From de0a999ac1754bde33be3b27195854ac4f661672 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 4 Apr 2019 18:37:59 +0200
Subject: [PATCH] saml: use RSA-SHA256 signature method (#32010)

---
 tests/test_saml_auth.py | 2 ++
 wcs/qommon/misc.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/tests/test_saml_auth.py b/tests/test_saml_auth.py
index 8381ad717..7ca97aebc 100644
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -109,6 +109,7 @@ def test_login(pub):
     saml2.perform_login()
     assert req.response.status_code == 302
     assert req.response.headers['location'].startswith('http://sso.example.net/saml2/sso?SAMLRequest')
+    assert 'rsa-sha256' in req.response.headers['location']
 
 def get_authn_response_msg(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT):
     idp_metadata_filepath = os.path.join(pub.app_dir,
@@ -370,6 +371,7 @@ def test_saml_logout(pub):
     assert req.session.user is not None
     body = saml2.slo_sp()
     assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo?SAMLRequest=')
+    assert 'rsa-sha256' in req.response.headers['location']
     assert req.session.user is None
 
 def test_saml_idp_logout(pub):
diff --git a/wcs/qommon/misc.py b/wcs/qommon/misc.py
index 7c75024a4..6c8ff18ed 100644
--- a/wcs/qommon/misc.py
+++ b/wcs/qommon/misc.py
@@ -81,6 +81,7 @@ def get_lasso_server():
         get_abs_path(get_cfg('sp')['saml2_metadata']),
         get_abs_path(get_cfg('sp')['privatekey']),
         None, None)
+    server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
     # Set encryption private key
     encryption_privatekey = get_abs_path(get_cfg('sp').get('encryption_privatekey'))
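Review bot: The assertion added in the test_login hunk only checks that the substring 'rsa-sha256' occurs somewhere in the redirect URL; it does not verify that the algorithm is carried by the SigAlg query parameter or that a Signature parameter is present at all, so a redirect whose signing was silently skipped but whose RelayState or another parameter happened to contain the substring would still pass. Under the HTTP-Redirect binding the signature travels as SigAlg/Signature query parameters, so parsing the query pins the real contract: `query = urllib.parse.parse_qs(urllib.parse.urlparse(req.response.headers['location']).query)`, `assert query['SigAlg'] == ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']`, `assert 'Signature' in query`. The module's import block is not in view, so `urllib.parse` may need to be imported if it is not already. This also documents, in the test itself, which algorithm URI the SP is expected to emit rather than a fragment of it.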
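Review bot: The assertion added in the test_saml_logout hunk is a verbatim copy of the one added to test_login a few lines above, and both rely on a substring match over the whole redirect URL instead of checking the SigAlg parameter, so the two tests will drift apart the first time one of them is tightened. A small module-level helper, say `assert_redirect_signed_rsa_sha256(location)`, that parses the query with `urllib.parse.parse_qs`, asserts `query['SigAlg'] == ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']` and asserts `'Signature' in query` would keep login and logout in step and make the check exact; this hunk would then read `assert_redirect_signed_rsa_sha256(req.response.headers['location'])`. Whether `urllib.parse` is already imported in this test module cannot be seen from the hunk.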