,
"isLinkingAllowed": true,
"isAutoCreation": true,
@@ -3007,13 +3053,14 @@ func TestIDPTemplateProjection_reducesSAML(t *testing.T) {
},
},
{
expectedStmt: "UPDATE projections.idp_templates6_saml SET (metadata, key, certificate, binding, with_signed_request, federated_logout_enabled) = ($1, $2, $3, $4, $5, $6) WHERE (idp_id = $7) AND (instance_id = $8)",
expectedStmt: "UPDATE projections.idp_templates6_saml SET (metadata, key, certificate, binding, with_signed_request, signature_algorithm, federated_logout_enabled) = ($1, $2, $3, $4, $5, $6, $7) WHERE (idp_id = $8) AND (instance_id = $9)",
expectedArgs: []interface{}{
[]byte("metadata"),
anyArg{},
anyArg{},
"binding",
true,
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
true,
"idp-id",
"instance-id",