Feature Request FR-2550
Product Area Security
Status CLOSED

2 Voters

Support SHA-256 signature algo for SAML authentication scheme

ccelaicc Public
· Jun 2 2022

Idea Summary
Currently, for SAML authentication, the generated authn request message is signed using SHA-512 with no option to change it. It will help remove roadblocks in integrating with different SAML-based IDPs that may support different signature algorithms (e.g. SHA-256, SHA-1).

Use Case
What are the use cases in which this idea useful?

Support for integration with generic SAML IDPs that may support various types of algorithms.

Preferred Solution (Optional)
How would you implement this idea? If you are not sure, leave blank.

Allow the workspace administrator to indicate the preferred algorithm used for signing the SAML request payload in the authentication scheme configuration.

This idea has been closed due to the lack of community activity during the period since it was submitted.

Comments

  • christian.neumueller APEX Team OP 3.3 years ago

    Please provide a concrete example of an IDP where this is posing problems.

  • lightonb OP 2.5 years ago

    MS Azure

    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options

    Azure AD supports two signing algorithms, or secure hash algorithms (SHAs), to sign the SAML response:

    SHA-256. Azure AD uses this default algorithm to sign the SAML response. It's the newest algorithm and is more secure than SHA-1. Most of the applications support the SHA-256 algorithm. If an application supports only SHA-1 as the signing algorithm, you can change it. Otherwise, we recommend that you use the SHA-256 algorithm for signing the SAML response.

    SHA-1. This algorithm is older, and it's treated as less secure than SHA-256. If an application supports only this signing algorithm, you can select this option in the Signing Algorithm drop-down list. Azure AD then signs the SAML response with the SHA-1 algorithm.

  • pedro.mc.pereira OP 1.9 years ago

    Is this in any way related to the setup needed to activate SAML authentication on APEX? Would the IdP certificate be rejected if it uses SHA-1?

  • ccelaicc OP 1.9 years ago

    @pedro.mc.pereira Hi Pedro, no. This is about the algorithm used to sign the SAML request and response message body during authentication. 

    By the way, I managed to integrate with our internal ADFS. The problem was that APEX expects the SAML response to be signed for both the entire message and the assertion, but our IDP only signs the assertion.
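The following is an added example, not part of this thread and not APEX or ADFS code. It is a stdlib-only Python diagnostic for the situation in the last comment: it decodes a POST-binding SAMLResponse and reports whether the samlp:Response message and each saml:Assertion carry a ds:Signature, which SignatureMethod algorithm URI each one uses, and why an SP that requires both signatures would reject it. It does not verify any signature; it only shows what the IdP sent. The sample responses, issuer URLs, element IDs and placeholder digest/signature values are constructed for the example; which parts APEX and ADFS actually sign is taken from the comment above, not from this code.

```python
"""Report where the signatures sit in a SAML Response and which algorithm they use.
Diagnostic only: signatures are located and classified, never verified."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm URIs as they appear in ds:SignatureMethod/@Algorithm (XML-DSig, RFC 6931).
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
WEAK_ALGORITHMS = {RSA_SHA1}


def _signature_algorithm(signature):
    """SignatureMethod Algorithm URI of a ds:Signature element, or None if absent."""
    method = signature.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else None


def inspect_saml_response(saml_response_b64):
    """Decode a base64 SAMLResponse (POST binding) and map which parts are signed."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    # A message signature is a ds:Signature that is a direct child of samlp:Response;
    # an assertion signature is a direct child of saml:Assertion. Signatures nested
    # anywhere deeper are deliberately not counted as either.
    msg_sig = root.find("ds:Signature", NS)
    report = {
        "message_signed": msg_sig is not None,
        "message_algorithm": _signature_algorithm(msg_sig) if msg_sig is not None else None,
        "assertions": [],
    }
    for assertion in root.findall("saml:Assertion", NS):
        sig = assertion.find("ds:Signature", NS)
        report["assertions"].append({
            "id": assertion.get("ID"),
            "signed": sig is not None,
            "algorithm": _signature_algorithm(sig) if sig is not None else None,
        })
    return report


def signing_problems(report, require_message_signature=True, require_assertion_signature=True):
    """Reasons an SP with the given signing expectations would reject this response."""
    problems = []
    if require_message_signature and not report["message_signed"]:
        problems.append("samlp:Response message is not signed")
    for a in report["assertions"]:
        if require_assertion_signature and not a["signed"]:
            problems.append("assertion %s is not signed" % a["id"])
    for alg in [report["message_algorithm"]] + [a["algorithm"] for a in report["assertions"]]:
        if alg in WEAK_ALGORITHMS:
            problems.append("weak signature algorithm %s" % alg)
    return problems


# --- constructed sample responses (placeholder digest/signature values, not real signatures) ---
def _signature_xml(algorithm, ref_id):
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="#%s"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
        % (algorithm, ref_id)
    )


def sample_response(message_algorithm=None, assertion_algorithm=RSA_SHA256):
    """Base64 SAMLResponse with one assertion; None for an algorithm leaves that part unsigned."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2022-06-02T00:00:00Z" Destination="https://sp.example.test/acs">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (_signature_xml(message_algorithm, "_r1") if message_algorithm else "")
        + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-06-02T00:00:00Z">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (_signature_xml(assertion_algorithm, "_a1") if assertion_algorithm else "")
        + '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    samples = [
        ("assertion only (the ADFS layout from the thread)", sample_response(None, RSA_SHA256)),
        ("message SHA-1, assertion SHA-256", sample_response(RSA_SHA1, RSA_SHA256)),
        ("message and assertion SHA-256", sample_response(RSA_SHA256, RSA_SHA256)),
    ]
    for label, b64 in samples:
        rep = inspect_saml_response(b64)
        print(label, "->", signing_problems(rep) or "accepted", rep)
```

To inspect a real response, paste the SAMLResponse form parameter from the browser's network log into inspect_saml_response. The same algorithm URIs are what a "preferred algorithm" setting like the one requested in this idea would choose between on the SP side: in the POST binding they appear in ds:SignatureMethod as above, in the HTTP-Redirect binding as the SigAlg query parameter.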