How to change SignatureMethod to SHA 256?

[Aravin]

By default it is taking

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

But I need SHA256

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />

How to configure?

[Aravin]

From this defect #4 I come to know that SHA256 is not support!

Can you suggest me where SH1 encoding is happening? so that I can modify as per my requirement?

[Aravin]

Also, I come to know that SHA256 is available after .NET 4.6.2

[Aravin]

@i8beef

[i8beef]

I'll help you with this, but I don't have an IDP for testing anymore, so we have to be very careful with this. I recommend pulling down the repo and familiarizing yourself with it. Here's a basic guide to where I'd look.

1. Configuration - Start in Config/Saml2Config / Saml2Section. I believe that this will need to be extended to specify the signing algorithm (as that URI) for the SP.
2. IDP metadata parsing - Saml20MetadataDocument I think. IDP checking MIGHT just work as it's based on the built in SignedXml stuff, and as long as the IDP metadata has the SigningMethod node .NET might pick that up right... However the internal representation of the IDP metadata will need to provide a method for getting / setting the signing algorithm, as you are going to need it below for specifying it on message signatures.
3. SP metadata signing - Saml20MetadataDocument I think. Specifically, I believe this is hard coded to SHA1...
4. Message signing - Your best bet here is to start in the handlers (Protocol/*Handler) and follow the calls down. That's the only entry point for messages. You'll need to find the locations where it signs outgoing messages, and the location where it verifies incoming messages and ensure that they take the IDP config into consideration. Ensure that SP messages are signed with the right algorithm specified in SP configuration as well!

These are just the areas I can think of off the top of my head.

[Aravin]

@i8beef , In the AuthRequest, <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> is just string or does perform any signing using RSA-SHA256>?

Can I just replace SHA1 to SHA256?

[i8beef]

No, the code actually has to be changed to generate the signature with the specified algorithm. You can't just claim that a SHA1 signature is a SHA256 signature. It won't validate. Both sides (IDP and SP) will specify their signing method and validation cert public key in their metadata exchange.

In theory, I think you might be able to have a mismatch here, where the IDP says they will sign with SHA256, and your SP can still say its going to sign IT'S messages with SHA1, but I don't think I'd actually do that in practice when setting up my application, I'd try and make them match.

But if your IDP allowed this, you could conceivably change just the metadata and IDP message signature validation to support other algorithms, and let it always use SHA1 for the SP messages you send. As a feature though, if I accept a PR on this I think I'd want to make sure we covered both sides on this.

[tafs7]

I hate to comment on a closed thread, @i8beef , but has anyone attempted this yet?

I've got a client who's now changing IdP to Okta, and we're having issues using SHA1 with them. We were hoping this would have been a simple config change, but doesn't appear that way.

[i8beef]

No, no one has picked this up. Unfortunately, I no longer have testing environments for this library, so I rely on others to verify requested changes. The original spec only really supported SHA1 at the time, so SHA256, etc. weren't an option until recently.

For this one, it cuts to several places that are hard coded that need to be made configurable, so someone needs to be able to test both the original behavior as well as the new configurable SHA256 path. That's sort of a tall order, but if you want to undertake it, I will review as best I can.

[JCohen1963]

I am working on this problem. I am new to github, and don't really know the processes or etiquette yet. When I get it working properly I'll post a pull request and transfer the code. I have a limited testing environment, so I am hoping that others with more robust IdPs will help test it out.