
Change the default value of SAML response's signature algorithm for security #262

Open
ogis-song opened this issue Oct 18, 2022 · 0 comments
Labels
type:enhancement New feature or request

Comments

@ogis-song
Contributor

Description

The default value of the signature algorithm for SAML responses should be changed to SHA-256.
In the current implementation, the default value of the signature algorithm for SAML responses is SHA-1.
SHA-1 is at risk due to the existence of a vulnerability that allows spoofing attacks to be performed.

Trouble spots: CONFIGURE - GLOBAL SERVICE - Common Federation Configuration

  • XML signature algorithm
  • XML digest algorithm

Solution

Correct as follows:

  • file: openam-server-only\src\main\resources\services\famFederationCommon.xml
  • Correction method:
    • XML signature algorithm: Change the value of DefaultValues in SignatureAlgorithm to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • XML digest algorithm: Change the value of DefaultValues in DigestAlgorithm to http://www.w3.org/2001/04/xmlenc#sha256.
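As an added example (not part of this issue or the OpenAM code base), here is a Python check that walks every ds:Signature in a SAML response, at the response level and inside each assertion, and reports any SignatureMethod or DigestMethod still using the SHA-1 URIs this issue proposes replacing. The sample response is constructed and carries no real signature values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# SHA-1 algorithm URIs that the issue's proposed defaults
# (rsa-sha256 / xmlenc#sha256) are meant to replace.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # SignatureMethod
    "http://www.w3.org/2000/09/xmldsig#sha1",      # DigestMethod
}

# Constructed sample: the outer response already uses SHA-256,
# but the embedded assertion is still signed with SHA-1.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_asrt1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_asrt1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def audit_saml_signatures(xml_text):
    """Return (signed_reference, kind, algorithm) for every SHA-1 SignatureMethod
    or DigestMethod in any ds:Signature of the document, in document order."""
    # Input here is constructed; parse untrusted XML with a hardened parser instead.
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        ref = sig.find(f".//{{{DS}}}Reference")
        target = ref.get("URI", "") if ref is not None else ""
        for kind, tag in (("signature", "SignatureMethod"), ("digest", "DigestMethod")):
            for el in sig.iter(f"{{{DS}}}{tag}"):
                algorithm = el.get("Algorithm", "")
                if algorithm in WEAK_ALGORITHMS:
                    findings.append((target, kind, algorithm))
    return findings


if __name__ == "__main__":
    for target, kind, algorithm in audit_saml_signatures(SAMPLE_RESPONSE):
        print(f"{target}: SHA-1 {kind} algorithm {algorithm}")
```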