IdentityPython · knaperek · Aug 8, 2017 · Jul 20, 2017 · Jul 20, 2017 · Aug 8, 2017
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
@@ -49,7 +49,7 @@ def csrf_exempt(view_func):
 from saml2.sigver import MissingKey
 from saml2.s_utils import UnsupportedBinding
 from saml2.response import StatusError
-from saml2.xmldsig import SIG_RSA_SHA1  # support for this is required by spec
+from saml2.xmldsig import SIG_RSA_SHA1, SIG_RSA_SHA256  # support for SHA1 is required by spec
 
 from djangosaml2.cache import IdentityCache, OutstandingQueriesCache
 from djangosaml2.cache import StateCache
@@ -168,9 +168,12 @@ def login(request,
     logger.debug('Redirecting user to the IdP via %s binding.', binding)
     if binding == BINDING_HTTP_REDIRECT:
         try:
-            # do not sign the xml itself, instead us the sigalg to
+            # do not sign the xml itself, instead use the sigalg to
             # generate the signature as a URL param
-            sigalg = SIG_RSA_SHA1 if sign_requests else None
+            sig_alg_option_map = {'sha1': SIG_RSA_SHA1,
+                                  'sha256': SIG_RSA_SHA256}
+            sig_alg_option = getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')
+            sigalg = sig_alg_option_map[sig_alg_option] if sign_requests else None
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
                 binding=binding, sign=False, sigalg=sigalg)