From 441b8d163fc112251784f467231588b5a3eded7a Mon Sep 17 00:00:00 2001
From: Nils Vogels
Date: Thu, 20 Jul 2017 15:37:56 +0200
Subject: [PATCH 1/4] Adding support for SHA255 signing

---
 djangosaml2/views.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index dbffce71..ac21a978 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
@@ -49,7 +49,7 @@ def csrf_exempt(view_func):
 from saml2.sigver import MissingKey
 from saml2.s_utils import UnsupportedBinding
 from saml2.response import StatusError
-from saml2.xmldsig import SIG_RSA_SHA1 # support for this is required by spec
+from saml2.xmldsig import SIG_RSA_SHA1, SIG_RSA_SHA256 # support for SHA1 is required by spec
 
 from djangosaml2.cache import IdentityCache, OutstandingQueriesCache
 from djangosaml2.cache import StateCache
@@ -168,9 +168,11 @@ def login(request,
     logger.debug('Redirecting user to the IdP via %s binding.', binding)
     if binding == BINDING_HTTP_REDIRECT:
         try:
-            # do not sign the xml itself, instead us the sigalg to
+            # do not sign the xml itself, instead use the sigalg to
             # generate the signature as a URL param
-            sigalg = SIG_RSA_SHA1 if sign_requests else None
+            sig_alg = getattr(conf, '_sp_authn_requests_signed_alg', False)
+            sigalg = SIG_RSA_SHA1 if sign_requests and sig_alg == 'sha1' else None
+            sigalg = SIG_RSA_SHA256 if sign_requests and sig_alg == 'sha256' else None
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
                 binding=binding, sign=False, sigalg=sigalg)

From c5a74c79b455ddc8ad1ce8ff173cf5c970cccbf0 Mon Sep 17 00:00:00 2001
From: Nils Vogels
Date: Thu, 20 Jul 2017 14:11:18 +0000
Subject: [PATCH 2/4] making previous default still work

---
 djangosaml2/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index ac21a978..4f4353fc 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
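Review bot: The second `sigalg =` line added in the login hunk unconditionally overwrites the first, so whenever the option is not 'sha256' (including the 'sha1' value this hunk introduces) `sigalg` ends up None and a request that `sign_requests` says must be signed goes out unsigned. The default of False has the same effect for every existing deployment that enables `sign_requests` without setting `_sp_authn_requests_signed_alg`, which silently drops signing relative to the old `sigalg = SIG_RSA_SHA1 if sign_requests else None`. A single lookup with a 'sha1' default avoids both problems: `sigalg = {'sha1': SIG_RSA_SHA1, 'sha256': SIG_RSA_SHA256}[getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')] if sign_requests else None`; PATCH 3/4 in this series replaces these lines along those lines. The body of login continues past the end of the hunk.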
@@ -171,7 +171,7 @@ def login(request,
             # do not sign the xml itself, instead use the sigalg to
             # generate the signature as a URL param
             sig_alg = getattr(conf, '_sp_authn_requests_signed_alg', False)
-            sigalg = SIG_RSA_SHA1 if sign_requests and sig_alg == 'sha1' else None
+            sigalg = SIG_RSA_SHA1 if sign_requests and sig_alg == 'sha1' or sig_alg==False else None
             sigalg = SIG_RSA_SHA256 if sign_requests and sig_alg == 'sha256' else None
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,

From dfb0f1d0a4ecc35551025acaaa8ebb10ebf25ef5 Mon Sep 17 00:00:00 2001
From: Jozef
Date: Tue, 8 Aug 2017 09:55:10 +0200
Subject: [PATCH 3/4] Refactor and clean up logic from PR #66

---
 djangosaml2/views.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index 4f4353fc..b3bb3c95 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
@@ -170,9 +170,10 @@ def login(request,
         try:
             # do not sign the xml itself, instead use the sigalg to
             # generate the signature as a URL param
-            sig_alg = getattr(conf, '_sp_authn_requests_signed_alg', False)
-            sigalg = SIG_RSA_SHA1 if sign_requests and sig_alg == 'sha1' or sig_alg==False else None
-            sigalg = SIG_RSA_SHA256 if sign_requests and sig_alg == 'sha256' else None
+            sig_alg_option_map = {'sha1': SIG_RSA_SHA1',
+                                  'sha256': SIG_RSA_SHA256'}
+            sig_alg_option = getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')
+            sigalg = sig_alg_option_map[sig_alg_option] if sign_requests else None
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
                 binding=binding, sign=False, sigalg=sigalg)

From ce04e775419c02115c667d17b77afe07e78b1ef2 Mon Sep 17 00:00:00 2001
From: Jozef
Date: Tue, 8 Aug 2017 10:01:25 +0200
Subject: [PATCH 4/4] Fix typos

---
 djangosaml2/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
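Review bot: The new condition `sign_requests and sig_alg == 'sha1' or sig_alg==False` parses as `(sign_requests and sig_alg == 'sha1') or (sig_alg == False)`, so with `sign_requests` disabled and the option unset `sigalg` is still set to SIG_RSA_SHA1 and the redirect URL is signed against configuration. The unchanged next line then resets `sigalg` to None for every value other than 'sha256', so the 'sha1' default this commit is meant to restore never reaches `prepare_for_authenticate`. Parenthesise and drop the second assignment's override, e.g. `sigalg = SIG_RSA_SHA1 if sign_requests and sig_alg in ('sha1', False) else None` followed by `if sign_requests and sig_alg == 'sha256': sigalg = SIG_RSA_SHA256`; PATCH 3/4 later in this series rewrites these lines as a dict lookup. The enclosing try block and the rest of login lie outside the hunk.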
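Review bot: `'sha1': SIG_RSA_SHA1',` and `'sha256': SIG_RSA_SHA256'}` in the new dict each carry a stray trailing quote, which is a SyntaxError at import time of views.py (PATCH 4/4 in this series corrects it). Independently, `sig_alg_option_map[sig_alg_option]` raises a bare KeyError for any other configured value (for example 'SHA256' or 'rsa-sha256'), so a misconfigured signing algorithm surfaces as an opaque server error instead of a configuration error; the same lines appear in the PATCH 4/4 hunk. Guard the lookup before using it: `if sign_requests and sig_alg_option not in sig_alg_option_map:` / `raise ValueError('Unsupported _sp_authn_requests_signed_alg %r, expected one of %s' % (sig_alg_option, sorted(sig_alg_option_map)))`. The `try:` opened in the hunk has its except clause outside the hunk, so check what it catches before relying on the new exception propagating.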
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index b3bb3c95..009dc401 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
@@ -170,8 +170,8 @@ def login(request,
         try:
             # do not sign the xml itself, instead use the sigalg to
             # generate the signature as a URL param
-            sig_alg_option_map = {'sha1': SIG_RSA_SHA1',
-                                  'sha256': SIG_RSA_SHA256'}
+            sig_alg_option_map = {'sha1': SIG_RSA_SHA1,
+                                  'sha256': SIG_RSA_SHA256}
             sig_alg_option = getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')
             sigalg = sig_alg_option_map[sig_alg_option] if sign_requests else None
             session_id, result = client.prepare_for_authenticate(
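Review bot: The corrected `sig_alg_option_map` is undocumented: the two-line comment above it still only explains why the XML is not signed inline, and nothing says where the algorithm choice comes from or why 'sha1' is the fallback. Add above the dict `# Signature algorithm for the redirect URL comes from the SP config attribute _sp_authn_requests_signed_alg ('sha1' or 'sha256').` and on the getattr line `# 'sha1' default keeps pre-existing deployments signing as before (see PATCH 2/4)`. Since RSA-SHA1 is kept only for compatibility with the spec's mandatory algorithm, the project docs for this option should point operators at 'sha256' as the recommended value. The enclosing try block's except clause and the rest of login are outside the hunk.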