On 2017-05-11 01:03, Scott Koranda wrote:
Not really, the default for pysaml2 is SHA1 but there exists support for
several other algs.
See src/saml2/xmldsig/__init__.py
Thanks Roland.
I see then how I can easily patch satosa/frontends/saml2.py so that the
signing and digest can be passed into pysaml2.
My proposal is that the configuration saml2_frontend.yaml be (leaving
out the other configuration details) something like
module: satosa.frontends.saml2.SAMLFrontend
name: Saml2IDP
config:
  idp_config:
    key_file: /etc/satosa/frontend.key
    cert_file: /etc/satosa/frontend.crt
    sign_alg: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    digest_alg: 'http://www.w3.org/2001/04/xmlenc#sha256'
If sign_alg or digest_alg is not present then SATOSA will set them to be
the defaults for pysaml2, i.e.
  saml2.xmldsig.sig_default
  saml2.xmldsig.digest_default
concur and the default should be sha2
Hi,
I submitted a pull request with my suggested implementation.
I changed the implementation of how the signature/digest algorithm would
be read from the configuration just a bit.
A SAML2 IdP frontend default would be set like this:
config:
  idp_config:
    service:
      idp:
        policy:
          default:
            sign_alg: SIG_RSA_SHA1
A per-SP override applied if configured would be set like this:
config:
  idp_config:
    service:
      idp:
        policy:
          default:
            sign_alg: SIG_RSA_SHA1
          https://shibtest.my.org/shibboleth:
            sign_alg: SIG_RSA_512
If neither an IdP default nor an SP override is present then the defaults
are
  signing -> SIG_RSA_SHA256 (i.e.
  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
  digest -> DIGEST_SHA256 (i.e. "http://www.w3.org/2001/04/xmlenc#sha256")
Thanks,
Scott K
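The lookup order described in the thread (per-SP override, then the IdP policy default, then a SHA-256 fallback), written out as an added Python example. This is not SATOSA's or pysaml2's own code; the config dict, the SP entity id "https://sp.example.org/shibboleth" and the name-to-URI table are constructed for the example. The sha256 URIs are the ones quoted in the thread; the rsa-sha1 and sha1 URIs are the standard XML-DSig identifiers and are assumed to match pysaml2's SIG_RSA_SHA1 and DIGEST_SHA1 constants. The example also flags any resolved SHA-1 algorithm so an operator can spot a weak per-SP override before it ships.

```python
"""Resolve SAML signing/digest algorithms from a SATOSA-style frontend config.

Added example, not SATOSA's own implementation. Lookup order, as proposed in
the thread: per-SP override -> IdP policy default -> built-in SHA-256 fallback.
"""
from typing import Dict, List, Tuple

# Symbolic pysaml2-style names mapped to W3C algorithm URIs.
# sha256 entries are quoted in the thread; sha1 entries are the standard
# XML-DSig identifiers (assumption: same values as pysaml2's constants).
ALG_URIS: Dict[str, str] = {
    "SIG_RSA_SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SIG_RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "DIGEST_SHA1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "DIGEST_SHA256": "http://www.w3.org/2001/04/xmlenc#sha256",
}

# Fallbacks when neither an IdP default nor an SP override is configured.
DEFAULT_SIGN_ALG = "SIG_RSA_SHA256"
DEFAULT_DIGEST_ALG = "DIGEST_SHA256"

# Algorithms an operator should be warned about if they end up selected.
WEAK_ALGS = {"SIG_RSA_SHA1", "DIGEST_SHA1"}


def is_known_alg(name: str) -> bool:
    """True if the symbolic name has a URI we can hand to the signer."""
    return name in ALG_URIS


def _policy(config: dict) -> dict:
    """Walk config -> idp_config -> service -> idp -> policy, tolerating gaps."""
    node = config
    for key in ("idp_config", "service", "idp", "policy"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node


def resolve_alg(config: dict, sp_entity_id: str, key: str, fallback: str) -> str:
    """Return the symbolic algorithm name for `key` ('sign_alg'/'digest_alg')."""
    policy = _policy(config)
    # 1. Per-SP override, keyed by the SP's entity id.
    sp_policy = policy.get(sp_entity_id, {})
    if key in sp_policy:
        return sp_policy[key]
    # 2. IdP-wide default under policy.default.
    default_policy = policy.get("default", {})
    if key in default_policy:
        return default_policy[key]
    # 3. Built-in fallback (SHA-256 family).
    return fallback


def resolve_algorithms(config: dict, sp_entity_id: str) -> Tuple[str, str]:
    """Return (signing URI, digest URI) for the given SP, or raise on a bad name."""
    sign = resolve_alg(config, sp_entity_id, "sign_alg", DEFAULT_SIGN_ALG)
    digest = resolve_alg(config, sp_entity_id, "digest_alg", DEFAULT_DIGEST_ALG)
    for name in (sign, digest):
        if not is_known_alg(name):
            raise ValueError(f"unknown algorithm name in config: {name}")
    return ALG_URIS[sign], ALG_URIS[digest]


def weak_algorithms(config: dict, sp_entity_id: str) -> List[str]:
    """Symbolic names that resolve to SHA-1 for this SP (empty list if none)."""
    names = (
        resolve_alg(config, sp_entity_id, "sign_alg", DEFAULT_SIGN_ALG),
        resolve_alg(config, sp_entity_id, "digest_alg", DEFAULT_DIGEST_ALG),
    )
    return [n for n in names if n in WEAK_ALGS]


# Constructed sample config mirroring the thread's layout: a SHA-1 IdP default
# with one SP overridden to SHA-256. Entity id is a placeholder.
SAMPLE_CONFIG = {
    "idp_config": {
        "service": {
            "idp": {
                "policy": {
                    "default": {"sign_alg": "SIG_RSA_SHA1"},
                    "https://sp.example.org/shibboleth": {"sign_alg": "SIG_RSA_SHA256"},
                }
            }
        }
    }
}

if __name__ == "__main__":
    for sp in ("https://sp.example.org/shibboleth", "https://other.example.net/sp"):
        sign_uri, digest_uri = resolve_algorithms(SAMPLE_CONFIG, sp)
        print(sp, "->", sign_uri, digest_uri, "weak:", weak_algorithms(SAMPLE_CONFIG, sp))
```

With the sample config, the overridden SP gets rsa-sha256 while any other SP inherits the SHA-1 IdP default (and is reported by weak_algorithms); an empty config resolves both values to the SHA-256 fallbacks, matching the thread's stated defaults.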