Change Digest Algo and Signing Algo in Shib SP from default rsa-sha1 to rsa-sha256


shahmehul82
Hello folks,
We have SSO integration between ADFS IDP and Shibboleth SP. The SSO is working perfectly fine as of today with SHA-1 as the signing algo and digest algo.

Customer (IDP) is asking to upgrade everything to SHA-256, including SP certs. We have managed to replace the self-signed certs generated by Shib v2.6.0 with our SHA-256 certs authorized by Verisign.

What I still can't do is change the Digest Algo and Signing Algo within Shib to SHA-256. No matter what we do, the SAML token is being sent in SHA-1. This is what the IDP team is telling us.
-----------------------------------------------------------------------------
This is the problem
Relying Party:
https://xxxxxxxx.com/shibboleth 
 
Exception details:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
 
SP has to set their side to “secure hash algorithm SHA-256” and it should work at that point

Any help or pointer on how or where to change those would be greatly appreciated.

Thanks,
Mehul
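As an added example for this thread (not code from the poster, Shibboleth or ADFS), a Python check of which algorithms an SP message actually carries before blaming the configuration: in the HTTP-POST binding the signing and digest algorithm URIs sit in ds:SignatureMethod and ds:DigestMethod inside the XML, while in the HTTP-Redirect binding the signing algorithm travels as the SigAlg query parameter. The sample request XML and URL below are constructed, not captured traffic.

```python
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URIs as defined by XML-DSig / XML-Enc; the first pair is what ADFS
# quoted in MSIS7093, the second pair is what it expects instead.
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

def classify(alg_uri):
    """Map an algorithm URI to its hash family ('sha1', 'sha256' or 'unknown')."""
    if alg_uri in SHA1_ALGS:
        return "sha1"
    if alg_uri in SHA256_ALGS:
        return "sha256"
    return "unknown"

def algorithms_in_post_message(xml_text):
    """HTTP-POST binding: algorithms live in ds:SignatureMethod / ds:DigestMethod."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DS_NS}}}SignatureMethod")
    dig = root.find(f".//{{{DS_NS}}}DigestMethod")
    return {"signing": sig.get("Algorithm") if sig is not None else None,
            "digest": dig.get("Algorithm") if dig is not None else None}

def algorithm_in_redirect_url(url):
    """HTTP-Redirect binding: the algorithm is the SigAlg query parameter."""
    return parse_qs(urlparse(url).query).get("SigAlg", [None])[0]

def check_sp_message(xml_text=None, redirect_url=None):
    """Report the hash family the SP actually used for the message it sent."""
    if redirect_url is not None:
        return {"signing": classify(algorithm_in_redirect_url(redirect_url))}
    return {k: classify(v) for k, v in algorithms_in_post_message(xml_text).items()}

# Constructed samples (not captured traffic): a POST-bound request still signed
# with SHA-1, and a Redirect-bound request that already uses rsa-sha256.
SAMPLE_POST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_c1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</ds:Reference></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""
SAMPLE_REDIRECT_URL = ("https://idp.example.com/adfs/ls/?SAMLRequest=ZZZZ"
                       "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=AAAA")

if __name__ == "__main__":
    print(check_sp_message(xml_text=SAMPLE_POST_XML), check_sp_message(redirect_url=SAMPLE_REDIRECT_URL))
```

Run it against a message captured from the browser (the decoded SAMLRequest for POST, or the full redirect URL) to see whether the SP is still emitting SHA-1 after a config change.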