Versions Compared

Old Version 3

changes.mady.by.user Sovann Huynh

Saved on

compared with

New Version Current

changes.mady.by.user Tabassum Jafri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleCXF and OpenSAML

Latest CONNECT release (5.23) leverages CXF 3.1.9 and OpenSAML 23.61.61

Specifying SHA versions

SHA versions supported by OpenSAML and CXF can be specified in saml.properties in the CONNECT properties directory:. Note that while multiple versions can be specified, a default must also be specified and can be overridden in the entity request (described in section Overriding default SHA version ). Make sure the properties include backslash after comma.  Refer to sample entries in saml.properties

  • saml.digestAlgorithms - comma separated list of SignatureConstants/URIs, of the desired digest algorithms to support
  • saml.signatureAlgorithms - comma separated list of SignatureConstants/URIs, of the desired signature algorithms to support
  • saml.defaultDigestAlgorithm - default digest algorithm to use if an override is not provided in the entity message. Defaults to SHA1 if not set.
  • saml.defaultSignatureAlgorithm - default signature algorithm to use if an override is not provided in the entity message. Defaults to RSA-SHA1 if not set.

See https://github.com/apigee/java-xmltooling/blob/master/src/main/java/org/opensaml/xml/signature/SignatureConstants.java for all supported SHA versions.

Anchor
sample entries in saml.properties
sample entries in saml.properties

Code Block
titleSample saml.digestAlogrithmsproperties SHA version configuration
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512
Code Block
titleSample saml.signatureAlogrithms
\,ALGO_ID_SIGNATURE_RSA_SHA1\,ALGO_ID_SIGNATURE_RSA_SHA256
saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512
Code Block
titleSample saml.defaultDigestAlogrithm
saml.defaultDigestAlgorithm=\,ALGO_ID_DIGEST_SHA1\,ALGO_ID_DIGEST_SHA512
Code Block
titleSample saml.defaultSignatureAlogrithm
SHA256
saml.defaultSignatureAlgorithm=ALGO_ID_SIGNATURE_RSA_SHA512SHA1
saml.defaultDigestAlgorithm=ALGO_ID_DIGEST_SHA1

Anchor
Overriding default SHA version
Overriding default SHA version
Overriding default SHA version

Once a list of allowable SHA versions and a default has been specified, a specific version from the allowable list can be specified in the entity request. An example algorithm override follows:<urn1:signatureAlgorithm‌‌>http

Code Block
         <urn:assertion>
			<urn1:signatureAlgorithm‌‌>http://www.w3.org/2001/04/xmldsig-more#rsa-

...

sha256</urn1:signatureAlgorithm>

...


			<urn1:digestAlgorithm‌‌>http://www.w3.org/2001/04/

...

xmlenc#sha256</urn1:digestAlgorithm>
            <urn1:homeCommunity>
               <urn1:description>${#Project#LocalHCDescription}</urn1:description>
               <urn1:homeCommunityId>${#Project#LocalHCID}</urn1:homeCommunityId>
               <urn1:name>${#Project#LocalHCDescription}</urn1:name>
            </urn1:homeCommunity>

Responding gateways

All versions specfied specified in saml.signatureAlgortihms and saml.xxx digestAlgorithms can be accepted by a responding CONNECT gateway

Code Block
titlesaml.properties
saml.signatureAlgorithms=ALGO_ID_SIGNATURE_RSA_SHA512\,ALGO_ID_SIGNATURE_RSA_SHA1\,ALGO_ID_SIGNATURE_RSA_SHA256
saml.digestAlgorithms=ALGO_ID_DIGEST_SHA512\,ALGO_ID_DIGEST_SHA1\,ALGO_ID_DIGEST_SHA256