From c3d51eafba25161250bf1c49be684913dedf57b0 Mon Sep 17 00:00:00 2001
From: yvgenycyolo
Date: Thu, 20 Jun 2024 13:01:45 +0300
Subject: [PATCH] allow change assertion encrypt algorithm

---
 identity_provider.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/identity_provider.go b/identity_provider.go
index abaaad68..93d49307 100644
--- a/identity_provider.go
+++ b/identity_provider.go
@@ -106,6 +106,7 @@ type IdentityProvider struct {
 	SessionProvider SessionProvider
 	AssertionMaker AssertionMaker
 	SignatureMethod string
+	AssertionDigestMethod *xmlenc.DigestMethod
 	ValidDuration *time.Duration
 }
 
@@ -867,7 +868,13 @@ func (req *IdpAuthnRequest) MakeAssertionEl() error {
 	encryptor := xmlenc.OAEP()
 	encryptor.BlockCipher = xmlenc.AES128CBC
-	encryptor.DigestMethod = &xmlenc.SHA1
+	// Default to using SHA1 if the signature method isn't set.
+	if req.IDP.AssertionDigestMethod == nil {
+		encryptor.DigestMethod = &xmlenc.SHA1
+	} else {
+		encryptor.DigestMethod = *req.IDP.AssertionDigestMethod
+	}
+
 	encryptedDataEl, err := encryptor.Encrypt(certBuf, signedAssertionBuf, nil)
 	if err != nil {
 		return err
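Review bot: The new exported field `AssertionDigestMethod` added to the `IdentityProvider` struct has no doc comment, so a caller configuring the IdP cannot tell from the type what it controls or what the nil default means. Based on its use in the second hunk, a comment such as `// AssertionDigestMethod selects the digest used by the OAEP key transport when the assertion is encrypted in MakeAssertionEl. If nil, SHA-1 is used.` would document it. As a point of style, the field is declared as a pointer to `xmlenc.DigestMethod`, yet the second hunk both dereferences it and assigns `&xmlenc.SHA1` to the same `encryptor.DigestMethod`, which suggests `xmlenc.DigestMethod` is already an interface; if so, declaring the field as plain `xmlenc.DigestMethod` and comparing it against nil would avoid the pointer-to-interface indirection. The `IdentityProvider` struct begins before this hunk, and the second hunk's enclosing function ends outside the visible patch.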