[OPENAM-7778] XML Signature DigestMethod should be configurable when using SAML2 - ForgeRock JIRA

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3
Fix Version/s: 12.0.3, 12.0.4, 13.5.0
Component/s: SAML
Labels:
- EDISON
- release-notes
Environment:
OpenAM in tomcat 7.0.54 as service provider on Virtual machine

Target Version/s:

12.0.4, 13.5.0

Sprint:
AM Sustaining Sprint 20
Epic Link:
SAML Improvements

Support Ticket IDs:

Verified Version/s:

12.0.4

Description

As per the configuration for SAML2 in openam version 12.0.0, one can set the Signature method algorithm to SHA256 which is more secured compared to SHA1. Same cannot be done for DigestMethod as SHA1 is hardcoded in FMSigProvider.java . As per an ongoing project with client we need to comply with this requirement of having SHA256 as the digest method also. Appreciate if we can get this fixed asap.

Following are the logs showcasing this behaviour -

SAML2Utils.createSOAPMessage: soap message = <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.net:9443/am2/ArtifactResolver/metaAlias/idp" ID="s24501d0918a8db703c37c6929d3a97c0f50064ed7" IssueInstant="2015-12-08T08:13:20Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openamsp.gov.com:8443/openam</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#s24501d0918a8db703c37c6929d3a97c0f50064ed7">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Abn9xn935Q2LR0A2cBo5n45ufPg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
fIKrAvLvRvvXqRU3a7Y65N+jjNpi1Gn5hXKRPGWCaVjXIzja7W071Yxd3DSN4gpPQ+q/dJNPI0lx
IA62o3N6qYCEMywAlUpTXUNLYSJrliMcE5Yq0l4k+DIHbrmnMl9FG+xSCTryCHqPOgddQpbLP5bE
PsvTo3TZWakRRWjbkH8=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><samlp:Artifact xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">AAQAANr+uUuGnr+CEyBVFvFuPAhW8JFBvD+7jJ2o0LlaU0JKOKXCmL8sMDE=</samlp:Artifact></samlp:ArtifactResolve></soap-env:Body></soap-env:Envelope>

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Federation
56 kB
08/Dec/15 8:20 AM

Issue Links

relates to

OPENAM-11266 SAML signing algorithm settings should not be global

Resolved

Activity

People

Assignee:

C-Weng C

Reporter:

Ajay Biyani

QA Assignee:

Filip Kubáň [X] (Inactive)

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

08/Dec/15 8:20 AM

Updated:

25/Sep/17 1:04 AM

Resolved:

12/Apr/16 2:08 AM

Time Tracking

Estimated:

10h

Remaining:

10h

Logged:

Not Specified