feat(sso-app): add default signature method (#787)

dorsha · web-flow · commit e79b0b82a4de · 2026-03-16T22:43:10.000+02:00
* feat(sso-app): add default signature methid

* feat(sso-app): add default signature methid
diff --git a/descope/auth.py b/descope/auth.py
@@ -251,11 +251,11 @@ def exchange_access_key(
     ) -> dict:
         uri = EndpointsV1.exchange_auth_access_key_path
         body = {
-            "loginOptions": {
-                k: v for k, v in login_options.__dict__.items() if v is not None
-            }
-            if login_options
-            else {},
+            "loginOptions": (
+                {k: v for k, v in login_options.__dict__.items() if v is not None}
+                if login_options
+                else {}
+            ),
         }
         server_response = self._http.post(uri, body=body, pswd=access_key)
         json_body = server_response.json()
diff --git a/descope/management/sso_application.py b/descope/management/sso_application.py
@@ -79,6 +79,7 @@ def create_saml_application(
         default_relay_state: Optional[str] = None,
         force_authentication: Optional[bool] = False,
         logout_redirect_url: Optional[str] = None,
+        default_signature_algorithm: Optional[str] = None,
     ) -> dict:
         """
         Create a new SAML sso application with the given name. SSO application IDs are provisioned automatically, but can be provided
@@ -104,6 +105,7 @@ def create_saml_application(
         default_relay_state (str): Optional define the default relay state.
         force_authentication (bool): Optional determine if the IdP should force the user to re-authenticate.
         logout_redirect_url (str): Optional Target URL to which the user will be redirected upon logout completion.
+        default_signature_algorithm (str): Optional signature algorithm for SAML responses. Use "sha256" to opt in to SHA-256. Leave empty for the default (SHA-1). Only applies to IdP-initiated flows.
 
         Return value (dict):
         Return dict in the format
@@ -151,6 +153,7 @@ def create_saml_application(
                 default_relay_state,
                 force_authentication,
                 logout_redirect_url,
+                default_signature_algorithm,
             ),
         )
         return response.json()
@@ -217,6 +220,7 @@ def update_saml_application(
         default_relay_state: Optional[str] = None,
         force_authentication: Optional[bool] = False,
         logout_redirect_url: Optional[str] = None,
+        default_signature_algorithm: Optional[str] = None,
     ):
         """
         Update an existing SAML sso application with the given parameters. IMPORTANT: All parameters are used as overrides
@@ -242,6 +246,7 @@ def update_saml_application(
         default_relay_state (str): Optional define the default relay state.
         force_authentication (bool): Optional determine if the IdP should force the user to re-authenticate.
         logout_redirect_url (str): Optional Target URL to which the user will be redirected upon logout completion.
+        default_signature_algorithm (str): Optional signature algorithm for SAML responses. Use "sha256" to opt in to SHA-256. Leave empty for the default (SHA-1). Only applies to IdP-initiated flows.
 
         Raise:
         AuthException: raised if update operation fails
@@ -285,6 +290,7 @@ def update_saml_application(
                 default_relay_state,
                 force_authentication,
                 logout_redirect_url,
+                default_signature_algorithm,
             ),
         )
 
@@ -390,6 +396,7 @@ def _compose_create_update_saml_body(
         default_relay_state: Optional[str] = None,
         force_authentication: Optional[bool] = False,
         logout_redirect_url: Optional[str] = None,
+        default_signature_algorithm: Optional[str] = None,
     ) -> dict:
         body: dict[str, Any] = {
             "id": id,
@@ -413,6 +420,7 @@ def _compose_create_update_saml_body(
             "defaultRelayState": default_relay_state,
             "forceAuthentication": force_authentication,
             "logoutRedirectUrl": logout_redirect_url,
+            "defaultSignatureAlgorithm": default_signature_algorithm,
         }
 
         return body
diff --git a/tests/management/test_sso_application.py b/tests/management/test_sso_application.py
@@ -147,6 +147,7 @@ def test_create_saml_application(self):
                 default_relay_state="relayState",
                 force_authentication=True,
                 logout_redirect_url="http://dummy.com/logout",
+                default_signature_algorithm="sha256",
             )
             self.assertEqual(resp["id"], "app1")
             mock_post.assert_called_with(
@@ -187,6 +188,7 @@ def test_create_saml_application(self):
                     "defaultRelayState": "relayState",
                     "forceAuthentication": True,
                     "logoutRedirectUrl": "http://dummy.com/logout",
+                    "defaultSignatureAlgorithm": "sha256",
                 },
                 allow_redirects=False,
                 verify=True,
@@ -351,6 +353,7 @@ def test_update_saml_application(self):
                     "defaultRelayState": None,
                     "forceAuthentication": False,
                     "logoutRedirectUrl": None,
+                    "defaultSignatureAlgorithm": None,
                 },
                 allow_redirects=False,
                 verify=True,
