wish: warn on insecure algorithms #66

Closed
@markstos

Description

Hello,

I maintain the passport-saml library which has this library as a dependency.

We'd also like to move away from insecure algorithms. However, a SAML service provider may integrate with dozens of Identity providers. How can we know if insecure algorithms are in use? It seems simply disabling them may break some integrations.

It would be helpful if there was an option to allow insecure algorithms as before, but issue a warning if they are used. This change would be safe to deploy and would allow collecting log data to see if any integrations are using insecure algorithms. We could then notify our partners about the problem so that we could later disable the insecure algorithms without breaking anything.

Describe the ideal solution

One option is to always start issuing a warning if insecure algorithms are used.

Another option is to add a boolean flag to opt-in (or out) of having the warnings be issued.

Thanks!
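An added example (not code from the issue author or from the library the issue is about) of the warn-instead-of-reject policy proposed above: it pulls the SignatureMethod and DigestMethod algorithm URIs out of a SignedInfo element, flags the ones on an insecure list, and either logs a warning tagged with the IdP name (so the log data can show which integrations still need attention) or throws once strict mode is switched on. The sample SignedInfo, the IdP name and all function names are constructed assumptions.

```javascript
// Hypothetical "warn mode" for insecure XML-DSig algorithms (added example).
// Standard xmldsig algorithm URIs that a deployment would treat as insecure.
const INSECURE_ALGORITHMS = new Set([
  "http://www.w3.org/2000/09/xmldsig#sha1",
  "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
  "http://www.w3.org/2001/04/xmldsig-more#md5",
  "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
]);

// Extract every SignatureMethod / DigestMethod Algorithm attribute
// (namespace prefix optional); [^>]* keeps the match inside one element.
function extractAlgorithms(signedInfoXml) {
  const re = /<(?:\w+:)?(SignatureMethod|DigestMethod)\b[^>]*\bAlgorithm="([^"]+)"/g;
  const found = [];
  let m;
  while ((m = re.exec(signedInfoXml)) !== null) {
    found.push({ element: m[1], algorithm: m[2] });
  }
  return found;
}

// mode "warn": keep accepting, but log each insecure algorithm with the IdP
// it came from. mode "strict": reject. Returns the insecure hits either way.
function checkAlgorithms(signedInfoXml, { mode = "warn", idp = "unknown", log = console.warn } = {}) {
  const insecure = extractAlgorithms(signedInfoXml)
    .filter((a) => INSECURE_ALGORITHMS.has(a.algorithm));
  for (const a of insecure) {
    const msg = `insecure ${a.element} algorithm ${a.algorithm} used by IdP ${idp}`;
    if (mode === "strict") throw new Error(msg);
    log(`WARNING: ${msg}`);
  }
  return insecure;
}

// Constructed SignedInfo: RSA-SHA1 signature (insecure) over a SHA-256 digest.
const SAMPLE_SIGNED_INFO = `<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_constructed">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>constructed</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>`;

// Warn mode: logs one warning for the RSA-SHA1 SignatureMethod, keeps going.
checkAlgorithms(SAMPLE_SIGNED_INFO, { idp: "constructed-idp" });
```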
