Parameters for signing certificate algorithm

101 views
Skip to first unread message

Giacomo Sommavilla

unread,
Mar 25, 2021, 12:22:39 PM3/25/21
to CAS Community
Hi everybody,

I built an Apereo CAS demo server with a WAR overlay (with which
different services should be authenticated).  I have set up delegated
authentication with SAML2 (for integrating with italian SPID system).

I need to sign the certificate with an algorithm different than the
default SHA-1.

The Apereo CAS documentation
has the following parameter,
cas.authn.pac4j.saml[].signature-algorithms, which is a "Collection
of signing signature algorithms, if any, to override the global
defaults."  Its type is java.util.List<String>.

I think this should be the right parameter for choosing the algorithm,
but I don't understand what values I can set up there.  I tried
something like "sha256", "sha256WithRSAEncryption", or "SHA256withRSA"
but with no luck.

I always get the error 

org.pac4j.saml.exceptions.SAMLException: org.pac4j.saml.exceptions.SAMLException: Could not determine the signature parameters
at org.pac4j.saml.crypto.DefaultSignatureSigningParametersProvider.build(DefaultSignatureSigningParametersProvider.java:60)
    ...

Can anyone tell me what values are allowed for that parameter?

Thanks and regards,
Giacomo

Misagh

unread,
Mar 25, 2021, 12:26:32 PM3/25/21
to CAS Community
> Can anyone tell me what values are allowed for that parameter?

Not the relevant setting. The setting you want to modify should
control the generation of the certificate; not what algorithms should
be allowed/used during the metadata resolution process.

...and that setting is supported by pac4j-saml, but support for it has
not been brought over to CAS. You're welcome to send a pull request to
handle that part.

Misagh

unread,
Mar 25, 2021, 12:27:26 PM3/25/21
to CAS Community
Or generate everything manually, if the software can't do it for you, yet.

Giacomo Sommavilla

unread,
Mar 26, 2021, 9:08:34 AM3/26/21
to CAS Community, Misagh Moayyed
Hi Misagh,

I have been able to comply to the SHA-256 requirement by creating certificates manually:

  • Firstly I created the files saml-signing-cert-SAML2Client.crt, saml-signing-cert-SAML2Client.key, saml-signing-cert-SAML2Client.pem with openssl
  • Then I created samlKeystore.jks with keytool
  • Finally, since sp-metadata.xml should contain the public certificate, I copied the content of the .pem certificate where relevant in the sp-metadata.xml file
Thanks,
Giacomo
Reply all
Reply to author
Forward
0 new messages