The SHA versions supported by OpenSAML and CXF can be specified in saml.properties in the CONNECT properties directory. Note that while multiple versions can be listed, a default must also be specified; that default can be overridden per request in the entity message (see the "Overriding default SHA version" section below).

  • saml.digestAlgorithms - comma-separated list of SignatureConstants names or algorithm URIs for the digest algorithms to accept
  • saml.signatureAlgorithms - comma-separated list of SignatureConstants names or algorithm URIs for the signature algorithms to accept
  • saml.defaultDigestAlgorithm - digest algorithm to use when the entity message carries no override. Defaults to SHA1 if not set.
  • saml.defaultSignatureAlgorithm - signature algorithm to use when the entity message carries no override. Defaults to RSA-SHA1 if not set.

See https://github.com/apigee/java-xmltooling/blob/master/src/main/java/org/opensaml/xml/signature/SignatureConstants.java for all supported SHA versions.

Code Block: Sample saml.signatureAlgorithms
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512,ALGO_ID_SIGNATURE_RSA_SHA1,ALGO_ID_SIGNATURE_RSA_SHA256


Code Block: Sample saml.digestAlgorithms
saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512,ALGO_ID_DIGEST_SHA1,ALGO_ID_DIGEST_SHA256


Code Block: Sample saml.defaultDigestAlgorithm
saml.defaultDigestAlgorithm=ALGO_ID_DIGEST_SHA512

Overriding default SHA version

Once the list of allowable SHA versions and a default have been configured, a specific version can be requested in the entity request. An example algorithm override follows:

Code Block
         <urn:assertion>
            <urn1:signatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</urn1:signatureAlgorithm>
            <urn1:digestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</urn1:digestAlgorithm>
            <urn1:homeCommunity>
               <urn1:description>${#Project#LocalHCDescription}</urn1:description>
               <urn1:homeCommunityId>${#Project#LocalHCID}</urn1:homeCommunityId>
               <urn1:name>${#Project#LocalHCDescription}</urn1:name>
            </urn1:homeCommunity>
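The following is an added example, not CONNECT's own code, that ties the two halves of this page together: it reads the saml.digestAlgorithms / saml.signatureAlgorithms / saml.default* keys from a saml.properties text, resolves SignatureConstants names to their W3C URIs, and then applies a request override from <urn1:signatureAlgorithm> and <urn1:digestAlgorithm> only when it is on the configured list, falling back to the default (SHA1 / RSA-SHA1 when the default keys are absent, as stated above). The namespace URIs behind the urn and urn1 prefixes, the function names, and the sample inputs are assumptions constructed for the example; the check that the default is itself on the allow-list is the example's own addition.

```python
"""Added example (not CONNECT's own code): pick the SAML signature and digest
algorithm for one message from saml.properties plus an optional per-request
override. The urn/urn1 namespace URIs and helper names are assumptions."""
import xml.etree.ElementTree as ET

# SignatureConstants name -> W3C algorithm URI (values as defined in OpenSAML).
SIGNATURE_CONSTANTS = {
    "ALGO_ID_SIGNATURE_RSA_SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "ALGO_ID_SIGNATURE_RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "ALGO_ID_SIGNATURE_RSA_SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "ALGO_ID_DIGEST_SHA1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "ALGO_ID_DIGEST_SHA256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "ALGO_ID_DIGEST_SHA512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

# The real namespace URIs for the urn/urn1 prefixes are not on the page; placeholders.
NS = {"urn": "urn:example:assertion", "urn1": "urn:example:assertion-types"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def to_uri(ident):
    """Accept a SignatureConstants name or a literal algorithm URI (the page allows either)."""
    if ident in SIGNATURE_CONSTANTS:
        return SIGNATURE_CONSTANTS[ident]
    if ident.startswith("http://www.w3.org/"):
        return ident
    raise ValueError("unknown algorithm identifier: " + ident)


def load_saml_config(text):
    """Build allow-lists and defaults; defaults fall back to SHA1 / RSA-SHA1 as the page states."""
    props = parse_properties(text)
    cfg = {}
    for kind, list_key, default_key, fallback in (
        ("digest", "saml.digestAlgorithms", "saml.defaultDigestAlgorithm", "ALGO_ID_DIGEST_SHA1"),
        ("signature", "saml.signatureAlgorithms", "saml.defaultSignatureAlgorithm", "ALGO_ID_SIGNATURE_RSA_SHA1"),
    ):
        default = to_uri(props.get(default_key, fallback))
        allowed = {to_uri(n.strip()) for n in props.get(list_key, "").split(",") if n.strip()}
        # Example's own rule: with no list configured, only the default is accepted.
        cfg[kind + "_allowed"] = allowed or {default}
        cfg[kind + "_default"] = default
        # Example's own sanity check: a default outside the allow-list is a misconfiguration.
        if default not in cfg[kind + "_allowed"]:
            raise ValueError(default_key + " is not listed in " + list_key)
    return cfg


def choose_algorithms(cfg, assertion_xml):
    """Return (signature_uri, digest_uri): the override when present and allowed, else the default."""
    root = ET.fromstring(assertion_xml)
    chosen = {}
    for kind, path in (("signature", "urn1:signatureAlgorithm"), ("digest", "urn1:digestAlgorithm")):
        el = root.find(path, NS)
        override = (el.text or "").strip() if el is not None else ""
        if not override:
            chosen[kind] = cfg[kind + "_default"]
        elif override in cfg[kind + "_allowed"]:
            chosen[kind] = override
        else:
            # An override outside the configured list is refused rather than silently downgraded.
            raise ValueError("requested " + kind + " algorithm is not allowed: " + override)
    return chosen["signature"], chosen["digest"]


# Constructed sample inputs, modelled on the snippets on this page.
SAMPLE_PROPERTIES = """# constructed sample saml.properties
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512,ALGO_ID_SIGNATURE_RSA_SHA256
saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512,ALGO_ID_DIGEST_SHA256
saml.defaultDigestAlgorithm=ALGO_ID_DIGEST_SHA512
saml.defaultSignatureAlgorithm=ALGO_ID_SIGNATURE_RSA_SHA512
"""

SAMPLE_ASSERTION = """<urn:assertion xmlns:urn="urn:example:assertion"
                     xmlns:urn1="urn:example:assertion-types">
  <urn1:signatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</urn1:signatureAlgorithm>
  <urn1:digestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</urn1:digestAlgorithm>
</urn:assertion>
"""

if __name__ == "__main__":
    config = load_saml_config(SAMPLE_PROPERTIES)
    print(choose_algorithms(config, SAMPLE_ASSERTION))
```

With the sample properties above, a request asking for RSA-SHA1 is rejected because SHA1 is not on the configured lists; leaving the override elements out yields the SHA512 defaults.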

Responding gateways

All versions specified in saml.digestAlgorithms and saml.signatureAlgorithms are accepted by a responding CONNECT gateway.