SHA-256 signature for AuthnRequest

May 9, 2014 at 12:58 PM
In the current version of the code when the AuthnRequest is signed there is no choice of the algorithm. SHA-1 is used by default. It would be nice to support SHA-256 for AuthnRequest also.

And as a result it should be necessary to find a way to configure the signing requirements for the different IdPs? I don't think that SAML 2.0 metadata supports specifying the signature algorithm but maybe I'm wrong.
Coordinator
Jun 4, 2014 at 3:04 AM
https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf

Section 5.4.1:

SAML processors SHOULD support the use of RSA signing and verification for public key
operations in accordance with the algorithm identified by http://www.w3.org/2000/09/xmldsig#rsa-sha1.

I believe that this is in conformance with the spec.
Jun 5, 2014 at 6:25 AM
Yes, indeed 'SHOULD support' means that every SAML compliant solution should support the '' algorithm.
It doesn't mean it cannot support other algorithms as well.

As SHA-1 is considered nowadays more and more insecure, most SAML 2.0 compliant products now support SHA-256 with 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' to improve security. Obviously it is always possible to get back to SHA-1 if SHA-256 isn't available with these products, but this lowers the security.

After more digging into the specs and the SAML metadata specification, I see that there is now an extension to support additional algorithms and list them in metadata: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html

It is also documented in that very good SAML V2.0 Metadata Guide: https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

So I think it would be an added value to support more encryption/signature algorithms in the Library.
Jun 16, 2014 at 7:32 AM
I agree with oblaise. I am working on a Proof of Technology for the Dutch government (eID) which is based on SAML 2.0. One of the requirements was that all signing needs to be in SHA-256. I built this into the SAML2 source code but that required me to bump the .NET version to at least 4.0 since .NET 3.5 doesn't support SHA-256 at all. (They say support has been partly added in .NET 3.5 SP1 but I couldn't get it to work.) Since I have done some more refactoring in the library to make it more generic and flexible, my plan was to submit these in some pull requests when I have time to clean it up a bit. But if you want I can tell you how I built in the SHA-256.
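The two posts above talk about the rsa-sha256 algorithm URI and about why SHA-256 signing needed .NET 4.0. The following is an added example (not code from the SAML2 library, OIOSAML2.NET, or any poster in this thread) showing what "building in SHA-256" with SignedXml involves: registering a SignatureDescription for the rsa-sha256 URI, signing a constructed AuthnRequest with it, and a verifier that pins both the signature and digest algorithms to SHA-256 so that an rsa-sha1 signature is rejected up front. It assumes .NET Framework 4.x on Windows with System.Security.dll referenced; the class names, the sample request, its ID and the example.invalid hosts are all made up for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Constructed example; assumes .NET Framework 4.0+ on Windows (System.Security.dll).
// Maps the rsa-sha256 URI to "hash with SHA-256, sign/verify with RSA PKCS#1 v1.5".
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }
}

public static class AuthnRequestSha256Demo
{
    public const string RsaSha256Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public const string Sha256DigestUrl = "http://www.w3.org/2001/04/xmlenc#sha256";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed, unsigned AuthnRequest; the ID and hosts are placeholders.
    const string SampleAuthnRequest =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
        "xmlns:saml=\"" + SamlNs + "\" ID=\"_example-request-1\" Version=\"2.0\" " +
        "IssueInstant=\"2014-06-05T06:25:00Z\" Destination=\"https://idp.example.invalid/sso\">" +
        "<saml:Issuer>https://sp.example.invalid</saml:Issuer></samlp:AuthnRequest>";

    public static void Sign(XmlDocument doc, RSA key)
    {
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = RsaSha256Url; // instead of the rsa-sha1 default
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        // Enveloped signature over the whole request, located through its ID attribute.
        var reference = new Reference("#" + doc.DocumentElement.GetAttribute("ID")) { DigestMethod = Sha256DigestUrl };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();

        // The SAML core schema places ds:Signature directly after saml:Issuer.
        XmlNode issuer = doc.GetElementsByTagName("Issuer", SamlNs)[0];
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);
    }

    // Pins the algorithms: an rsa-sha1 signature is rejected before any key is consulted,
    // so the acceptable algorithm is the receiver's decision, not the sender's.
    // The key comes from the caller (e.g. the partner's metadata certificate), not from KeyInfo.
    public static bool VerifySha256Only(XmlDocument doc, RSA publicKey)
    {
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        if (signedXml.SignedInfo.SignatureMethod != RsaSha256Url) return false;

        string expectedUri = "#" + doc.DocumentElement.GetAttribute("ID");
        foreach (Reference r in signedXml.SignedInfo.References)
        {
            // Digest must be SHA-256 and the reference must cover the root element itself.
            if (r.DigestMethod != Sha256DigestUrl || r.Uri != expectedUri) return false;
        }
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main()
    {
        // Required on .NET 4.0 through 4.6.1; 4.6.2 and later already map this URI.
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Url);

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleAuthnRequest);

        // Provider type 24 (PROV_RSA_AES): the legacy PROV_RSA_FULL provider cannot produce
        // SHA-256 signatures and fails with "Invalid algorithm specified" on older .NET.
        using (var key = new RSACryptoServiceProvider(2048, new CspParameters(24)))
        {
            key.PersistKeyInCsp = false; // throw-away demo key, do not leave a key container behind
            Sign(doc, key);
            Console.WriteLine(doc.OuterXml);
            Console.WriteLine("rsa-sha256 signature verified: " + VerifySha256Only(doc, key));
        }
    }
}
```

Running Main prints the signed request, whose ds:SignatureMethod now carries the xmldsig-more#rsa-sha256 URI, followed by `rsa-sha256 signature verified: True`. Changing the SignatureMethod in Sign back to rsa-sha1 makes VerifySha256Only return false without touching the key, which is the behaviour a party that has agreed on SHA-256 with its IdP wants rather than silently accepting whatever algorithm the message declares.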
Coordinator
Jun 18, 2014 at 1:41 PM
I am open to adding them, though I have no way of testing your changes at the moment (which is why I haven't been updating things lately). If you can split your changes into two pull requests, I'd like to keep refactorings separate from new feature additions if possible.
Jul 4, 2014 at 9:59 AM
For information I just saw that the original OIOSAML2.NET project now supports SHA-256 signature in its latest version. Maybe a good starting point.

http://digitaliser.dk/resource/2662584
Jul 4, 2014 at 10:07 AM
They only support verifying SHA-256 signatures. Not encrypting/decrypting and signing itself. I already added it in the code I use now but I need to clean it up and make nice self-sustaining pull requests of them when I have time :).
Coordinator
Aug 16, 2014 at 3:16 PM
This is really a change (messing with signature methods) that I shouldn't make without a testing IDP unfortunately. Rutix, if you can supply a pull request or a brief explanation of the steps you took, I can look it over for inclusion.
Aug 20, 2014 at 5:46 PM
I am currently enjoying my vacation but when I get back from that my plan was to start cleaning up the code and add pull requests for the features I added :). I will also do some more testing in different scenarios (I only tested the changes I made now with .NET 4.5, will test 4.0 and 3.5 too). You should see some of the pull requests pop up at the end of this month ;).