From 39e6223ff25048bbbb113b902050ef73b806236d Mon Sep 17 00:00:00 2001
From: snipe
Date: Thu, 21 Aug 2025 11:27:50 +0100
Subject: [PATCH] POssible alternative to #17386 - adding SAML key size to env
Signed-off-by: snipe
---
 .env.example | 8 +++++++-
 app/Http/Requests/SettingsSamlRequest.php | 2 +-
 config/app.php | 19 ++++++++++++++++++-
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/.env.example b/.env.example
index 61ec3295d1..6e423d4fe2 100644
--- a/.env.example
+++ b/.env.example
@@ -193,11 +193,17 @@ LDAP_TIME_LIM=600
 IMPORT_TIME_LIMIT=600
 IMPORT_MEMORY_LIMIT=500M
 REPORT_TIME_LIMIT=12000
-REQUIRE_SAML=false
 API_THROTTLE_PER_MINUTE=120
 CSV_ESCAPE_FORMULAS=true
 LIVEWIRE_URL_PREFIX=null
+
+# --------------------------------------------
+# OPTIONAL: SAML SETTINGS
+# --------------------------------------------
+REQUIRE_SAML=false
+SAML_KEY_SIZE=2048
+
 # --------------------------------------------
 # OPTIONAL: HASHING
 # --------------------------------------------
diff --git a/app/Http/Requests/SettingsSamlRequest.php b/app/Http/Requests/SettingsSamlRequest.php
index f5483df9d2..53a3521018 100644
--- a/app/Http/Requests/SettingsSamlRequest.php
+++ b/app/Http/Requests/SettingsSamlRequest.php
@@ -109,7 +109,7 @@ class SettingsSamlRequest extends FormRequest
 ];
 $pkey = openssl_pkey_new([
- 'private_key_bits' => 2048,
+ 'private_key_bits' => config('app.saml_key_size'),
 'private_key_type' => OPENSSL_KEYTYPE_RSA,
 ]);
diff --git a/config/app.php b/config/app.php
index 9de088089f..b494da5981 100755
--- a/config/app.php
+++ b/config/app.php
@@ -207,7 +207,7 @@ return [
 /*
 |--------------------------------------------------------------------------
- | Require SAML Login
+ | Require SAML Login
 |--------------------------------------------------------------------------
 |
 | Disable the ability to login via form login, and disables the 'nosaml'
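Review bot: In app/Http/Requests/SettingsSamlRequest.php the new `'private_key_bits' => config('app.saml_key_size')` hands the setting to openssl_pkey_new() untyped and unvalidated. The config entry is `env('SAML_KEY_SIZE', 2048)`, which yields a string whenever the variable is set in .env, and as far as I know openssl_pkey_new() only honours `private_key_bits` when it is an integer and otherwise falls back to the `default_bits` of the OpenSSL configuration, so a configured 3072 or 4096 may be silently ignored. Cast at the point of use, `'private_key_bits' => (int) config('app.saml_key_size'),`, and consider a floor such as `max(2048, (int) config('app.saml_key_size'))` so that a typo or an empty value cannot produce a weaker key than the previous hard-coded size. The enclosing method starts and ends outside the hunk, so how a failed key generation is handled is not visible here.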
@@ -220,6 +220,23 @@ return [
 'require_saml' => env('REQUIRE_SAML', false),
+ /*
+ |--------------------------------------------------------------------------
+ | SAML KEYS
+ |--------------------------------------------------------------------------
+ |
+ | This is the size of the keys used by openssl_pkey_new for SAML authentication.
+ | The default is 2048 bits, but this can be changed to 3072 or 4096 bits
+ | for higher security. Note that this will increase the time it takes to
+ | generate the keys, so it is not recommended to set this to a very high value
+ | unless you have a specific need for it.
+ |
+ | The European Commission now requires at least 3072-bit keys for new SAML certificates
+ | @link https://github.com/grokability/snipe-it/issues/17386
+ */
+
+ 'saml_key_size' => env('SAML_KEY_SIZE', 2048),
+
 /*
 |--------------------------------------------------------------------------