I'm working on an integration between Spring SAML and Microsoft ADFS 3.0. Even it is already stated in the documentation of Spring SAML as:
Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1
that I understand that Spring SAML supports currently only SHA-1 as hash algorithm, but my requirement is using SHA-256. If I try configure only in ADFS for SHA-256, it doesn't work. I suppose that I have to do something with Spring SAML. Do you have any idea how to do so?
You should configured the Spring security configuration to use SHA-256
signature algorithm.
You could either override the SAMLBootstrap or configure a initializing bean
like this:
Spring configuration:
<bean id="samlProperties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location" value="classpath:saml.properties" />
</bean>
<bean class="your.package.SAMLConfigurationBean">
<property name="signatureAlgorithm" value="${saml.signatureAlgorithm:SHA1}" />
</bean>
properties file (saml.properties):
saml.signatureAlgorithm=SHA256
Initializing bean:
package your.package;
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;
public class SAMLConfigurationBean implements InitializingBean {
private String signatureAlgorithm ;
private String digestAlgorithm;
public void setSignatureAlgorithm(String algorithm) {
switch (algorithm) {
case "SHA256" :
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
break;
case "SHA512" :
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA512;
break;
default:
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
}
}
@Override
public void afterPropertiesSet() throws Exception {
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", signatureAlgorithm);
config.setSignatureReferenceDigestMethod(digestAlgorithm);
}
}
You could also skip the configurable part and just settle for this:
Initializing bean:
package your.package;
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;
public class SAMLConfigurationBean implements InitializingBean {
@Override
public void afterPropertiesSet() throws Exception {
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
}