
Forum Discussion

THi_89722
Jun 13, 2016

SAML request signing and digests with SHA256?

In 11.5.0 (Jan 2014) APM started to support SHA256 for SAML assertions.

424572: APM SAML can now operate with other systems using either or both of these groups of algorithms: RSA-SHA256/RSA-SHA512 XML signature algorithms, SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.

Does APM still (in June 2016) use only SHA1 for SAML request signing and digests? In the F5 SAML AuthnRequests we have http://www.w3.org/2000/09/xmldsig#sha1.

We have a major IdP no longer supporting SHA1; they want SHA256 (http://www.w3.org/2001/04/xmlenc#sha256).

Are there plans for the SAML SHA256 signing and digests?


8 Replies

  • Hi,

    Looks like SAML AuthnRequest signed using SHA2 is now supported in 12.1.0.

    I'm currently testing in my lab.


    • THi
      Thanks Yann. If you can check the outgoing SAML request with SAML Tracer for example. If signing and digests are using SHA256, the AuthnRequest xml should have elements something similar to: ) instead of the old SHA1: This will tell the IdP the used signature / digest methods
  • Just an extract of my testing on 12.1.0:

        https://sptest.e-xpertsolutions.com
        arAENl5+aZIMW6tf8BSxGwhWP0u0rzsXYwdiQUKMvlU=

    For me, it's now supported.

    • THi
      Thanks Yann, obviously it is not supported in 11.5.3 branch, which my customer is using.
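
Added example (not part of the thread and not F5 code): the check discussed in the replies above, done with a script instead of SAML Tracer. It decodes a captured SAMLRequest value from either the HTTP-POST or HTTP-Redirect binding and reports the signature and digest algorithm URIs; the sample requests, issuer, ID and helper names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def decode_saml_request(value):
    """base64 XML (HTTP-POST) or base64 raw DEFLATE (HTTP-Redirect, wbits=-15)."""
    raw = base64.b64decode(value)
    return raw if raw.startswith(b"<") else zlib.decompress(raw, -15)

def signing_algorithms(saml_request, sig_alg=None):
    """Algorithm URIs in a SAMLRequest; sig_alg is the Redirect binding's SigAlg
    parameter. Own-SP traffic only: ElementTree is not hardened for hostile XML."""
    root = ET.fromstring(decode_saml_request(saml_request))
    sig = [e.get("Algorithm") for e in root.iter(DS + "SignatureMethod")]
    dig = [e.get("Algorithm") for e in root.iter(DS + "DigestMethod")]
    sig += [sig_alg] if sig_alg else []
    return {"signed": bool(sig), "signature": sig, "digest": dig,
            "uses_sha1": any(a in (RSA_SHA1, SHA1) for a in sig + dig)}

# Constructed sample: issuer, ID and digest are placeholders; no signature value.
REQUEST = """<samlp:AuthnRequest ID="_example" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://sp.example.test</saml:Issuer>{signature}
</samlp:AuthnRequest>"""
SIGNATURE = """<ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig}"/>
    <ds:Reference URI="#_example"><ds:DigestMethod Algorithm="{dig}"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo></ds:Signature>"""

def sample_post(sig, dig):
    xml = REQUEST.format(signature=SIGNATURE.format(sig=sig, dig=dig))
    return base64.b64encode(xml.encode()).decode()

def sample_redirect():
    raw_deflate = zlib.compress(REQUEST.format(signature="").encode())[2:-4]
    return base64.b64encode(raw_deflate).decode()

if __name__ == "__main__":
    print(signing_algorithms(sample_post(RSA_SHA1, SHA1)))
    print(signing_algorithms(sample_redirect(), sig_alg=RSA_SHA256))
```

With the Redirect binding the XML carries no ds:Signature element, so pass the SigAlg query parameter from the captured URL; no digest method is reported in that case.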