From 63338f4bcfb27ecbb93a2498a27dbc70b76a1ce4 Mon Sep 17 00:00:00 2001
From: Connor Peshek
Date: Tue, 7 Apr 2026 08:28:02 -0500
Subject: [PATCH 1/2] Cherry-pick #20881 to version-2026.2 (with conflicts)

This cherry-pick has conflicts that need manual resolution.
Original PR: #20881
Original commit: db5a1542301a2f6fdd47237176ee18bb00f61080
---
 ...k-application-wizard-provider-for-wsfed.ts | 7 +-
 .../providers/saml/SAMLProviderFormForm.ts | 4 +-
 .../providers/saml/SAMLProviderOptions.ts | 2 +
 .../wsfed/WSFederationProviderForm.ts | 7 +-
 .../wsfed/WSFederationProviderFormForm.ts | 68 ++++++++++++++++---
 5 files changed, 74 insertions(+), 14 deletions(-)
diff --git a/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-wsfed.ts b/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-wsfed.ts
index 1161d5705a00..f6676824f38c 100644
--- a/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-wsfed.ts
+++ b/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-wsfed.ts
@@ -6,7 +6,7 @@ import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm.j
 import { type AkCryptoCertificateSearch } from "#admin/common/ak-crypto-certificate-search";
 import { renderForm } from "#admin/providers/wsfed/WSFederationProviderFormForm";
-import { type WSFederationProvider } from "@goauthentik/api";
+import { KeyTypeEnum, type WSFederationProvider } from "@goauthentik/api";
 import { msg } from "@lit/localize";
 import { customElement, state } from "@lit/reactive-element/decorators.js";
@@ -19,11 +19,15 @@ export class ApplicationWizardProviderWSFedForm extends ApplicationWizardProvide @state() protected hasSigningKp = false; + @state() + protected signingKeyType: KeyTypeEnum | null = null; + renderForm() { const setHasSigningKp = (ev: InputEvent) => { const target = ev.target as AkCryptoCertificateSearch; if (!target) return; this.hasSigningKp = !!target.selectedKeypair; + this.signingKeyType = target.selectedKeypair?.keyType ?? KeyTypeEnum.Rsa; }; return html` ${this.label} @@ -33,6 +37,7 @@ export class ApplicationWizardProviderWSFedForm extends ApplicationWizardProvide errors: this.wizard.errors?.provider, setHasSigningKp, hasSigningKp: this.hasSigningKp, + signingKeyType: this.signingKeyType, })} `; } diff --git a/web/src/admin/providers/saml/SAMLProviderFormForm.ts b/web/src/admin/providers/saml/SAMLProviderFormForm.ts index 42cf75c71c4f..f63fbb8d794a 100644 --- a/web/src/admin/providers/saml/SAMLProviderFormForm.ts +++ b/web/src/admin/providers/saml/SAMLProviderFormForm.ts @@ -13,6 +13,7 @@ import "#elements/utils/TimeDeltaHelp"; import { propertyMappingsProvider, propertyMappingsSelector } from "./SAMLProviderFormHelpers.js"; import { availableHashes, + DEFAULT_HASH_ALGORITHM, digestAlgorithmOptions, retrieveSignatureAlgorithm, SAMLSupportedKeyTypes, @@ -525,7 +526,8 @@ export function renderForm({ diff --git a/web/src/admin/providers/saml/SAMLProviderOptions.ts b/web/src/admin/providers/saml/SAMLProviderOptions.ts index d5f461469772..afc3766a57bd 100644 --- a/web/src/admin/providers/saml/SAMLProviderOptions.ts +++ b/web/src/admin/providers/saml/SAMLProviderOptions.ts @@ -43,6 +43,8 @@ export const signatureAlgorithmOptions = toOptions([ export type HashAlgorithm = "SHA1" | "SHA256" | "SHA384" | "SHA512"; +export const DEFAULT_HASH_ALGORITHM: HashAlgorithm = "SHA256"; + export const availableHashes: HashAlgorithm[] = ["SHA1", "SHA256", "SHA384", "SHA512"]; export const SignatureFamilyByHashAlgorithm: Partial< 
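Review bot: In `setHasSigningKp` (the `@@ -19,11 +19,15 @@` hunk of ak-application-wizard-provider-for-wsfed.ts) the line `this.signingKeyType = target.selectedKeypair?.keyType ?? KeyTypeEnum.Rsa;` stores RSA when the selection is cleared, although the field is declared `KeyTypeEnum | null` and starts as `null`. `renderForm` in WSFederationProviderFormForm.ts already applies `signingKeyType ?? KeyTypeEnum.Rsa`, so the default now lives in two places and "no keypair selected" has two representations. I would write `this.signingKeyType = target.selectedKeypair?.keyType ?? null;` here and leave the fallback to `renderForm`. The `??` also covers a selected keypair that carries no `keyType`; if the API schema allows that, the form would offer RSA signature algorithms for a key of unknown type, which is worth confirming.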
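Review bot: `DEFAULT_HASH_ALGORITHM` in the SAMLProviderOptions.ts hunk is exported without a comment, and the context line right below it still lists `"SHA1"` in `availableHashes`. A TSDoc line such as `/** Default hash for signature and digest selection; "SHA1" remains in availableHashes for compatibility and must not become the default. */` would record why the value is SHA-256, if that is the intent. The SAMLProviderFormForm.ts hunk that consumes the constant is not readable on this page, so the wording should be checked against that use.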
diff --git a/web/src/admin/providers/wsfed/WSFederationProviderForm.ts b/web/src/admin/providers/wsfed/WSFederationProviderForm.ts index 9029ccfcc96e..9f76cb30865c 100644 --- a/web/src/admin/providers/wsfed/WSFederationProviderForm.ts +++ b/web/src/admin/providers/wsfed/WSFederationProviderForm.ts @@ -7,7 +7,7 @@ import { DEFAULT_CONFIG } from "#common/api/config"; import AkCryptoCertificateSearch from "#admin/common/ak-crypto-certificate-search"; import { BaseProviderForm } from "#admin/providers/BaseProviderForm"; -import { ProvidersApi, WSFederationProvider } from "@goauthentik/api"; +import { KeyTypeEnum, ProvidersApi, WSFederationProvider } from "@goauthentik/api"; import { html, TemplateResult } from "lit"; import { customElement, state } from "lit/decorators.js"; @@ -17,6 +17,9 @@ export class WSFederationProviderForm extends BaseProviderForm { const provider = await new ProvidersApi(DEFAULT_CONFIG).providersWsfedRetrieve({ id: pk, @@ -42,12 +45,14 @@ export class WSFederationProviderForm extends BaseProviderForm>>>>>> db5a15423 (web/admin: Improve WS-Fed algo selection logic (#20881)) PropertymappingsApi, SAMLNameIDPolicyEnum, SAMLPropertyMapping, @@ -52,6 +60,7 @@ export interface WSFederationProviderFormProps { errors?: ValidationError; setHasSigningKp: (ev: InputEvent) => void; hasSigningKp: boolean; + signingKeyType: KeyTypeEnum | null; } export function renderForm({ @@ -59,7 +68,9 @@ export function renderForm({ errors = {}, setHasSigningKp, hasSigningKp, + signingKeyType, }: WSFederationProviderFormProps) { + const keyType = signingKeyType ?? KeyTypeEnum.Rsa; const samlPropertyMappingSearch = async (query?: string) => ( await new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlList( @@ -170,6 +181,7 @@ export function renderForm({ .certificate=${provider.signingKp} @input=${setHasSigningKp} singleton + .allowedKeyTypes=${SAMLSupportedKeyTypes} >

${msg( @@ -202,6 +214,8 @@ export function renderForm({ >
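Review bot: The `.allowedKeyTypes=${SAMLSupportedKeyTypes}` filter added to the signing-certificate search in the `@@ -170,6 +181,7 @@` hunk only narrows what the admin form lists. Nothing on this page shows the provider API rejecting a `signingKp` of another key type, so a direct API call or an already-saved provider could still reference one; if the serializer does not validate this, the check belongs there. In this file I would document the boundary on the new prop in `WSFederationProviderFormProps`: `/** Key type of the selected signing keypair, null until one is chosen; drives the offered algorithms in the UI only. */`. The `renderForm` template that contains this element starts and ends outside the hunk.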

${msg("When selected, assertions will be encrypted using this keypair.")} @@ -278,23 +292,55 @@ export function renderForm({

- - + + - - + + `; } From 1d18ee7999f839a5121e3c91f4b36095314b8bd1 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Tue, 7 Apr 2026 08:47:05 -0500 Subject: [PATCH 2/2] fix --- web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts | 4 ---- 1 file changed, 4 deletions(-) diff --git a/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts b/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts index bb7ac5ef65d9..4df78689779e 100644 --- a/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts +++ b/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts @@ -27,12 +27,8 @@ import { } from "#admin/providers/saml/SAMLProviderOptions"; import { -<<<<<<< HEAD FlowsInstancesListDesignationEnum, -======= - FlowDesignationEnum, KeyTypeEnum, ->>>>>>> db5a15423 (web/admin: Improve WS-Fed algo selection logic (#20881)) PropertymappingsApi, SAMLNameIDPolicyEnum, SAMLPropertyMapping,
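Review bot: The resolution in PATCH 2/2 keeps `FlowsInstancesListDesignationEnum` and drops the incoming `FlowDesignationEnum` import, so any line carried over by the cherry-pick that still names `FlowDesignationEnum` would no longer resolve. No such use is visible in these hunks, and a type-check of WSFederationProviderFormForm.ts on this branch would settle it. Separately, PATCH 1/2 on its own commits the conflict markers inside the import list, so that commit does not build for anyone bisecting; squashing the two patches, with a subject that names the resolution instead of `fix`, would leave a single buildable commit.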