
With Shibboleth SP 2, I need to configure ADFS (as IdP), in the Advanced tab, with the SHA-1 algorithm for it to work fine.

If I configure the SHA-256 hash algorithm in ADFS, I get an error in the ADFS event log saying that the SP responds with the SHA-1 algorithm.

My stack (OpenSSH, Shibboleth, Debian Stretch) is very new, so it can use the SHA-256 algorithm. I installed everything from Debian's repositories with the out-of-the-box configuration.

I consulted this document and Microsoft's docs.

fuero
Mr_Thorynque
  • What is the question? Are you asking if ADFS can use SHA2? No, it's either SHA1 or SHA256. – rbrayb Jul 25 '18 at 19:04
  • @nzpcmad I want to use SHA-256 between ADFS and Shibboleth SP. It works only with SHA-1. I think the problem is in shibboleth side. – Mr_Thorynque Jul 26 '18 at 08:28
  • Most SAML integrations are SHA1. You'll have to look at the Shibboleth config. to see if you can change to SHA256. – rbrayb Jul 26 '18 at 20:00

1 Answer

I found these two attributes in the Shibboleth documentation:

  • signingAlg (URI) (defaults to the specifier for RSA-SHA1) An XML Signature signature algorithm specifier for signatures produced by the SP.
  • digestAlg (URI) (defaults to the specifier for SHA1)

So I added the following to the ApplicationDefaults node in my shibboleth2.xml configuration file:

digestAlg="http://www.w3.org/2001/04/xmlenc#sha256" 
signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

After that it works with both ADFS configurations: SHA1 and SHA256.

Mr_Thorynque
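As an added example (not from the question, the answer, or the Shibboleth project): a small Python check that reads the effective signingAlg/digestAlg from the ApplicationDefaults node of a shibboleth2.xml, falling back to the RSA-SHA1/SHA1 defaults the documentation quotes, and extracts the algorithm URIs actually carried by a signed SAML message, which is what ADFS inspects when it logs the SHA-1 error. The SP config namespace, the entityID and the message skeleton are assumed or constructed values.

```python
import xml.etree.ElementTree as ET

# XML Signature / XML Encryption algorithm URIs: the SHA-256 ones are the values
# from the answer, the SHA-1 ones are the Shibboleth SP 2 defaults it replaces.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"  # assumed SP 2 config namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def sp_config_algorithms(shibboleth2_xml):
    """Effective (signingAlg, digestAlg) of ApplicationDefaults; an absent
    attribute means the RSA-SHA1 / SHA1 default the documentation describes."""
    app = ET.fromstring(shibboleth2_xml).find(f"{{{SP_NS}}}ApplicationDefaults")
    if app is None:
        raise ValueError("no ApplicationDefaults element in shibboleth2.xml")
    return (app.get("signingAlg", RSA_SHA1), app.get("digestAlg", SHA1))

def message_algorithms(signed_saml_xml):
    """(SignatureMethod, DigestMethod) URIs carried by a signed SAML message,
    i.e. what the IdP actually sees and what ADFS logs an error about."""
    root = ET.fromstring(signed_saml_xml)
    sig = root.find(f".//{{{DS_NS}}}SignatureMethod")
    dig = root.find(f".//{{{DS_NS}}}DigestMethod")
    if sig is None or dig is None:
        raise ValueError("message carries no ds:Signature")
    return (sig.get("Algorithm"), dig.get("Algorithm"))

def uses_sha1(algorithms):
    """True when either URI is a SHA-1 variant, which ADFS set to SHA-256 rejects."""
    return any(uri.endswith("sha1") for uri in algorithms)

# Constructed minimal shibboleth2.xml, before and after adding the two attributes.
SP_CONFIG_DEFAULT = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
SP_CONFIG_FIXED = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
      digestAlg="{SHA256}" signingAlg="{RSA_SHA256}"/>
</SPConfig>"""
# Constructed skeleton of a signed AuthnRequest from an SP still on the defaults.
SIGNED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="{SHA1}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""
```

Run sp_config_algorithms on the real shibboleth2.xml and message_algorithms on a decoded AuthnRequest captured from the SP to confirm both sides have moved to SHA-256 before changing the ADFS setting.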