Add "Encryption algorithm" option of SAML IDP (#4240)

* Add "Encryption algorithm" option of SAML IDP
closes #4173

* Apply review feedback

Co-authored-by: Jon Koops <jonkoops@gmail.com>
This commit is contained in:
Douglas Palmer 2023-01-22 22:48:32 -08:00 committed by GitHub
parent ba2fc5f4ec
commit 12ea4e16f3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions

View file

@ -53,6 +53,7 @@
"httpPostBindingLogout": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "httpPostBindingLogout": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.",
"wantAuthnRequestsSigned": "Indicates whether the identity provider expects a signed AuthnRequest.", "wantAuthnRequestsSigned": "Indicates whether the identity provider expects a signed AuthnRequest.",
"signatureAlgorithm": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'", "signatureAlgorithm": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'",
"encryptionAlgorithm": "Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.",
"samlSignatureKeyName": "Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "samlSignatureKeyName": "Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.",
"wantAssertionsSigned": "Indicates whether this service provider expects a signed Assertion.", "wantAssertionsSigned": "Indicates whether this service provider expects a signed Assertion.",
"wantAssertionsEncrypted": "Indicates whether this service provider expects an encrypted Assertion.", "wantAssertionsEncrypted": "Indicates whether this service provider expects an encrypted Assertion.",

View file

@ -75,6 +75,7 @@
"httpPostBindingLogout": "HTTP-POST binding logout", "httpPostBindingLogout": "HTTP-POST binding logout",
"wantAuthnRequestsSigned": "Want AuthnRequests signed", "wantAuthnRequestsSigned": "Want AuthnRequests signed",
"signatureAlgorithm": "Signature algorithm", "signatureAlgorithm": "Signature algorithm",
"encryptionAlgorithm": "Encryption Algorithm",
"samlSignatureKeyName": "SAML signature key name", "samlSignatureKeyName": "SAML signature key name",
"wantAssertionsSigned": "Want Assertions signed", "wantAssertionsSigned": "Want Assertions signed",
"wantAssertionsEncrypted": "Want Assertions encrypted", "wantAssertionsEncrypted": "Want Assertions encrypted",

View file

@ -37,6 +37,8 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
useState(false); useState(false);
const [signatureAlgorithmDropdownOpen, setSignatureAlgorithmDropdownOpen] = const [signatureAlgorithmDropdownOpen, setSignatureAlgorithmDropdownOpen] =
useState(false); useState(false);
const [encryptionAlgorithmDropdownOpen, setEncryptionAlgorithmDropdownOpen] =
useState(false);
const [ const [
samlSignatureKeyNameDropdownOpen, samlSignatureKeyNameDropdownOpen,
setSamlSignatureKeyNameDropdownOpen, setSamlSignatureKeyNameDropdownOpen,
@ -374,6 +376,41 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
)} )}
></Controller> ></Controller>
</FormGroup> </FormGroup>
<FormGroup
label={t("encryptionAlgorithm")}
labelIcon={
<HelpItem
helpText={th("encryptionAlgorithm")}
fieldLabelId="identity-provider:encryptionAlgorithm"
/>
}
fieldId="kc-encryptionAlgorithm"
>
<Controller
name="config.encryptionAlgorithm"
defaultValue="RSA-OAEP"
control={control}
render={({ field }) => (
<Select
toggleId="kc-encryptionAlgorithm"
onToggle={(isExpanded) =>
setEncryptionAlgorithmDropdownOpen(isExpanded)
}
isOpen={encryptionAlgorithmDropdownOpen}
onSelect={(_, value) => {
field.onChange(value.toString());
setEncryptionAlgorithmDropdownOpen(false);
}}
selections={field.value}
variant={SelectVariant.single}
isDisabled={readOnly}
>
<SelectOption value="RSA-OAEP" />
<SelectOption value="RSA1_5" />
</Select>
)}
></Controller>
</FormGroup>
<FormGroup <FormGroup
label={t("samlSignatureKeyName")} label={t("samlSignatureKeyName")}
labelIcon={ labelIcon={