Add configuration for denylisted algorithms.

config/authsources.php

@@ -96,6 +96,13 @@
     $config[$saml2auth->spname]['AuthnContextClassRef'] = $saml2auth->config->authncontext;
 }
 
+if (!empty($saml2auth->config->denylistedalgorithms)) {
+    $config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = explode(',', $saml2auth->config->denylistedalgorithms);
+} else {
+    // Support allowing all algorithms, if not set RSA 1.5 is denylisted by default
+    $config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = [];
+}
+
 /*
  * If we're configured to expose the nameid as an attribute, set this authproc filter up
  * the nameid value appears under the attribute "nameid"

lang/en/auth_saml2.php

@@ -42,6 +42,8 @@
 $string['availableidps'] = 'Select available IdPs';
 $string['availableidps_help'] = 'If an IdP metadata xml contains multiple IdP entities, you will need to select which entities are availiable
 for users to login with.';
+$string['denylistedalgorithms'] = 'Denylisted Encryption Algorithms';
+$string['denylistedalgorithms_help'] = 'Allows blocking use of specific encryption algorithms in the SAML communication or allowing RSA 1.5 which is blocked by default because it is insecure.';
 $string['blockredirectheading'] = 'Account blocking actions';
 $string['attrsimple'] = 'Simplify attributes';
 $string['attrsimple_help'] = 'Various IdP\'s such as ADFS use long attribute keys such as urns or namespaced xml schema names. If set to Yes this will simplify these, eg map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname to such \'givenname\'.';

settings.php

@@ -223,6 +223,27 @@
         ssl_algorithms::get_default_saml_signature_algorithm(),
         ssl_algorithms::get_valid_saml_signature_algorithms()));
 
+    $encryptionalgorithms = [
+        'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => '3DES CBC',
+        'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128 CBC',
+        'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192 CBC',
+        'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256 CBC',
+        'http://www.w3.org/2009/xmlenc11#aes128-gcm' => 'AES-128 GCM',
+        'http://www.w3.org/2009/xmlenc11#aes192-gcm' => 'AES-192 GCM',
+        'http://www.w3.org/2009/xmlenc11#aes256-gcm' => 'AES-256 GCM',
+        'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => 'RSA 1.5',
+        'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => 'RSA OAEP MGF1P',
+        'http://www.w3.org/2009/xmlenc11#rsa-oaep' => 'RSA OAEP',
+    ];
+    $denylistedalgorithmssetting = new admin_setting_configmultiselect(
+        'auth_saml2/denylistedalgorithms',
+        get_string('denylistedalgorithms', 'auth_saml2'),
+        get_string('denylistedalgorithms_help', 'auth_saml2'),
+        ['http://www.w3.org/2001/04/xmlenc#rsa-1_5'],
+        $encryptionalgorithms
+    );
+    $settings->add($denylistedalgorithmssetting);
+
     // Dual Login.
     $dualloginoptions = [
         saml2_settings::OPTION_DUAL_LOGIN_NO      => get_string('no'),