Properly document the signature.algorithm option. Also add configuration examples showing how to start using SHA-256, and warning about SHA-1 being disallowed starting in 2014.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3297 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
parent
9ad0bd86de
commit
244dc038b2
|
@ -27,6 +27,26 @@ $config = array(
|
|||
// The URL to the discovery service.
|
||||
// Can be NULL/unset, in which case a builtin discovery service will be used.
|
||||
'discoURL' => NULL,
|
||||
|
||||
/*
|
||||
* WARNING: SHA-1 is disallowed starting January the 1st, 2014.
|
||||
*
|
||||
* Uncomment the following option to start using SHA-256 for your signatures.
|
||||
* Currently, simpleSAMLphp defaults to SHA-1, which has been deprecated since
|
||||
* 2011, and will be disallowed by NIST as of 2014. Please refer to the following
|
||||
* document for more information:
|
||||
*
|
||||
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||
*
|
||||
* If you are uncertain about identity providers supporting SHA-256 or other
|
||||
* algorithms of the SHA-2 family, you can configure it individually in the
|
||||
* IdP-remote metadata set for those that support it. Once you are certain that
|
||||
* all your configured IdPs support SHA-2, you can safely remove the configuration
|
||||
* options in the IdP-remote metadata set and uncomment the following option.
|
||||
*
|
||||
* Please refer to the hosted SP configuration reference for more information.
|
||||
*/
|
||||
//'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||||
),
|
||||
|
||||
|
||||
|
|
|
@ -258,6 +258,16 @@ The following SAML 2.0 options are available:
|
|||
specified will be kept in the metadata, making the first binding
|
||||
the default one.
|
||||
|
||||
`signature.algorithm`
|
||||
: The algorithm to use when signing any message generated by this identity provider. Defaults to RSA-SHA1.
|
||||
: Possible values:
|
||||
|
||||
* `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
|
||||
*Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
|
||||
|
||||
`validate.authnrequest`
|
||||
: Whether we require signatures on authentication requests sent to this IdP.
|
||||
|
||||
|
|
|
@ -142,6 +142,18 @@ The following SAML 2.0 options are available:
|
|||
`SingleLogoutServiceResponse`
|
||||
: Endpoint URL for logout responses. Overrides the `SingleLogoutService`-option for responses.
|
||||
|
||||
`signature.algorithm`
|
||||
: The algorithm to use when signing any message sent to this specific identity provider. Defaults to RSA-SHA1.
|
||||
: Note that this option also exists in the SP configuration.
|
||||
This value in the IdP remote metadata overrides the value in the SP configuration.
|
||||
: Possible values:
|
||||
|
||||
* `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
|
||||
*Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
|
||||
|
||||
`SPNameQualifier`
|
||||
: This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, simpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
|
||||
|
||||
|
|
|
@ -231,6 +231,18 @@ The following SAML 2.0 options are available:
|
|||
: Note that this option also exists in the IdP-hosted metadata.
|
||||
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
|
||||
|
||||
`signature.algorithm`
|
||||
: The algorithm to use when signing any message sent to this specific service provider. Defaults to RSA-SHA1.
|
||||
: Note that this option also exists in the IdP-hosted metadata.
|
||||
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
|
||||
: Possible values:
|
||||
|
||||
* `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
|
||||
*Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
|
||||
|
||||
`simplesaml.nameidattribute`
|
||||
: When the value of the `NameIDFormat`-option is set to either
|
||||
`email` or `persistent`, this is the name of the attribute which
|
||||
|
|
|
@ -23,6 +23,26 @@ $metadata['__DYNAMIC:1__'] = array(
|
|||
*/
|
||||
'auth' => 'example-userpass',
|
||||
|
||||
/*
|
||||
* WARNING: SHA-1 is disallowed starting January the 1st, 2014.
|
||||
*
|
||||
* Uncomment the following option to start using SHA-256 for your signatures.
|
||||
* Currently, simpleSAMLphp defaults to SHA-1, which has been deprecated since
|
||||
* 2011, and will be disallowed by NIST as of 2014. Please refer to the following
|
||||
* document for more information:
|
||||
*
|
||||
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||
*
|
||||
* If you are uncertain about service providers supporting SHA-256 or other
|
||||
* algorithms of the SHA-2 family, you can configure it individually in the
|
||||
* SP-remote metadata set for those that support it. Once you are certain that
|
||||
* all your configured SPs support SHA-2, you can safely remove the configuration
|
||||
* options in the SP-remote metadata set and uncomment the following option.
|
||||
*
|
||||
* Please refer to the IdP hosted reference for more information.
|
||||
*/
|
||||
//'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
|
||||
|
||||
/* Uncomment the following to use the uri NameFormat on attributes. */
|
||||
/*
|
||||
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
||||
|
|
|
@ -388,6 +388,16 @@ Options
|
|||
|
||||
: *Note*: SAML 2 specific.
|
||||
|
||||
`signature.algorithm`
|
||||
: The algorithm to use when signing any message generated by this service provider. Defaults to RSA-SHA1.
|
||||
: Possible values:
|
||||
|
||||
* `http://www.w3.org/2000/09/xmldsig#rsa-sha1`
|
||||
*Note*: the use of SHA1 is **deprecated** and will be disallowed in the future.
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
|
||||
* `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
|
||||
|
||||
`SingleLogoutServiceBinding`
|
||||
: List of SingleLogoutService bindings the IdP will claim support for.
|
||||
: Possible values:
|
||||
|
|
|
@ -24,6 +24,16 @@ class sspmod_saml_Message {
|
|||
|
||||
$algo = $dstMetadata->getString('signature.algorithm', NULL);
|
||||
if ($algo === NULL) {
|
||||
/*
|
||||
* In the NIST Special Publication 800-131A, SHA-1 became deprecated for generating
|
||||
* new digital signatures in 2011, and will be explicitly disallowed starting the 1st
|
||||
* of January, 2014. We'll keep this as a default for the next release and mark it
|
||||
* as deprecated, as part of the transition to SHA-256.
|
||||
*
|
||||
* See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
|
||||
*
|
||||
* TODO: change default to XMLSecurityKey::RSA_SHA256.
|
||||
*/
|
||||
$algo = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1);
|
||||
}
|
||||
|
||||
|
|
Reference in New Issue