Remove unusable samlWebSso20 signatureMethodAlgorithm SHA128 #32782

@Zech-Hein

After checking with @arunavemulapalli, we determined SHA128 is not supported by SAML, so the allowed signatureMethodAlgorithm metatype option of SHA128 is unusable.

I initially found this from thinking the metatype description was missing here: https://github.com/OpenLiberty/open-liberty/blob/integration/dev/com.ibm.ws.security.saml.websso.2.0/resources/OSGI-INF/l10n/metatype.properties#L29

but after checking the code, it looks like it was never meant to be used:
https://github.com/OpenLiberty/open-liberty/blob/integration/dev/com.ibm.ws.security.saml.websso.2.0/src/com/ibm/ws/security/saml/sso20/rs/RsSamlConfigImpl.java

And after checking the OpenSAML javadoc, I confirmed no SHA128 options exist:
https://shibboleth.net/api/java-opensaml/4.3.2-SNAPSHOT/org/opensaml/xmlsec/signature/support/SignatureConstants.html
