Related to #963
In the configuration documentation here (https://pysaml2.readthedocs.io/en/latest/howto/config.html#signing-algorithm), it is suggested that the signing_algorithm and digest_algorithm may be set by setting those values in the configuration file under "service" and either "idp" or "sp". This means that they will be placed under the "sp" or "idp" context in the config object and can only be retrieved by specifying that context, e.g. self.config.getattr("signing_algorithm", "sp"). However, the values are read from within the Entity constructor, which does not respect the context and instead looks for top-level configs:
pysaml2/src/saml2/entity.py, lines 143 to 144 in 7cb4f09
If configs are set in the nested location, they will not be picked up and the default, SHA1, will be used. This is particularly problematic as RHEL9 has recently removed all SHA1 support for security reasons, so xmlsec1 throws errors when called with a SHA1 algorithm specified.
Code Version
pysaml2 7.5.0
Expected Behavior
Either setting the config in the place specified by the docs (i.e. nested in "service" / "sp") should set the signing and digest algorithms used in the XML file, or the documentation needs to be updated to reflect the correct place to specify signing_algorithm and digest_algorithm.
Current Behavior
SHA1 is used for both signing_algorithm and digest_algorithm if the values are set in the locations specified in the documentation.
Possible Solution
Alter the docs or check both locations for the config values.
Steps to Reproduce
With a functioning service provider: Set the signing_algorithm and digest_algorithm configs as specified in the docs to any value other than SHA1.
Run the SAML workflow with a SAML tracer and look at the GET request sent to the IdP. In the <ns2:Signature Id="Signature1"> block, you should see <ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> and <ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> regardless of what was set in the config.
Edit the config such that signing_algorithm and digest_algorithm are top-level instead of nested values.
Repeat the SAML workflow and you will see that the configured algorithms are used.
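The lookup mismatch and the reproduction check above, as an added example that is not pysaml2's own code: a stand-in for the top-level-only lookup the issue reports, the "check both locations" fallback from the Possible Solution (a hypothetical helper, not pysaml2's API), and a parser that flags SHA1 in the emitted Signature block. The SHA-256 URIs are assumed as the "any value other than SHA1" choice, and the config and XML are constructed samples.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
# Standard XML-DSig URIs assumed as the "any value other than SHA1" choice.
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed config in the shape the docs describe: algorithms nested
# under service -> sp rather than at the top level of the config.
NESTED_CONFIG = {
    "service": {
        "sp": {"signing_algorithm": SHA256_SIG, "digest_algorithm": SHA256_DIGEST}
    }
}

def lookup_top_level_only(config, key, default):
    """Reported behaviour: only the top level is consulted, so a value
    nested under service/<context> is silently ignored and SHA1 wins."""
    return config.get(key, default)

def lookup_with_context(config, key, context, default):
    """The 'check both locations' fix (hypothetical helper, not pysaml2's
    API): prefer service/<context>, then the top level, then the default."""
    nested = config.get("service", {}).get(context, {})
    return nested.get(key, config.get(key, default))

def signature_block(sig_alg, digest_alg):
    """Constructed stand-in for the <ns2:Signature> block the tracer shows."""
    return (
        f'<ns2:Signature xmlns:ns2="{DS_NS}" Id="Signature1"><ns2:SignedInfo>'
        f'<ns2:SignatureMethod Algorithm="{sig_alg}" /><ns2:Reference URI="#id">'
        f'<ns2:DigestMethod Algorithm="{digest_alg}" /></ns2:Reference>'
        "</ns2:SignedInfo></ns2:Signature>"
    )

def uses_sha1(signed_xml):
    """Defender-side check: parse the Signature and flag SHA1 in either
    SignatureMethod or DigestMethod (what xmlsec1 on RHEL9 would reject)."""
    root = ET.fromstring(signed_xml)
    algs = {
        el.get("Algorithm")
        for tag in ("SignatureMethod", "DigestMethod")
        for el in root.iter(f"{{{DS_NS}}}{tag}")
    }
    return bool(algs & {SHA1_SIG, SHA1_DIGEST})
```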