Open Aravin opened 6 years ago
From this defect https://github.com/i8beef/SAML2/issues/4 I came to know that SHA256 is not supported!
Can you suggest where the SHA1 encoding is happening, so that I can modify it as per my requirement?
Also, I came to know that SHA256 is available after .NET 4.6.2.
@i8beef
I'll help you with this, but I don't have an IDP for testing anymore, so we have to be very careful with this. I recommend pulling down the repo and familiarizing yourself with it. Here's a basic guide to where I'd look.
These are just the areas I can think of off the top of my head.
@i8beef, in the AuthRequest,
can I just replace SHA1 with SHA256?
No, the code actually has to be changed to generate the signature with the specified algorithm. You can't just claim that a SHA1 signature is a SHA256 signature. It won't validate. Both sides (IDP and SP) will specify their signing method and validation cert public key in their metadata exchange.
In theory, I think you might be able to have a mismatch here, where the IDP says they will sign with SHA256, and your SP can still say it's going to sign ITS messages with SHA1, but I don't think I'd actually do that in practice when setting up my application; I'd try and make them match.
But if your IDP allowed this, you could conceivably change just the metadata and IDP message signature validation to support other algorithms, and let it always use SHA1 for the SP messages you send. As a feature though, if I accept a PR on this I think I'd want to make sure we covered both sides on this.
I hate to comment on a closed thread, @i8beef , but has anyone attempted this yet?
I've got a client who's now changing IdP to Okta, and we're having issues using SHA1 with them. We were hoping this would have been a simple config change, but it doesn't appear that way.
No, no one has picked this up. Unfortunately, I no longer have testing environments for this library, so I rely on others to verify requested changes. The original spec only really supported SHA1 at the time, so SHA256, etc. weren't an option until recently.
For this one, it cuts to several places that are hard coded that need to be made configurable, so someone needs to be able to test both the original behavior as well as the new configurable SHA256 path. That's sort of a tall order, but if you want to undertake it, I will review as best I can.
I am working on this problem. I am new to github, and don't really know the processes or etiquette yet. When I get it working properly I'll post a pull request and transfer the code. I have a limited testing environment, so I am hoping that others with more robust IdPs will help test it out.
By default it is taking:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
But I need SHA256:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
How do I configure this?
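Added example, not code from the SAML2 library or from anyone in this thread: it shows, with the .NET `System.Security.Cryptography.Xml` API the library builds on, what i8beef's point above means in practice and what the last comment is asking for. An enveloped XML-DSig signature is produced over a constructed, minimal `AuthnRequest` with RSA-SHA256, and then the same request is signed with RSA-SHA1 and only its `SignatureMethod` URI is relabelled as RSA-SHA256, which fails validation: the algorithm URI is part of the signed `SignedInfo`, and the digest used must match the URI. Two caveats a practitioner will want: the registered identifier for RSA with SHA-256 (RFC 4051) is `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`, not `http://www.w3.org/2000/09/xmldsig#rsa-sha256` as written in the comment above, and the matching digest URI is `http://www.w3.org/2001/04/xmlenc#sha256`; and on .NET Framework before 4.6.2 `SignedXml` does not recognise the RSA-SHA256 URI at all and throws a `CryptographicException` from `ComputeSignature`/`CheckSignature` instead of returning false. The sample XML, element ID `_req1` and the throwaway key from `RSA.Create()` are assumptions for the demo; a real SP signs with the key behind the certificate published in its metadata.

```csharp
// Added example (not part of the SAML2 library): sign an AuthnRequest with RSA-SHA256
// using System.Security.Cryptography.Xml, then show that relabelling an RSA-SHA1
// signature as RSA-SHA256 does not validate.
// Requires .NET Framework 4.6.2+ or .NET Core/.NET 5+ for RSA-SHA256 in SignedXml.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlSigningDemo
{
    // Standard XML-DSig / RFC 4051 algorithm identifiers.
    const string RsaSha1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string Sha1      = "http://www.w3.org/2000/09/xmldsig#sha1";
    const string Sha256    = "http://www.w3.org/2001/04/xmlenc#sha256";

    // Constructed, minimal AuthnRequest for the demo; a real request carries more attributes.
    const string SampleXml =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
        "ID=\"_req1\" Version=\"2.0\" IssueInstant=\"2019-01-01T00:00:00Z\">" +
        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://sp.example</saml:Issuer>" +
        "</samlp:AuthnRequest>";

    static XmlDocument Load()
    {
        // PreserveWhitespace keeps canonicalization stable between signing and verifying.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleXml);
        return doc;
    }

    // Produce an enveloped signature over the element with ID="_req1".
    // signatureMethod and digestMethod are the URIs that end up inside <ds:SignedInfo>.
    static XmlDocument Sign(RSA key, string signatureMethod, string digestMethod)
    {
        var doc = Load();
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = signatureMethod;
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        var reference = new Reference("#_req1") { DigestMethod = digestMethod };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        signedXml.ComputeSignature();

        // SAML places ds:Signature directly after saml:Issuer.
        XmlNode issuer = doc.DocumentElement.FirstChild;
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);
        return doc;
    }

    // Validate the enveloped signature against the peer's public key (from metadata in practice).
    static bool Verify(XmlDocument doc, RSA publicKey)
    {
        var sigNode = (XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigNode);
        return signedXml.CheckSignature(publicKey);
    }

    static void Main()
    {
        // Throwaway key for the demo; the SP's real key is the one behind its metadata certificate.
        using (RSA rsa = RSA.Create())
        {
            // 1. Actually signed with RSA-SHA256 and a SHA-256 digest: validates.
            XmlDocument good = Sign(rsa, RsaSha256, Sha256);
            Console.WriteLine("rsa-sha256 signed, verify: " + Verify(good, rsa));

            // 2. Signed with RSA-SHA1, then only the SignatureMethod URI is changed: fails,
            //    because SignedInfo (including that URI) is what the signature covers and the
            //    verifier now hashes it with SHA-256.
            XmlDocument relabelled = Sign(rsa, RsaSha1, Sha1);
            var method = (XmlElement)relabelled.GetElementsByTagName("SignatureMethod", SignedXml.XmlDsigNamespaceUrl)[0];
            method.SetAttribute("Algorithm", RsaSha256);
            Console.WriteLine("rsa-sha1 relabelled as rsa-sha256, verify: " + Verify(relabelled, rsa));
        }
    }
}
```

Making this configurable in the library means threading both URIs (signature method and reference digest method) from configuration into wherever `SignedInfo.SignatureMethod` and `Reference.DigestMethod` are set for outgoing messages, and, on the validation side, not hard-coding the expected URI but accepting whatever the IdP's metadata declares; `CheckSignature` itself derives the hash from the URI in the received `SignedInfo`.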