feat(saml): add SignatureMethod config for SAML IDP (#10520)

# Which Problems Are Solved When a SAML IDP is created, the signing algorithm defaults to `RSA-SHA1`. This PR adds the functionality to configure the signing algorithm while creating or updating a SAML IDP. When nothing is specified, `RSA-SHA1` is the default. Available options: * RSA_SHA1 * RSA_SHA256 * RSA_SHA512 # How the Problems Are Solved By introducing a new optional config to specify the Signing Algorithm. # Additional Changes N/A # Additional Context - Closes #9842 An existing bug in the UpdateSAMLProvider API will be fixed as a followup in a different [PR](https://github.com/zitadel/zitadel/pull/10557). --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit 255d42da65)
2025-12-06 14:52:35 +00:00 · 2025-08-27 11:07:13 +02:00
parent 39c76a94a8
commit a3dac4d5cd
42 changed files with 413 additions and 7 deletions
--- a/internal/repository/idp/saml.go
+++ b/internal/repository/idp/saml.go
@@ -16,6 +16,7 @@ type SAMLIDPAddedEvent struct {
 	Key                           *crypto.CryptoValue      `json:"key,omitempty"`
 	Certificate                   []byte                   `json:"certificate,omitempty"`
 	Binding                       string                   `json:"binding,omitempty"`
+	SignatureAlgorithm            string                   `json:"signatureAlgorithm,omitempty"`
 	WithSignedRequest             bool                     `json:"withSignedRequest,omitempty"`
 	NameIDFormat                  *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"`
 	TransientMappingAttributeName string                   `json:"transientMappingAttributeName,omitempty"`
@@ -32,6 +33,7 @@ func NewSAMLIDPAddedEvent(
 	certificate []byte,
 	binding string,
 	withSignedRequest bool,
+	signatureAlgorithm string,
 	nameIDFormat *domain.SAMLNameIDFormat,
 	transientMappingAttributeName string,
 	federatedLogoutEnabled bool,
@@ -46,6 +48,7 @@ func NewSAMLIDPAddedEvent(
 		Certificate:                   certificate,
 		Binding:                       binding,
 		WithSignedRequest:             withSignedRequest,
+		SignatureAlgorithm:            signatureAlgorithm,
 		NameIDFormat:                  nameIDFormat,
 		TransientMappingAttributeName: transientMappingAttributeName,
 		FederatedLogoutEnabled:        federatedLogoutEnabled,
@@ -84,6 +87,7 @@ type SAMLIDPChangedEvent struct {
 	Certificate                   []byte                   `json:"certificate,omitempty"`
 	Binding                       *string                  `json:"binding,omitempty"`
 	WithSignedRequest             *bool                    `json:"withSignedRequest,omitempty"`
+	SignatureAlgorithm            *string                  `json:"signatureAlgorithm,omitempty"`
 	NameIDFormat                  *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"`
 	TransientMappingAttributeName *string                  `json:"transientMappingAttributeName,omitempty"`
 	FederatedLogoutEnabled        *bool                    `json:"federatedLogoutEnabled,omitempty"`
@@ -146,6 +150,12 @@ func ChangeSAMLWithSignedRequest(withSignedRequest bool) func(*SAMLIDPChangedEve
 	}
 }

+func ChangeSAMLSignatureAlgorithm(signatureAlgorithm string) func(*SAMLIDPChangedEvent) {
+	return func(e *SAMLIDPChangedEvent) {
+		e.SignatureAlgorithm = &signatureAlgorithm
+	}
+}
+
 func ChangeSAMLNameIDFormat(nameIDFormat *domain.SAMLNameIDFormat) func(*SAMLIDPChangedEvent) {
 	return func(e *SAMLIDPChangedEvent) {
 		e.NameIDFormat = nameIDFormat