Allow SHA1 inbound sigs from Idp (#1047)

bitwarden_license/src/Portal/Models/SsoConfigDataViewModel.cs

@@ -47,6 +47,7 @@ namespace Bit.Portal.Models
             SpSigningBehavior = configurationData.SpSigningBehavior;
             SpWantAssertionsSigned = configurationData.SpWantAssertionsSigned;
             SpValidateCertificates = configurationData.SpValidateCertificates;
+            SpMinIncomingSigningAlgorithm = configurationData.SpMinIncomingSigningAlgorithm ?? SamlSigningAlgorithms.Sha256;
         }
 
         [Required]
@@ -86,6 +87,8 @@ namespace Bit.Portal.Models
         public bool SpWantAssertionsSigned { get; set; }
         [Display(Name = "SpValidateCertificates")]
         public bool SpValidateCertificates { get; set; }
+        [Display(Name = "MinIncomingSigningAlgorithm")]
+        public string SpMinIncomingSigningAlgorithm { get; set; }
 
         // SAML2 IDP
         [Display(Name = "EntityId")]
@@ -211,6 +214,7 @@ namespace Bit.Portal.Models
                 SpSigningBehavior = SpSigningBehavior,
                 SpWantAssertionsSigned = SpWantAssertionsSigned,
                 SpValidateCertificates = SpValidateCertificates,
+                SpMinIncomingSigningAlgorithm = SpMinIncomingSigningAlgorithm,
             };
         }
 

bitwarden_license/src/Portal/Views/Sso/Index.cshtml

@@ -194,6 +194,13 @@
                             class="form-control"></select>
                 </div>
             </div>
+            <div class="row">
+                <div class="col-7 form-group">
+                    <label asp-for="Data.SpMinIncomingSigningAlgorithm">@i18nService.T("MinIncomingSigningAlgorithm")</label>
+                    <select asp-for="Data.SpMinIncomingSigningAlgorithm" asp-items="Model.SigningAlgorithms"
+                            class="form-control"></select>
+                </div>
+            </div>
             <div class="form-group">
                 <div class="form-check">
                     <input asp-for="Data.SpWantAssertionsSigned" type="checkbox" class="form-check-input">

bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs

@@ -9,6 +9,7 @@ using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Models.Table;
 using Bit.Core.Repositories;
+using Bit.Core.Sso;
 using Bit.Sso.Models;
 using Bit.Sso.Utilities;
 using IdentityModel;
@@ -358,6 +359,10 @@ namespace Bit.Core.Business.Sso
                 AuthenticateRequestSigningBehavior = GetSigningBehavior(config.SpSigningBehavior),
                 ValidateCertificates = config.SpValidateCertificates,
             };
+            if (!string.IsNullOrWhiteSpace(config.SpMinIncomingSigningAlgorithm))
+            {
+                spOptions.MinIncomingSigningAlgorithm = config.SpMinIncomingSigningAlgorithm;
+            }
             if (!string.IsNullOrWhiteSpace(config.SpOutboundSigningAlgorithm))
             {
                 spOptions.OutboundSigningAlgorithm = config.SpOutboundSigningAlgorithm;

src/Core/Models/Data/SsoConfigurationData.cs

@@ -39,6 +39,7 @@ namespace Bit.Core.Models.Data
         public Saml2SigningBehavior SpSigningBehavior { get; set; } = Saml2SigningBehavior.IfIdpWantAuthnRequestsSigned;
         public bool SpWantAssertionsSigned { get; set; }
         public bool SpValidateCertificates { get; set; }
+        public string SpMinIncomingSigningAlgorithm { get; set; } = SamlSigningAlgorithms.Sha256;
 
         public string BuildCallbackPath(string ssoUri = null)
         {

src/Core/Resources/SharedResources.en.resx

@@ -331,6 +331,9 @@
   <data name="SigningBehavior" xml:space="preserve">
     <value>Signing Behavior</value>
   </data>
+  <data name="MinIncomingSigningAlgorithm" xml:space="preserve">
+    <value>Minimum Incoming Signing Algorithm</value>
+  </data>
   <data name="BindingType" xml:space="preserve">
     <value>Binding Type</value>
   </data>