SHA-256 signature for AuthnRequest

May 9, 2014 at 1:58 PM
In the current version of the code when the AuthnRequest is signed there is no choice of the algorithm. SHA-1 is used by default. It would be nice to support SHA-256 for AuthnRequest also.

And as a result it should be necessary to find a way to configure the signing requirements for the different IdPs? I don't think that SAML 2.0 metadata supports specifying the signature algorithm, but maybe I'm wrong.
Coordinator
Jun 4, 2014 at 4:04 AM
https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf

Section 5.4.1:

SAML processors SHOULD support the use of RSA signing and verification for public key
operations in accordance with the algorithm identified by http://www.w3.org/2000/09/xmldsig#rsa-sha1.

I believe that this is in conformance with the spec.
Jun 5, 2014 at 7:25 AM
Yes, indeed 'SHOULD support' means that every SAML compliant solution should support the '' algorithm.
It doesn't mean it cannot support other algorithms as well.

As SHA-1 is nowadays considered more and more insecure, most SAML 2.0 compliant products now support SHA-256 with 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' to improve security. Obviously it is always possible to get back to SHA-1 if SHA-256 isn't available with these products, but this lowers the security.

After more digging into the specs and the SAML metadata specification I see that there now exists an extension to support additional algorithms and list them in metadata: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html

It is also documented in that very good SAML V2.0 Metadata Guide: https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

So I think it would be an added value to support more encryption/signature algorithms in the Library.
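As an added example (not code from the SAML2 library or from anyone in this thread), here is how an SP could read the algsupport metadata extension mentioned above from an IdP's metadata and pick rsa-sha256 when the IdP advertises it, falling back to the core-mandated rsa-sha1 only when local policy allows. The two metadata snippets are constructed; the element and namespace names are those defined by the algsupport specification.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"        # mandated by core 5.4.1
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# The SP's own preference order, strongest first.
PREFERRED = [RSA_SHA256, RSA_SHA1]

# Constructed sample: an IdP advertising both algorithms via <alg:SigningMethod>.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://idp.example.org/idp">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample: older metadata without the extension (pre-dates algsupport).
LEGACY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://legacy-idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def advertised_signing_methods(metadata_xml):
    """Return every SigningMethod Algorithm URI found in the metadata.
    The extension may sit under the entity's or a role's <md:Extensions>,
    so we walk the whole tree rather than one fixed path."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Algorithm") for e in root.iter("{%s}SigningMethod" % NS["alg"])]


def choose_signing_method(metadata_xml, allow_sha1_fallback=True):
    """Pick the strongest algorithm the SP prefers that the IdP advertises.
    Without the extension only rsa-sha1 is guaranteed by the core spec, so the
    result is rsa-sha1 or None depending on whether policy permits it."""
    methods = advertised_signing_methods(metadata_xml)
    candidates = methods if methods else [RSA_SHA1]
    for alg in PREFERRED:
        if alg in candidates and (alg != RSA_SHA1 or allow_sha1_fallback):
            return alg
    return None   # nothing acceptable: refuse to sign rather than silently downgrade


if __name__ == "__main__":
    print("modern IdP :", choose_signing_method(IDP_METADATA))
    print("legacy IdP :", choose_signing_method(LEGACY_METADATA, allow_sha1_fallback=False))
```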
Jun 16, 2014 at 8:32 AM
I agree with oblaise. I am working on a Proof of Technology for the Dutch government (eID) which is based on SAML 2.0. One of the requirements was that all signing needs to be in SHA-256. I built this into the SAML2 source code, but that required me to bump the .NET version to at least 4.0 since .NET 3.5 doesn't support SHA-256 at all. (They say support has been partly added in .NET 3.5 SP1 but I couldn't get it to work.) Since I have done some more refactoring in the library to make it more generic and flexible, my plan was to submit these in some pull requests when I have time to clean it up a bit. But if you want I can tell you how I built in the SHA-256.
Coordinator
Jun 18, 2014 at 2:41 PM
I am open to adding them, though I have no way of testing your changes at the moment (which is why I haven't been updating things lately). If you can split your changes into two pull requests, I'd like to keep refactorings separate from new feature additions if possible.
Jul 4, 2014 at 10:59 AM
For information I just saw that the original OIOSAML2.NET project now supports SHA-256 signature in its latest version. Maybe a good starting point.

http://digitaliser.dk/resource/2662584
Jul 4, 2014 at 11:07 AM
They only support verifying SHA-256 signatures, not encrypting/decrypting and signing itself. I already added it in the code I use now, but I need to clean it up and make nice self-sustaining pull requests of them when I have time :).
Coordinator
Aug 16, 2014 at 4:16 PM
This is really a change (messing with signature methods) that I shouldn't make without a testing IDP unfortunately. Rutix, if you can supply a pull request or a brief explanation of the steps you took, I can look it over for inclusion.
Aug 20, 2014 at 6:46 PM
I am currently enjoying my vacation, but when I get back from that my plan was to start cleaning up the code and add pull requests for the features I added :). I will also do some more testing in different scenarios (I only tested the changes I made now with .NET 4.5, will test 4.0 and 3.5 too). You should see some of the pull requests pop up at the end of this month ;).