OpenAM: OPENAM-7778

XML Signature DigestMethod should be configurable when using SAML2

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3
    • Fix Version/s: 12.0.3, 12.0.4, 13.5.0
    • Component/s: SAML
    • Environment:
      OpenAM in tomcat 7.0.54 as service provider on Virtual machine
    • Support Ticket IDs:

      Description

      As per the configuration for SAML2 in OpenAM version 12.0.0, one can set the signature method algorithm to SHA256, which is more secure compared to SHA1. The same cannot be done for DigestMethod, as SHA1 is hardcoded in FMSigProvider.java. As per an ongoing project with a client, we need to comply with this requirement of having SHA256 as the digest method also. Appreciate it if we can get this fixed asap.

      Following are the logs showcasing this behaviour:

      SAML2Utils.createSOAPMessage: soap message = <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.net:9443/am2/ArtifactResolver/metaAlias/idp" ID="s24501d0918a8db703c37c6929d3a97c0f50064ed7" IssueInstant="2015-12-08T08:13:20Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openamsp.gov.com:8443/openam</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#s24501d0918a8db703c37c6929d3a97c0f50064ed7">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>Abn9xn935Q2LR0A2cBo5n45ufPg=</ds:DigestValue>
      </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
      fIKrAvLvRvvXqRU3a7Y65N+jjNpi1Gn5hXKRPGWCaVjXIzja7W071Yxd3DSN4gpPQ+q/dJNPI0lx
      IA62o3N6qYCEMywAlUpTXUNLYSJrliMcE5Yq0l4k+DIHbrmnMl9FG+xSCTryCHqPOgddQpbLP5bE
      PsvTo3TZWakRRWjbkH8=
      </ds:SignatureValue>
      <ds:KeyInfo>
      <ds:X509Data>
      <ds:X509Certificate>
      </ds:X509Certificate>
      </ds:X509Data>
      </ds:KeyInfo>
      </ds:Signature><samlp:Artifact xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">AAQAANr+uUuGnr+CEyBVFvFuPAhW8JFBvD+7jJ2o0LlaU0JKOKXCmL8sMDE=</samlp:Artifact></samlp:ArtifactResolve></soap-env:Body></soap-env:Envelope>

    People

    • Assignee: chee-weng.chea C-Weng C
    • Reporter: ajay.biyani Ajay Biyani
    • QA Assignee: Filip Kubáň [X] (Inactive)

    Time Tracking

    • Original Estimate: 10h
    • Remaining Estimate: 10h
    • Time Spent: Not Specified