I am trying to set the DigestMethod Algorithm to http://www.w3.org/2001/04/xmlenc#sha256 and the SignatureMethod Algorithm to http://www.w3.org/2000/09/xmldsig#rsa-sha1.
I have set
'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
and
'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
I saw from a changelog that metadata.sign.algorithm was introduced as the digest algorithm. However, both the digest algorithm and the signature algorithm seem to be taken from the value of signature.algorithm. I am using SimpleSAMLphp v1.18.4.
Thanks in advance for your help.
It looks like SimpleSAMLphp does not allow this to be done. However, I patched Utils.php inside the SAML2 library to get this working:
diff --git a/src/SAML2/Utils.php b/src/SAML2/Utils.php
index e894a3e..4894f84 100644
--- a/src/SAML2/Utils.php
+++ b/src/SAML2/Utils.php
@@ -339,6 +339,11 @@ class Utils
$type = XMLSecurityDSig::SHA1;
}
+ // Patch to get SimpleSAMLPHP to return different
+ // algorithms for signature and digest
+ // to address Login.gov logout issue.
+ $type = XMLSecurityDSig::SHA256;
+
$objXMLSecDSig->addReferenceList(
[$root],
$type,
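Review bot: the unconditional `$type = XMLSecurityDSig::SHA256;` added right after the `if` block overrides whatever `$type` the preceding branches computed (the context line just above it still assigns `XMLSecurityDSig::SHA1`), so the digest becomes SHA-256 for every caller of this method regardless of configuration, and the branch above it is now dead code. Rather than hard-coding the constant, read the digest algorithm from its own configuration value (a dedicated digest option; the name is up to the project) and fall back to the existing derivation when it is unset, so the patch does not silently change every signature produced by this installation. The comment should also say what the "Login.gov logout issue" actually requires, since a reader of the code cannot tell from the hunk why SHA-256 is forced here.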
I set the signature algorithm to SHA1 in the config and applied this patch via composer to have the digest use the SHA256 algorithm.
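The combination asked for above (SHA-256 digest, RSA-SHA1 signature) is legal in XML-DSig because the two algorithms are independent: DigestMethod is chosen per Reference, SignatureMethod by the signing key type. The following is an added example, not code from the original post or from SimpleSAMLphp/SAML2, showing that the underlying xmlseclibs library (robrichards/xmlseclibs, assumed installed via Composer) already accepts them as separate parameters without a hard-coded patch. The sample LogoutRequest, its ID value and the function names `signDocument`, `signatureAlgorithms` and `verifyDocument` are constructed for this example; the RSA key pair is generated in-process so the script runs offline.

```php
<?php
// Added example (not from the original post, SimpleSAMLphp or SAML2):
// sign an element with a SHA-256 digest and an RSA-SHA1 signature using
// xmlseclibs, read both algorithm URIs back, and verify the result.
// Assumes robrichards/xmlseclibs is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Constructed sample document; element content and ID are made up.
$xml = '<?xml version="1.0"?>'
     . '<LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example-id-1">'
     . '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com</Issuer>'
     . '</LogoutRequest>';

// Throwaway RSA key pair generated here so the example runs offline.
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keyPair, $privatePem);
$publicPem = openssl_pkey_get_details($keyPair)['key'];

/**
 * Sign the root element of $doc (enveloped signature).
 * $digestAlgorithm ends up in <ds:DigestMethod> via addReference();
 * $signatureAlgorithm is the XMLSecurityKey type and ends up in
 * <ds:SignatureMethod>. The two are independent.
 */
function signDocument(DOMDocument $doc, string $privatePem,
                      string $digestAlgorithm, string $signatureAlgorithm): void
{
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference(
        $doc->documentElement,
        $digestAlgorithm,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]   // reuse the existing ID attribute
    );

    $key = new XMLSecurityKey($signatureAlgorithm, ['type' => 'private']);
    $key->loadKey($privatePem);
    $dsig->sign($key);
    $dsig->appendSignature($doc->documentElement);
}

/** Return [DigestMethod URI, SignatureMethod URI] found in the signed document. */
function signatureAlgorithms(DOMDocument $doc): array
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);
    return [
        $xp->evaluate('string(//ds:DigestMethod/@Algorithm)'),
        $xp->evaluate('string(//ds:SignatureMethod/@Algorithm)'),
    ];
}

/** Verify the enveloped signature with the public key; true only if both digest and signature check out. */
function verifyDocument(DOMDocument $doc, string $publicPem): bool
{
    $dsig = new XMLSecurityDSig();
    if ($dsig->locateSignature($doc) === null) {
        return false;
    }
    $dsig->canonicalizeSignedInfo();
    try {
        $dsig->validateReference();             // recomputes each DigestValue; throws on mismatch
    } catch (Exception $e) {
        return false;
    }
    $key = $dsig->locateKey();                  // key type taken from <ds:SignatureMethod>
    if ($key === null) {
        return false;
    }
    $key->loadKey($publicPem);
    return $dsig->verify($key) === 1;           // openssl_verify result: 1 = valid
}

$doc = new DOMDocument();
$doc->loadXML($xml);

// The combination from the question: SHA-256 digest, RSA-SHA1 signature.
signDocument($doc, $privatePem, XMLSecurityDSig::SHA256, XMLSecurityKey::RSA_SHA1);

[$digest, $sig] = signatureAlgorithms($doc);
echo "DigestMethod:    $digest\n";
echo "SignatureMethod: $sig\n";
echo "Verifies:        " . (verifyDocument($doc, $publicPem) ? 'yes' : 'no') . "\n";
```

The printed DigestMethod and SignatureMethod URIs are the xmlenc#sha256 and xmldsig#rsa-sha1 values the question asks for, and the verification pass confirms the signed document is consistent. A caveat for anyone copying this: RSA-SHA1 is only kept here because the question requires it for a specific peer; SHA-1 is deprecated for signatures and XMLSecurityKey::RSA_SHA256 should be the default wherever the relying party accepts it. Hard-coding the digest in the library, as the patch above does, changes every signature the installation produces, whereas passing the digest per call keeps the choice local to the one exchange that needs it.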