I tried to set up AWX with SAML2 and found out that the default signing algorithm used by lasso is still RSA-SHA1. AWX (and most likely others using the same python-saml library) reject this algo and unfortunately, there is no way (as it seems) to configure an alternative one in Ipsilon. As RSA-SHA1 has been deprecated for quite some time now, I think it would be nice to use at least SHA256 by default.
For now, I've patched the IdentityProvider class as follows:

```python
class IdentityProvider(Log):
    def __init__(self, config, sessionfactory):
        self.server = lasso.Server(config.idp_metadata_file,
                                   config.idp_key_file,
                                   None,
                                   config.idp_certificate_file)
        self.server.role = lasso.PROVIDER_ROLE_IDP
        # Override lasso's default (RSA-SHA1) for this IdP's signatures.
        self.server.signatureMethod = lasso.SIGNATURE_METHOD_RSA_SHA256
        self.sessionfactory = sessionfactory
```
Other options available are:

- Rebuilding lasso with SHA256 as the default signing algorithm
- Add an option to configure the signing algorithm for each SP or globally.
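An added example, not part of this ticket and not lasso or Ipsilon code: a small audit that reports which signature and digest algorithms a SAML document actually carries, so an operator can confirm that RSA-SHA1 is gone from the IdP's output after a change like the one above. The sample assertion skeleton is constructed for the example (signature and digest values are placeholders).

```python
# Added example (not from the Ipsilon ticket or the lasso project): report the
# XML Signature algorithms used in a SAML document and flag SHA1-based ones.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URIs defined by the XML Signature specifications.
WEAK = {DS + "rsa-sha1", DS + "sha1"}
ACCEPTABLE = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
}


def audit_signature_algorithms(xml_text):
    """Return (element, algorithm, verdict) for every ds:SignatureMethod and
    ds:DigestMethod in the document; verdict is 'weak', 'ok' or 'unknown'."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (DS, tag)):
            alg = el.get("Algorithm", "")
            verdict = "weak" if alg in WEAK else "ok" if alg in ACCEPTABLE else "unknown"
            findings.append((tag, alg, verdict))
    return findings


def uses_sha1(xml_text):
    """True if any signature or digest in the document is SHA1-based."""
    return any(v == "weak" for _, _, v in audit_signature_algorithms(xml_text))


# Constructed sample: skeleton of a signed assertion as produced with the old
# lasso default (RSA-SHA1 signature, SHA1 digest); values are placeholders.
SAMPLE_SHA1 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_x">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# The same document after switching the IdP to RSA-SHA256 / SHA256.
SAMPLE_SHA256 = SAMPLE_SHA1.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256").replace(
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256")
```

Run it against a real AuthnResponse captured from the IdP (for example via the browser's SAML tracer) to verify the deployed default rather than trusting the configuration alone.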
I would love to see a patch for lasso to change defaults.
Metadata Update from @simo:

- Custom field component adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
I just pushed https://src.fedoraproject.org/rpms/lasso/pull-request/9, let me know if that works for you.
lasso has now been updated with SHA256 as the default signing algorithm.
Metadata Update from @darknao:

- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)