python-social-auth / social-core

Python Social Auth - Core
BSD 3-Clause "New" or "Revised" License

SAML: Change the default signatureAlgorithm setting #625

Open mateuszmandera opened 3 years ago

mateuszmandera commented 3 years ago

As mentioned in https://github.com/onelogin/python-saml/issues/269, the default signatureAlgorithm used for signing SAMLRequests is rsa-sha1. With SHA1 being insecure, that's clearly not ideal (and may cause issues with certain providers who may reject such signatures) and until upstream changes this default, the setting should probably be overridden in python-social-auth to use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
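The override the issue asks for can already be applied from the application side today. The following is an added example, not code from python-social-auth or python-saml: it models how the `SOCIAL_AUTH_SAML_SECURITY_CONFIG` setting (read by the `SAMLAuth` backend as `SECURITY_CONFIG`) is layered over python-saml's defaults, and adds a small audit helper that flags any remaining SHA-1 based algorithm. The upstream default dict below is an assumption based on the issue's description (rsa-sha1 signing, sha1 digest, request signing off); the algorithm URIs are the standard XML Signature identifiers.

```python
"""Audit and harden the SAML signing algorithms python-social-auth hands to python-saml.

Added example, not code from python-social-auth or python-saml. It assumes
that SOCIAL_AUTH_SAML_SECURITY_CONFIG is merged into the "security" section of
the python-saml settings dict and that python-saml defaults both algorithms to
SHA-1, as the issue describes.
"""

# Algorithm URIs from the XML Signature / XML Encryption specifications.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Assumed upstream fallback when the application sets nothing (the issue's complaint).
UPSTREAM_DEFAULT_SECURITY = {
    "authnRequestsSigned": False,
    "signatureAlgorithm": RSA_SHA1,
    "digestAlgorithm": SHA1,
}

# The application-side override the issue proposes: sign requests with RSA-SHA256
# and hash references with SHA-256 instead of SHA-1.
SOCIAL_AUTH_SAML_SECURITY_CONFIG = {
    "authnRequestsSigned": True,
    "signatureAlgorithm": RSA_SHA256,
    "digestAlgorithm": SHA256,
}


def effective_security(override):
    """Return the security dict python-saml ends up with: upstream defaults, then overrides."""
    merged = dict(UPSTREAM_DEFAULT_SECURITY)
    merged.update(override or {})
    return merged


def weak_algorithms(security):
    """Return the names of the security keys that still select a SHA-1 based algorithm."""
    weak = []
    for key in ("signatureAlgorithm", "digestAlgorithm"):
        uri = security.get(key, "")
        # Both SHA-1 URIs end in 'sha1'; the SHA-2 ones end in 'sha256', 'sha384' or 'sha512'.
        if uri.rsplit("#", 1)[-1].endswith("sha1"):
            weak.append(key)
    return weak


def check_settings(override):
    """True if the merged configuration selects no SHA-1 based algorithm."""
    return not weak_algorithms(effective_security(override))


if __name__ == "__main__":
    print("no override   ->", weak_algorithms(effective_security({})))
    print("with override ->", weak_algorithms(effective_security(SOCIAL_AUTH_SAML_SECURITY_CONFIG)))
```

Note that setting only `signatureAlgorithm` leaves the `digestAlgorithm` at SHA-1, which is why the audit checks both keys; IdPs that reject SHA-1 signatures typically reject SHA-1 digests as well.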

timabbott commented 2 years ago

@nijel @omab would you take a PR to do this override?

https://github.com/onelogin/python-saml/issues/289 is the latest version of the above issue (the original was closed with only a documentation change, which is not insufficient).

nijel commented 2 years ago

I'd really prefer this to be addressed in python-saml. Having override in every library using it will again need updating all libraries once there is a better default instead of sha256.