Detect SAML IdP cert fingerprint and explicitly set algorithm

What does this MR do and why?

In the upcoming ruby-saml 2.x upgrade, the default IdP cert fingerprint algorithm will change from SHA1 to SHA256. Many installs use SHA1 fingerprints and would experience a breaking change, needing to explicitly set SHA1 as the algorithm after the upgrade. This change ensures we detect the algorithm and set it for those installs for backward compatibility. It also allows installs to start using SHA256 fingerprints now without specifying the SHA256 algorithm.

This detection works by looking at the length of each fingerprint. A SHA1 fingerprint is 40 characters (20 hex pairs) and SHA256 is 64 characters (32 hex pairs).

This means installs with the following configuration will continue to work after the ruby-saml 2.x upgrade even though the configuration has a SHA1 fingerprint:

gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Provider name", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: "https://gitlab.example.com/users/auth/saml/callback",
      idp_cert_fingerprint: "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8", #SHA1 fingerprint
      idp_sso_target_url: "https://login.example.com/idp",
      issuer: "https://gitlab.example.com",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]

Without this change, the install would break unless the administrator added the following algorithm configuration:

idp_cert_fingerprint_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1',
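The length-based detection described above, as an added example that is not the MR's own code: it normalizes a fingerprint as it appears in omniauth config, maps 40 hex characters to the SHA1 URI and 64 to the SHA256 URI, and returns nil for anything else (for instance a 32-character MD5 value) so the caller can fall back to an explicit setting. The throwaway self-signed certificate and the hostname idp.example.test are constructed sample data.

```ruby
require 'openssl'

# Length of the hex fingerprint -> XML DSig algorithm URI (the MR's rule:
# SHA1 is 20 hex pairs = 40 chars, SHA256 is 32 hex pairs = 64 chars).
FINGERPRINT_ALGORITHMS = {
  40 => 'http://www.w3.org/2000/09/xmldsig#sha1',
  64 => 'http://www.w3.org/2001/04/xmlenc#sha256'
}.freeze

# Strip colons and whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
def normalize_fingerprint(fingerprint)
  fingerprint.to_s.gsub(/[:\s]/, '').downcase
end

# Return the algorithm URI matching the fingerprint length, or nil when the
# value is not hex or its length is not one we recognise.
def detect_fingerprint_algorithm(fingerprint)
  hex = normalize_fingerprint(fingerprint)
  return nil unless hex.match?(/\A[0-9a-f]+\z/)

  FINGERPRINT_ALGORITHMS[hex.length]
end

# Colon-separated fingerprint of a certificate, the shape an admin pastes
# into idp_cert_fingerprint. digest_class is e.g. OpenSSL::Digest::SHA256.
def cert_fingerprint(cert, digest_class)
  digest_class.new(cert.to_der).hexdigest.scan(/../).join(':')
end

# Constructed sample: a self-signed certificate so the example runs offline.
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_cert
  [OpenSSL::Digest::SHA1, OpenSSL::Digest::SHA256].each do |digest_class|
    fp = cert_fingerprint(cert, digest_class)
    puts "#{fp} -> #{detect_fingerprint_algorithm(fp).inspect}"
  end
end
```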

References

Support full certificate or SHA256 for SAML (#524624 - closed)

Edited by Drew Blessing
