feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-07 04:52:03 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/query/idp_template.go
+++ b/internal/query/idp_template.go
@@ -163,6 +163,7 @@ type SAMLIDPTemplate struct {
 	Certificate                   []byte
 	Binding                       string
 	WithSignedRequest             bool
+	SignatureAlgorithm            string
 	NameIDFormat                  sql.Null[domain.SAMLNameIDFormat]
 	TransientMappingAttributeName string
 	FederatedLogoutEnabled        bool
@@ -717,6 +718,10 @@ var (
 		name:  projection.SAMLWithSignedRequestCol,
 		table: samlIdpTemplateTable,
 	}
+	SAMLSignatureAlgorithmCol = Column{
+		name:  projection.SAMLSignatureAlgorithmCol,
+		table: samlIdpTemplateTable,
+	}
 	SAMLNameIDFormatCol = Column{
 		name:  projection.SAMLNameIDFormatCol,
 		table: samlIdpTemplateTable,
@@ -951,6 +956,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
 			SAMLCertificateCol.identifier(),
 			SAMLBindingCol.identifier(),
 			SAMLWithSignedRequestCol.identifier(),
+			SAMLSignatureAlgorithmCol.identifier(),
 			SAMLNameIDFormatCol.identifier(),
 			SAMLTransientMappingAttributeNameCol.identifier(),
 			SAMLFederatedLogoutEnabledCol.identifier(),
@@ -1071,6 +1077,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
 			var samlCertificate []byte
 			samlBinding := sql.NullString{}
 			samlWithSignedRequest := sql.NullBool{}
+			samlSignatureAlgorithm := sql.NullString{}
 			samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
 			samlTransientMappingAttributeName := sql.NullString{}
 			samlFederatedLogoutEnabled := sql.NullBool{}
@@ -1189,6 +1196,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
 				&samlCertificate,
 				&samlBinding,
 				&samlWithSignedRequest,
+				&samlSignatureAlgorithm,
 				&samlNameIDFormat,
 				&samlTransientMappingAttributeName,
 				&samlFederatedLogoutEnabled,
@@ -1329,6 +1337,7 @@ func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTempla
 					Certificate:                   samlCertificate,
 					Binding:                       samlBinding.String,
 					WithSignedRequest:             samlWithSignedRequest.Bool,
+					SignatureAlgorithm:            samlSignatureAlgorithm.String,
 					NameIDFormat:                  samlNameIDFormat,
 					TransientMappingAttributeName: samlTransientMappingAttributeName.String,
 					FederatedLogoutEnabled:        samlFederatedLogoutEnabled.Bool,
@@ -1463,6 +1472,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
 			SAMLCertificateCol.identifier(),
 			SAMLBindingCol.identifier(),
 			SAMLWithSignedRequestCol.identifier(),
+			SAMLSignatureAlgorithmCol.identifier(),
 			SAMLNameIDFormatCol.identifier(),
 			SAMLTransientMappingAttributeNameCol.identifier(),
 			SAMLFederatedLogoutEnabledCol.identifier(),
@@ -1588,6 +1598,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
 				var samlCertificate []byte
 				samlBinding := sql.NullString{}
 				samlWithSignedRequest := sql.NullBool{}
+				samlSignatureAlgorithm := sql.NullString{}
 				samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
 				samlTransientMappingAttributeName := sql.NullString{}
 				samlFederatedLogoutEnabled := sql.NullBool{}
@@ -1706,6 +1717,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
 					&samlCertificate,
 					&samlBinding,
 					&samlWithSignedRequest,
+					&samlSignatureAlgorithm,
 					&samlNameIDFormat,
 					&samlTransientMappingAttributeName,
 					&samlFederatedLogoutEnabled,
@@ -1845,6 +1857,7 @@ func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplate
 						Certificate:                   samlCertificate,
 						Binding:                       samlBinding.String,
 						WithSignedRequest:             samlWithSignedRequest.Bool,
+						SignatureAlgorithm:            samlSignatureAlgorithm.String,
 						NameIDFormat:                  samlNameIDFormat,
 						TransientMappingAttributeName: samlTransientMappingAttributeName.String,
 						FederatedLogoutEnabled:        samlFederatedLogoutEnabled.Bool,