
SAML: Change the default signatureAlgorithm setting

Open mateuszmandera opened this issue 4 years ago • 2 comments

As mentioned in https://github.com/onelogin/python-saml/issues/269, the default signatureAlgorithm used for signing SAMLRequests is rsa-sha1. With SHA1 being insecure, that's clearly not ideal (and may cause issues with certain providers who may reject such signatures), and until upstream changes this default, the setting should probably be overridden in python-social-auth to use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

mateuszmandera, Oct 21 '21 14:10

@nijel @omab would you take a PR to do this override?

https://github.com/onelogin/python-saml/issues/289 is the latest version of the above issue (the original was closed with only a documentation change, which is not insufficient).

timabbott, Jan 06 '22 22:01

I'd really prefer this to be addressed in python-saml. Having an override in every library using it will again require updating all libraries once there is a better default than sha256.

nijel, Jan 07 '22 10:01
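A defender-side check for the default discussed in this thread, added here as an example that is not code from the issue, python-social-auth or python-saml: it assumes the SOCIAL_AUTH_SAML_SECURITY_CONFIG dict is passed through unchanged as python-saml's "security" settings block (which is what social-core's SAMLAuth backend does), and it also covers digestAlgorithm, which the thread does not mention but which has the same SHA-1 upstream default.

```python
# Added example, not from the issue or from python-social-auth/python-saml.
# Resolves which algorithms python-saml would actually use for a given
# SOCIAL_AUTH_SAML_SECURITY_CONFIG and produces a hardened copy.

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# python-saml falls back to these when the key is absent, so a missing key
# is exactly as weak as an explicit SHA-1 value (assumption: upstream default
# unchanged, as the issue describes).
UPSTREAM_DEFAULTS = {"signatureAlgorithm": RSA_SHA1, "digestAlgorithm": SHA1}
WEAK = {RSA_SHA1, SHA1}


def effective_algorithms(security_config):
    """Return the signature/digest algorithms python-saml would end up using."""
    return {k: security_config.get(k, d) for k, d in UPSTREAM_DEFAULTS.items()}


def sha1_findings(security_config):
    """Names of settings that resolve (explicitly or by default) to SHA-1."""
    resolved = effective_algorithms(security_config)
    return sorted(k for k, v in resolved.items() if v in WEAK)


def harden(security_config):
    """Copy of the config with SHA-1 algorithms replaced; other keys untouched."""
    hardened = dict(security_config)
    resolved = effective_algorithms(security_config)
    if resolved["signatureAlgorithm"] in WEAK:
        hardened["signatureAlgorithm"] = RSA_SHA256
    if resolved["digestAlgorithm"] in WEAK:
        hardened["digestAlgorithm"] = SHA256
    return hardened


if __name__ == "__main__":
    # Constructed sample: a settings module that only enabled request signing
    # and never set an algorithm, so it silently inherits rsa-sha1.
    SOCIAL_AUTH_SAML_SECURITY_CONFIG = {"authnRequestsSigned": True}
    print(sha1_findings(SOCIAL_AUTH_SAML_SECURITY_CONFIG))
    print(harden(SOCIAL_AUTH_SAML_SECURITY_CONFIG))
```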