WIP: Update SAML WebSSO Documentation to Clarify signatureMethodAlgorithm as Minimum Required Algorithm #8058

@karel-harjono

Description

Feature epic details

  • For the title of this issue, type: Documentation, Development epic name
  • Link to development epic:
  • Target GA release:

Operating systems

Does the documentation apply to all operating systems?

  • Yes
  • No; specify operating systems: ______

Summary

Provide a concise summary of your feature. What is the update, why does it matter, and to whom? What do 80% of target users need to know to be most easily productive using your runtime update?

Update the SAML Web inbound propagation documentation to clarify how the signatureMethodAlgorithm attribute is enforced. The documentation must explain that this attribute defines the minimum algorithm strength that inbound SAML response signatures must use. If the inbound assertion is signed with a weaker algorithm than the configured one, the server throws an exception and the request fails.

Updates to existing topics

To update existing topics, specify a link to the topics that are affected. Include a copy of the current text and the exact text to which it will change. For example: Change ABC to XYZ

Update the Inbound Section description.

from:

"""
The following example configuration demonstrates how to configure inbound propagation for the defaultSP SAML configuration by specifying the inboundPropagation attribute and the pkixTrustEngine element.

<samlWebSso20 id="defaultSP"
   inboundPropagation="required"
   headerName="saml_token"
   signatureMethodAlgorithm="SHA1">
   <pkixTrustEngine trustAnchor="serverStore" />
</samlWebSso20>

"""

to be updated to add more information:

"""
The signatureMethodAlgorithm attribute specifies the minimum required signature algorithm that the server will accept for inbound SAML responses. If the inbound SAML assertion is signed with a weaker algorithm than what is set in signatureMethodAlgorithm, the request will be rejected.

For example, if signatureMethodAlgorithm="SHA256" is configured, and the inbound SAML response uses SHA1, the server will reject the request because SHA1 does not meet the minimum required security level.

The following example configuration demonstrates how to configure inbound propagation for the defaultSP SAML configuration by specifying the inboundPropagation attribute, the signatureMethodAlgorithm requirement, and the pkixTrustEngine element.

<samlWebSso20 id="defaultSP"
   inboundPropagation="required"
   headerName="saml_token"
   signatureMethodAlgorithm="SHA256">    <!-- UPDATED HERE: was SHA1 -->
   <pkixTrustEngine trustAnchor="serverStore" />
</samlWebSso20>

"""
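The minimum-algorithm rule described above, as an added illustration in Python; this is not Open Liberty's implementation and none of the names below come from the server. It assumes a strength ordering SHA1 < SHA256 < SHA384 < SHA512 (the page only names SHA1 and SHA256, so the two stronger entries are an assumption), maps the standard XML Signature SignatureMethod URIs to those digests, checks every ds:Signature in the message (Response-level and Assertion-level), and treats an unrecognized algorithm URI as a rejection. The sample Response skeleton is constructed for the example and its SignatureValue is a placeholder, not a verified signature.

```python
"""Added illustration (not Open Liberty code): enforce a minimum signature
algorithm on an inbound SAML response, mirroring the documented semantics of
the samlWebSso20 signatureMethodAlgorithm attribute. All names and the sample
XML are constructed for this example."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Digest strength ranking: SHA1 < SHA256 < SHA384 < SHA512. The page only
# discusses SHA1 and SHA256; the two stronger entries are an assumption.
STRENGTH = {"SHA1": 1, "SHA256": 2, "SHA384": 3, "SHA512": 4}

# Standard XML Signature SignatureMethod URIs mapped to the digest they use.
ALGORITHM_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": "SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384": "SHA384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512": "SHA512",
}


class SignatureAlgorithmRejected(Exception):
    """Raised when a signature uses a weaker digest than the configured minimum."""


def signature_algorithms(saml_xml: str) -> list:
    """Return the Algorithm URI of every ds:SignatureMethod in the document,
    covering both Response-level and Assertion-level signatures."""
    root = ET.fromstring(saml_xml)
    return [el.get("Algorithm") for el in root.iter(f"{{{DS_NS}}}SignatureMethod")]


def check_minimum_algorithm(saml_xml: str, minimum: str) -> str:
    """Reject the message if any signature digest is weaker than `minimum`.
    An unknown algorithm URI or a message without any signature is rejected
    too (fail closed; an assumption of this example). Returns the weakest
    digest name found when the check passes."""
    required = STRENGTH[minimum.upper()]
    uris = signature_algorithms(saml_xml)
    if not uris:
        raise SignatureAlgorithmRejected("no ds:Signature found in SAML message")
    weakest = None
    for uri in uris:
        digest = ALGORITHM_URIS.get(uri)
        if digest is None:
            raise SignatureAlgorithmRejected(f"unrecognized signature algorithm {uri}")
        if STRENGTH[digest] < required:
            raise SignatureAlgorithmRejected(
                f"signature uses {digest}, below configured minimum {minimum}")
        if weakest is None or STRENGTH[digest] < STRENGTH[weakest]:
            weakest = digest
    return weakest


def sample_response(algorithm_uri: str) -> str:
    """Constructed, minimal SAML Response whose Assertion is signed with the
    given algorithm. Only the parts relevant to the algorithm check are present;
    the SignatureValue is a placeholder, not a real signature."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{algorithm_uri}"/>
      </ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def is_accepted(saml_xml: str, minimum: str) -> bool:
    """Convenience wrapper: True if the message passes the minimum check."""
    try:
        check_minimum_algorithm(saml_xml, minimum)
        return True
    except SignatureAlgorithmRejected:
        return False


if __name__ == "__main__":
    sha1 = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    sha256 = sample_response("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    print(is_accepted(sha1, "SHA256"))    # False: SHA1 is below the SHA256 minimum
    print(is_accepted(sha256, "SHA256"))  # True: meets the minimum exactly
    print(is_accepted(sha256, "SHA1"))    # True: stronger than the minimum is accepted
```

The check only inspects the declared SignatureMethod; it is a gate that runs before (not instead of) cryptographic verification of the signature against the trust anchor, so a message that passes here still has to verify under the pkixTrustEngine configuration.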
