
Breaking change for SAML v2 users when we switched to JDK 17 #1202

Closed
robotdan opened this issue Jan 27, 2022 · 5 comments

Comments

@robotdan (Member) commented Jan 27, 2022

In JDK 17, some XML signature algorithms were disabled for security purposes.

We upgraded to Java 17 in version 1.32.0.
https://fusionauth.io/docs/v1/tech/release-notes/#version-1-32-0

See:

If you require the use of this XML signature for use with a 3rd party SAML v2 IdP, it is recommended that you request they use a more modern signature algorithm.

If that is not possible, you can modify the JDK configuration in your Docker image, or on each node in your cluster.

To do this, find the `java.security` file in `conf/security` in your Java directory. Then, to re-enable RSA-SHA1 for example, remove this value `disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\` from the configuration value `jdk.xml.dsig.secureValidationPolicy`.

Here is the default configuration in JDK 17.

```properties
jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
    disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
    disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    minKeySize RSA 1024,\
    minKeySize DSA 1024,\
    minKeySize EC 224,\
    noDuplicateIds,\
    noRetrievalMethodLoops
```

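The edit described in the issue body, as an added example that is not FusionAuth's or the JDK's own tooling: a POSIX shell script that deletes one `disallowAlg` entry from `jdk.xml.dsig.secureValidationPolicy` and verifies the result. The path `$JAVA_HOME/conf/security/java.security` is the JDK 9+ layout the issue refers to; `write_sample_policy` writes a constructed, trimmed copy of the default policy so the functions can be exercised without touching a real JDK.

```shell
#!/bin/sh
# Added example, not FusionAuth's or the JDK's own code: re-enable one
# XML-DSig algorithm by deleting its "disallowAlg" entry from the
# jdk.xml.dsig.secureValidationPolicy property in java.security.
# Assumed real path (JDK 9+ layout): "$JAVA_HOME/conf/security/java.security".
set -eu

# Exit 0 if FILE ($1) still lists ALG_URI ($2) as disallowed, 1 otherwise.
alg_is_disallowed() {
  grep -q "^[[:space:]]*disallowAlg $2,\\\\\$" "$1"
}

# Delete the disallowAlg line for ALG_URI ($2) from FILE ($1). Every
# disallowAlg entry in the JDK 17 default policy ends in ",\" (a line
# continuation), so dropping the whole line leaves the rest of the
# property intact. A no-op if the entry is already absent.
reenable_xmldsig_alg() {
  file="$1"
  alg="$2"
  if ! alg_is_disallowed "$file" "$alg"; then
    echo "$alg is not disallowed in $file; nothing to do" >&2
    return 0
  fi
  # Escape '.' so the URI is matched literally; '|' is used as the sed
  # address delimiter because the URI contains '/'.
  esc=$(printf '%s' "$alg" | sed 's/\./\\./g')
  sed "\\|^[[:space:]]*disallowAlg ${esc},\\\\\$|d" "$file" > "$file.new"
  mv "$file.new" "$file"
}

# Constructed excerpt of the JDK 17 default policy (trimmed), written to
# PATH ($1) purely for demonstration.
write_sample_policy() {
  cat > "$1" <<'EOF'
jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
    disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
    maxTransforms 5,\
    maxReferences 30,\
    noDuplicateIds,\
    noRetrievalMethodLoops
EOF
}

# Demo on a temporary copy. For a real JDK, point reenable_xmldsig_alg at
# "$JAVA_HOME/conf/security/java.security" (for example from a Dockerfile
# RUN step in an image derived from the official one) and restart the JVM.
demo_file=$(mktemp)
write_sample_policy "$demo_file"
reenable_xmldsig_alg "$demo_file" 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
cat "$demo_file"
rm -f "$demo_file"
```

Two caveats for anyone applying this. First, the change is JVM-wide: every XML signature the process validates, not only the legacy IdP's, will accept RSA-SHA1 afterwards, and if the IdP also uses SHA-1 for its `DigestMethod` the `xmldsig#sha1` entry has to go as well. Second, this property is enforced by the XML Signature API's secure validation mode, which JDK 17 enables by default; the edit only takes effect after the JVM restarts, and only if the application or SAML library does not apply its own algorithm checks on top, so confirm with a real assertion from the IdP rather than assuming the config change alone is sufficient.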
@robotdan (Member, Author) commented:

Added to release notes for 1.32.0

@robotdan (Member, Author) commented Aug 9, 2022

@nodesocket commented:

If using the official FusionAuth Helm chart and version 1.42.0, is there a flag, or how can I disable `disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1`? We don't control the container, so we need an automated way of making this change to support our legacy SAML customers.

@mooreds (Contributor) commented Jan 12, 2023

@nodesocket can you please file an issue in our main issues repo detailing this problem? I'm not quite sure I follow it, and your issue will get more visibility if it is a separate issue in the main issues repo rather than a comment on a closed issue on our website repo. Alternatively, if you have support, please file a ticket; that'll get attention as well.

Thanks for using FusionAuth!

@robotdan (Member, Author) commented:

It looks like this may not be totally solved by re-enabling this in the JDK. The Java XML API also turns this off by default - they really don't want you using this algorithm.

I think by default secure validation is enabled, and my guess is that this is causing the XML sig API to fail.
