Changing SAML signing algorithm to SHA-1

KhouM 1 Reputation point
2021-09-23T12:03:33.577+00:00

I am configuring an application to support SAML SSO with Azure AD. The application supports SHA-1. I changed the SAML certificate signing algorithm from SHA-256, however the application federation metadata still shows SHA-256. Any idea?

Microsoft Entra ID

2 answers

  1. Siva-kumar-selvaraj 15,686 Reputation points
    2021-09-24T12:32:50.717+00:00

    Hello @KhouM,

    Thanks for reaching out.

    I believe this is an expected behavior, because this SHA-1 algorithm is older, and it's treated as less secure than SHA-256. If an application supports only this signing algorithm, you can select this option in the Signing Algorithm drop-down list. Azure AD then signs the SAML response with the SHA-1 algorithm.


    Certificate signing algorithms: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options#certificate-signing-algorithms .

    Hope this helps.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Babin Veaceslav 1 Reputation point
    2021-11-18T06:56:30.71+00:00

    I'm having the same issue. I've changed the Signing Algorithm to SHA-1, but in the SAML logout response the SigAlg parameter is still rsa-sha256:

    ...&RelayState=%2f&Signature=Xb77fNxT5wkJ2bpNqu40Yxfvp57fdNDpaSofukzvdnpE08Ckjk7BKJoUeT1PyrvJnj%2f%2fZj7eDEB6yPBoCwg0iErI4AWPCX2o%2boTbrO3spedWIqc9YizPsDVA63ekPpf7IeSkz9Lc6H8ghbaZmCJabP3uB%2fafbMNZfb59uKEoWAtCR%2fyGK8oQGKQTFJi6RJP04j%2b9kecW9l3A%2bVoPm4bxKEBwPI%2bTET%2bCqGv8QUzE95VOyZj4KsJ4mvJ37kXIRuDepOkY370Fek0xArjh1WZhn8ZPUpWYRBneTLI3V0Tch%2fHNi4G7ReQmT6b27KBy2l7n15uzaj209dNXBgM3LwaytQ%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256#

    I believe this is why I'm getting an Invalid Signature on Logout Response error when I log out from SP.

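An added check for the situation in this thread (example code, not Azure AD's or any SP's own): it reads the SigAlg of a SAML HTTP-Redirect binding message such as the logout response above, compares it with the hash the SP was configured for, and rebuilds the exact string the signature covers. The sample URL, its parameter values and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Hash implied by each SigAlg URI an SP may accept (constructed allow-list).
SIG_ALG_HASH = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}

def raw_query_params(url):
    """Split the query string but keep values URL-encoded: the redirect
    binding signs the encoded form, so decoding first changes the bytes."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params

def signed_input(params):
    """Rebuild the exact string the signature covers (SAML Bindings 2.0,
    section 3.4.4.1): message, then RelayState if present, then SigAlg,
    in that order, regardless of where they appear in the URL."""
    msg_key = "SAMLResponse" if "SAMLResponse" in params else "SAMLRequest"
    parts = [f"{msg_key}={params[msg_key]}"]
    if "RelayState" in params:
        parts.append(f"RelayState={params['RelayState']}")
    parts.append(f"SigAlg={params['SigAlg']}")
    return "&".join(parts)

def check_sig_alg(url, expected_hash):
    """Return (hash named by SigAlg, whether it matches the SP's expectation).
    A False result is the case described above: the SP expects SHA-1 while
    the IdP still signs with rsa-sha256, so verification fails."""
    params = raw_query_params(url)
    actual = SIG_ALG_HASH.get(unquote(params.get("SigAlg", "")))
    return actual, actual == expected_hash

# Constructed sample logout response URL; values are placeholders, not real data.
SAMPLE_URL = (
    "https://sp.example.test/slo?SAMLResponse=PHNhbWxwOkxvZ291dFJlc3BvbnNlLz4%3d"
    "&RelayState=%2f&Signature=QUJD"
    "&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
)

if __name__ == "__main__":
    print(check_sig_alg(SAMPLE_URL, "sha1"))    # ('sha256', False)
    print(signed_input(raw_query_params(SAMPLE_URL)))
```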
