Greetings All,
In helping a deployer on my campus configure automated metadata signing (per the documentation here: https://simplesamlphp.org/docs/1.14/simplesamlphp-advancedfeatures#section_6) we discovered that the metadata signing algorithm is not user configurable.
While SAML assertion signing preferences can be configured in config/authsources.php to use either SHA-1 or SHA-2, with the stated intent (as I understand it) being to change the default to SHA-2 in SimpleSAMLphp 2.0, metadata signing is currently hard-coded to use SHA-1.
As far as I can tell, this is set in a combination of the files “simplesamlphp-[version]/lib/SimpleSAML/XML/Signer.php” (around lines 99 and 249) and “simplesamlphp-[version]/lib/SimpleSAML/Metadata/Signer.php” (around lines 190 and 210).
Further, as I understand it (though apologies in advance, I could be wrong here – I’m more familiar with the Shibboleth products, but we have a handful of SimpleSAMLphp users on campus) the SimpleSAMLphp project uses PHP xmlseclibs (https://github.com/robrichards/xmlseclibs) under the hood, which ought to support the SHA-2 suite.
A PHP developer, I am not, so as a feature request, could this metadata signing algorithm either be updated to SHA-2, or made user configurable in some way?
Apologies in advance if I’m posting to the wrong list, and feel free to steer me toward the developers list if that would be more appropriate.
Best regards,
Michael Domingues
Directory and Authentication Services, AIS, ITS
University of Iowa
--
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
Visit this group at https://groups.google.com/group/simplesamlphp.
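The following is an added example, not code from the original post and not SimpleSAMLphp's or xmlseclibs' own signing code. It shows what a user-configurable metadata signer looks like on top of xmlseclibs (the same library the post says SimpleSAMLphp uses), defaulting to RSA-SHA256 while still able to reproduce the hard-coded SHA-1 behaviour for comparison, and it includes the check a deployer would actually run: read the SignatureMethod and DigestMethod a signed metadata document declares and flag SHA-1. Assumptions: xmlseclibs installed via Composer at ./vendor, a throwaway RSA key generated in-process, a constructed minimal EntityDescriptor in place of real metadata, and the example.edu URLs.

```php
<?php
// Added example, not SimpleSAMLphp or xmlseclibs project code. Signs a
// constructed SAML metadata document with xmlseclibs using a caller-chosen
// algorithm, then inspects which SignatureMethod/DigestMethod a signed
// document actually carries. Assumes xmlseclibs is installed with Composer:
//   composer require robrichards/xmlseclibs
require_once __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

const XMLDSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

// Constructed, minimal EntityDescriptor standing in for real IdP metadata
// (entityID/Location are assumptions, not a real deployment).
const SAMPLE_METADATA = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

/**
 * Enveloped signature over the whole document with exclusive C14N.
 * $sigAlg / $digestAlg are xmlseclibs algorithm URIs. The defaults are the
 * SHA-2 pair a configurable metadata signer should fall back to; passing
 * XMLSecurityKey::RSA_SHA1 / XMLSecurityDSig::SHA1 reproduces the SHA-1
 * output the post describes for the 1.14 metadata signer.
 */
function signMetadata(
    string $xml,
    string $privateKeyPem,
    string $sigAlg = XMLSecurityKey::RSA_SHA256,
    string $digestAlg = XMLSecurityDSig::SHA256
): string {
    $doc = new DOMDocument();
    $doc->loadXML($xml);

    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference(
        $doc,
        $digestAlg,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['force_uri' => true]   // emit URI="" so the Reference covers the whole document
    );

    $key = new XMLSecurityKey($sigAlg, ['type' => 'private']);
    $key->loadKey($privateKeyPem, false);
    $dsig->sign($key);

    // SAML metadata convention: ds:Signature is the first child of the root element.
    $dsig->appendSignature($doc->documentElement, true);
    return $doc->saveXML();
}

/**
 * Return the algorithm URIs a signed document declares, plus a SHA-1 flag.
 * Works on any XML carrying a ds:Signature, e.g. metadata fetched from a
 * deployment's metadata URL.
 */
function inspectSignature(string $signedXml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($signedXml);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', XMLDSIG_NS);

    $sigMethod = $xp->evaluate('string(//ds:SignedInfo/ds:SignatureMethod/@Algorithm)');
    $digest    = $xp->evaluate('string(//ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm)');

    return [
        'SignatureMethod' => $sigMethod,
        'DigestMethod'    => $digest,
        'usesSha1'        => $sigMethod === XMLSecurityKey::RSA_SHA1
                             || $digest === XMLSecurityDSig::SHA1,
    ];
}

// Throwaway RSA key generated in-process so the example runs offline.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $pem);

$sha2 = signMetadata(SAMPLE_METADATA, $pem);
$sha1 = signMetadata(SAMPLE_METADATA, $pem, XMLSecurityKey::RSA_SHA1, XMLSecurityDSig::SHA1);

foreach (['SHA-2 default' => $sha2, 'SHA-1 (1.14 behaviour)' => $sha1] as $label => $xml) {
    $info = inspectSignature($xml);
    printf("%-22s %s / %s%s\n", $label, $info['SignatureMethod'], $info['DigestMethod'],
        $info['usesSha1'] ? '  <-- SHA-1, should be migrated' : '');
}
```

Running the script prints one line per variant; the SHA-1 line carries the migration flag. To audit a live deployment, feed the XML returned by its metadata endpoint to inspectSignature() instead of the constructed sample: if SignatureMethod comes back as http://www.w3.org/2000/09/xmldsig#rsa-sha1 the metadata signer is still on SHA-1 regardless of what signature.algorithm says in authsources.php, which is exactly the gap the post reports.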