providers/saml: auto pull signature algorithm options by PeshekDotDev · Pull Request #17614 · goauthentik/authentik

PeshekDotDev · 2025-10-21T04:17:54Z

Details

In order to receive space, one must sacrifice it.

This PR shall clean up the form, giving us room for new life and features

Closes #19139

Checklist

Local tests pass (ak test authentik/)
The code has been formatted (make lint-fix)

If an API change has been made

The API schema has been updated (make gen-build)

If changes to the frontend have been made

The code has been formatted (make web)

If applicable

The documentation has been updated
The documentation has been formatted (make docs)

netlify · 2025-10-21T04:17:58Z

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	`24dc523`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69407df98a1f980008f34ce8

netlify · 2025-10-21T04:17:58Z

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	`09a8ff0`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/698258607d121e0008096d6a
😎 Deploy Preview	https://deploy-preview-17614--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify · 2025-10-21T04:17:58Z

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	`af7d257`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/696011ba98d6fd000819e181
😎 Deploy Preview	https://deploy-preview-17614--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

codecov · 2025-10-21T04:24:12Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.26%. Comparing base (457ea95) to head (09a8ff0).
⚠️ Report is 5 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17614      +/-   ##
==========================================
+ Coverage   93.21%   93.26%   +0.05%     
==========================================
  Files         968      968              
  Lines       53418    53430      +12     
==========================================
+ Hits        49793    49833      +40     
+ Misses       3625     3597      -28

Flag	Coverage Δ
conformance	`38.05% <7.69%> (-0.01%)`	⬇️
e2e	`44.06% <7.69%> (+<0.01%)`	⬆️
integration	`22.76% <0.00%> (-0.01%)`	⬇️
unit	`91.40% <100.00%> (+0.01%)`	⬆️
unit-migrate	`91.44% <100.00%> (+0.06%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2025-10-21T04:52:06Z

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-09a8ff0836cef8d776913cd444dd7dd9165e3f10
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-09a8ff0836cef8d776913cd444dd7dd9165e3f10

Afterwards, run the upgrade commands from the latest release notes.

BeryJu · 2025-12-30T19:06:37Z

authentik/providers/saml/tests/test_api.py


+    def test_create_validate_unsupported_key_type(self):
+        """Test validation rejects unsupported key types (Ed25519)"""
+        from authentik.crypto.models import CertificateKeyPair


should be top of file

BeryJu · 2025-12-30T19:07:15Z

authentik/providers/saml/tests/test_api.py

+        # Create an Ed25519 certificate
+        ed25519_cert = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=load_fixture("fixtures/ed25519-cert.pem"),


should be able to generate, with create_test_cert

I had to make some updates to the certificate generator to support this. I had to change the default format we generate in, so let me know if that's problematic

BeryJu · 2025-12-30T19:07:38Z

authentik/providers/saml/tests/test_api.py

+        self.assertIn("signing_kp", loads(response.content))
+        self.assertIn(
+            "Only RSA, EC, and DSA key types are supported",
+            loads(response.content)["signing_kp"][0],
+        )


self.assertJSON

BeryJu · 2025-12-30T19:08:02Z

web/src/admin/providers/saml/SAMLProviderFormForm.ts

                        .certificate=${provider.signingKp}
                        @input=${setHasSigningKp}
                        singleton
+                        .allowedKeyTypes=${[KeyTypeEnum.Rsa, KeyTypeEnum.Ec, KeyTypeEnum.Dsa]}


maybe put the allowed key types as a constant?

I added it to the options, good call

PeshekDotDev · 2026-01-15T21:47:15Z

Because we want to be able to test the functionality of incorrect certs, we need the cert builder to support ed25519. So we need PR #19465 to merge, then update this PR and merge it

* main: (26 commits) providers/saml: auto pull signature algorithm options (#17614) core, web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /packages/prettier-config (#19990) web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /web (#19989) stages/authenticator_webauthn: fix double JSON encoding of webauthn options (#19952) core: bump django from 5.2.10 to 5.2.11 (#19988) ci: allow setting assignee to fail (#19985) root: revert enterprise loading behaviour (#19485) web/flows: update flow background (#19974) providers/oauth2: use compare_digest for client_secret comparison (#19979) recovery: consume token in transaction (#19967) core: ask for token duration on recovery link/email by admin (#19875) core: bump aws-cdk-lib from 2.236.0 to 2.237.0 (#19958) web: bump the storybook group across 1 directory with 5 updates (#19960) core: bump library/nginx from `c881927` to `7fe5dda` in /website (#19961) core: bump gunicorn from 25.0.0 to 25.0.1 (#19959) core: bump goauthentik.io/api/v3 to 3.2026.2.0-rc1-1770129730 (#19973) lifecycle: bump shm size (#19369) crypto: Add ED25519 and ED448 support to the certificate builder (#19465) web/admin: Register stage elements. Fix linter warnings (#19948) web: bump knip from 5.82.1 to 5.83.0 in /web (#19962) ...

BeryJu added this to authentik Core Oct 27, 2025

github-project-automation bot moved this to Todo in authentik Core Oct 27, 2025

BeryJu added this to the Release 2025.12 milestone Oct 27, 2025

BeryJu assigned PeshekDotDev Oct 27, 2025

PeshekDotDev force-pushed the saml-signature-cleanup branch from dd6674f to 11c97df Compare October 27, 2025 21:29

PeshekDotDev marked this pull request as ready for review October 27, 2025 21:30

PeshekDotDev requested a review from a team as a code owner October 27, 2025 21:30

PeshekDotDev changed the title ~~providers/saml: change digest and signature algorithm options into dropdowns~~ providers/saml: auto pull signature algorithm options Oct 27, 2025

PeshekDotDev requested a review from a team as a code owner October 28, 2025 01:09

PeshekDotDev force-pushed the saml-signature-cleanup branch 2 times, most recently from a7a90e7 to fa3e520 Compare October 28, 2025 21:03

PeshekDotDev marked this pull request as draft November 3, 2025 18:53

PeshekDotDev force-pushed the saml-signature-cleanup branch 3 times, most recently from 1762fe6 to 44670e2 Compare November 7, 2025 21:56

PeshekDotDev force-pushed the saml-signature-cleanup branch from 44670e2 to 24dc523 Compare December 15, 2025 21:30

PeshekDotDev marked this pull request as ready for review December 15, 2025 21:31

PeshekDotDev added the backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 label Dec 16, 2025

PeshekDotDev moved this from Todo to Needs review in authentik Core Dec 19, 2025

BeryJu reviewed Dec 30, 2025

View reviewed changes

PeshekDotDev mentioned this pull request Jan 6, 2026

Mismatch of "Signature algorithm" and selected certificate causes generic server error #19139

Closed

PeshekDotDev moved this from Needs review to In review in authentik Core Jan 6, 2026

rissson removed the backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 label Jan 14, 2026

rissson modified the milestones: Release 2025.12, Release 2026.2 Jan 14, 2026

BeryJu approved these changes Feb 3, 2026

View reviewed changes

github-project-automation bot moved this from In review to In Progress in authentik Core Feb 3, 2026

BeryJu modified the milestones: Release 2026.2.0: Nice to have, Release 2026.2.0: Required Feb 3, 2026

update saml pr after cert gen

09a8ff0

PeshekDotDev force-pushed the saml-signature-cleanup branch from db1c875 to 09a8ff0 Compare February 3, 2026 20:19

PeshekDotDev merged commit 838c985 into main Feb 3, 2026
102 checks passed

PeshekDotDev deleted the saml-signature-cleanup branch February 3, 2026 21:52

github-project-automation bot moved this from In Progress to Done in authentik Core Feb 3, 2026

Uh oh!

Conversation

PeshekDotDev commented Oct 21, 2025 • edited by dewi-tik Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Details

Checklist

Uh oh!

netlify bot commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-docs canceled.

Uh oh!

netlify bot commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-storybook ready!

Uh oh!

netlify bot commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-integrations ready!

Uh oh!

codecov bot commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions bot commented Oct 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

PeshekDotDev commented Jan 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

PeshekDotDev commented Oct 21, 2025 •

edited by dewi-tik

Loading

netlify bot commented Oct 21, 2025 •

edited

Loading

netlify bot commented Oct 21, 2025 •

edited

Loading

netlify bot commented Oct 21, 2025 •

edited

Loading

codecov bot commented Oct 21, 2025 •

edited

Loading

github-actions bot commented Oct 21, 2025 •

edited

Loading