
Allow the use of certificate alias for request signature validation #22113

deshankoswatte commented Dec 25, 2024

Description

In WSO2 IS 6.0.0, when SAML service providers are used, it is possible to configure the service provider certificates in the WSO2 IS keystore and set the certificate alias [1], with the option to enable signature validation for authentication and logout requests. With this configuration, WSO2 IS uses the selected certificate for request signature validation, as described in the documentation.

However, when migrating to WSO2 IS 7.0.0, the "Enable Signature Validation" option becomes tied to the certificate. As a result, even though it is possible to display the migrated certificate alias using the following configuration, updating the certificate alias causes the "Enable Signature Validation" option to be disabled.

[console.applications.ui]
certificate_alias_enabled=true

Since signature validation using the certificate alias is supported [1], this should be addressed in the console to ensure backward compatibility.

[1] - https://is.docs.wso2.com/en/6.0.0/guides/login/saml-app-config-advanced/#certificate-alias

Steps to Reproduce

  • Add the following configuration to the deployment.toml file located in the <IS_HOME>/repository/conf directory:

    [console.applications.ui]
    certificate_alias_enabled=true

  • Create a SAML application.
  • Try to update the certificate alias and enable signature validation through an API request, as shown below.
curl --location --request PUT 'https://localhost:9443/t/carbon.super/api/server/v1/applications/e4c64f52-c308-4684-b120-cee8b1fb080d/inbound-protocols/saml' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <BASE64_ENCODED_ADMIN_CREDENTIALS>' \
--data '{
    "manualConfiguration": {
        "assertionConsumerUrls": [
            "https://www.test2.com"
        ],
        "attributeProfile": {
            "alwaysIncludeAttributesInResponse": false,
            "enabled": false
        },
        "defaultAssertionConsumerUrl": "https://www.test2.com",
        "enableAssertionQueryProfile": false,
        "idpEntityIdAlias": "",
        "issuer": "test2",
        "requestValidation": {
            "enableSignatureValidation": true,
            "signatureValidationCertAlias": "ou_epki_root_certification_authority,o_chunghwa_telecom_co__ltd,c_tw"
        },
        "responseSigning": {
            "enabled": false,
            "signingAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        },
        "serviceProviderQualifier": "",
        "singleLogoutProfile": {
            "enabled": false,
            "idpInitiatedSingleLogout": {
                "enabled": false,
                "returnToUrls": []
            },
            "logoutMethod": "BACKCHANNEL",
            "logoutRequestUrl": "",
            "logoutResponseUrl": ""
        },
        "singleSignOnProfile": {
            "assertion": {
                "audiences": [],
                "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
                "encryption": {
                    "assertionEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
                    "enabled": false,
                    "keyEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                },
                "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "recipients": []
            },
            "bindings": [
                "HTTP_POST",
                "HTTP_REDIRECT"
            ],
            "enableIdpInitiatedSingleSignOn": false,
            "enableSignatureValidationForArtifactBinding": false
        }
    }
}'
  • Navigate back to the Console application, return to the SAML application, and attempt to update the certificate alias to a different one. The "Enable Signature Validation" option will be disabled.
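The practical risk in the steps above is that the console edit silently turns request signature validation off, so unsigned SP authentication and logout requests would be accepted from that point on. The following script is an added example, not part of this issue or of the WSO2 code base: it audits the SAML inbound configuration JSON (the same shape as the PUT payload above) and reports whether `enableSignatureValidation` and `signatureValidationCertAlias` are in the expected state. The `fetch_saml_config` helper assumes that a GET on the same `/inbound-protocols/saml` path used in the issue returns that JSON; the hostname, tenant, application id and credentials it takes are placeholders, and the two sample configurations are constructed for illustration.

```python
"""Audit request signature validation in a WSO2 IS SAML inbound configuration.

Added example (not from the issue or the WSO2 project). Assumes a GET on
/t/{tenant}/api/server/v1/applications/{id}/inbound-protocols/saml returns the
same JSON shape as the PUT payload shown in the issue.
"""
import base64
import json
import ssl
import urllib.request
from typing import List, Optional

ALIAS = "ou_epki_root_certification_authority,o_chunghwa_telecom_co__ltd,c_tw"

# Constructed sample: the state the PUT in the issue is meant to persist
# (only the fields this check looks at).
SAMPLE_EXPECTED = {
    "manualConfiguration": {
        "issuer": "test2",
        "requestValidation": {
            "enableSignatureValidation": True,
            "signatureValidationCertAlias": ALIAS,
        },
    }
}

# Constructed sample: the state described in the issue after changing the
# alias in the console, where the validation flag flips to false.
SAMPLE_REGRESSED = {
    "manualConfiguration": {
        "issuer": "test2",
        "requestValidation": {
            "enableSignatureValidation": False,
            "signatureValidationCertAlias": "some_other_alias",
        },
    }
}


def audit_request_validation(config: dict, expected_alias: Optional[str] = None) -> List[str]:
    """Return findings about request signature validation; [] means all is as expected."""
    findings: List[str] = []
    request_validation = config.get("manualConfiguration", {}).get("requestValidation")
    if request_validation is None:
        return ["requestValidation block missing: cannot confirm that SP request signatures are verified"]

    enabled = bool(request_validation.get("enableSignatureValidation", False))
    alias = (request_validation.get("signatureValidationCertAlias") or "").strip()

    if not enabled:
        findings.append(
            "enableSignatureValidation is false: signatures on SP authentication "
            "and logout requests are not verified"
        )
    if expected_alias is not None and alias != expected_alias:
        findings.append(f"signatureValidationCertAlias is {alias!r}, expected {expected_alias!r}")
    return findings


def fetch_saml_config(base_url: str, tenant: str, app_id: str, username: str,
                      password: str, ca_bundle: Optional[str] = None) -> dict:
    """GET the SAML inbound configuration of an application (hypothetical GET on the issue's PUT path)."""
    url = f"{base_url}/t/{tenant}/api/server/v1/applications/{app_id}/inbound-protocols/saml"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    # Verify the server certificate against a supplied CA bundle instead of disabling TLS checks.
    context = ssl.create_default_context(cafile=ca_bundle) if ca_bundle else None
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in fetch_saml_config(...) for a live check.
    for name, sample in (("expected", SAMPLE_EXPECTED), ("regressed", SAMPLE_REGRESSED)):
        print(name, audit_request_validation(sample, expected_alias=ALIAS) or "OK")
```

Running the audit after every console edit of a migrated SAML application (or over all applications during a migration sign-off) surfaces the regression in the issue as an explicit finding rather than leaving it to be noticed in the UI.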

Version

wso2is-7.0.0

Environment Details (with versions)

  • OS: Mac OS
  • Database: H2
  • Userstore: JDBC