
feat(authn/saml): Configurable signature digest algorithm #1269

Merged
merged 2 commits into from
Jul 2, 2020

Conversation

german-muzquiz (Contributor) commented Jul 2, 2020

When Spinnaker is configured with SAML authentication, the SAMLRequest is always signed with the SHA1 digest algorithm (SignatureMethod and DigestMethod of the request):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8084/saml/SSO" Destination="https://armory.okta.com/app/armory_germansamltest_1/exk7nc0r0hHggwnG32p7/sso/saml" ForceAuthn="false" ID="a3a56cde732h83fd5a8gh0cd7j15h14" IsPassive="false" IssueInstant="2020-07-01T19:16:17.698Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">io.armory.spinnaker.german</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#a3a56cde732h83fd5a8gh0cd7j15h14">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>YbPj3/ETyDJVZ1rCkGhM2dTsjc8=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue></ds:SignatureValue>
    </ds:Signature>
    ...
</saml2p:AuthnRequest>

For security reasons, SHA1 may not work with IdPs that mandate a stronger digest algorithm. We also cannot just bump to SHA256 or higher because there's the risk of breaking older IdPs that don't support stronger algorithms.

This PR introduces a new optional SAML configuration setting, signatureDigest, used for signing both the Signature and Digest parts of the SAML request. Valid values are SHA1, SHA256, SHA384, SHA512, RIPEMD160 and MD5, which come from the constants defined in opensaml SignatureConstants, the underlying implementation being used. If the setting is not defined, it defaults to SHA1 to keep compatibility with existing installations.
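As an added check, not part of this PR or of the project's code, the following Python audits a captured AuthnRequest and reports which of the digest names listed above it was signed with, flagging SHA1 and MD5 so an operator can confirm the setting took effect. The algorithm URIs are the standard XML Signature identifiers behind the opensaml SignatureConstants; the sample request is constructed, modelled on the one in the PR description, with a made-up ID and issuer.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML Signature algorithm URIs keyed by the names the PR's signatureDigest
# setting accepts (same URIs as the opensaml SignatureConstants values).
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA512",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160": "RIPEMD160",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": "MD5",
}
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA512",
    "http://www.w3.org/2001/04/xmlenc#ripemd160": "RIPEMD160",
    "http://www.w3.org/2001/04/xmldsig-more#md5": "MD5",
}
WEAK = {"SHA1", "MD5"}  # digests an IdP may reasonably refuse

def audit_authn_request(xml_text):
    """Report the signature and reference-digest algorithm names of a signed
    AuthnRequest; unknown URIs come back as UNKNOWN and are flagged too."""
    signed_info = ET.fromstring(xml_text).find(f"{DS}Signature/{DS}SignedInfo")
    if signed_info is None:
        return {"signed": False}
    sig = SIGNATURE_ALGS.get(signed_info.find(f"{DS}SignatureMethod").get("Algorithm"), "UNKNOWN")
    dig = DIGEST_ALGS.get(signed_info.find(f"{DS}Reference/{DS}DigestMethod").get("Algorithm"), "UNKNOWN")
    flagged = {sig, dig} & (WEAK | {"UNKNOWN"})
    return {"signed": True, "signature": sig, "digest": dig, "weak": bool(flagged)}

# Constructed sample modelled on the request in the PR description (SHA1 for
# both the signature and the reference digest); the ID and issuer are made up.
SAMPLE_SHA1 = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">example-sp</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_req1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>YbPj3/ETyDJVZ1rCkGhM2dTsjc8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue></ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>"""
```

Run `audit_authn_request` over the decoded SAMLRequest parameter Gate sends after setting signatureDigest to confirm both algorithm names changed, since the setting covers the Signature and Digest parts together.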
