Forum Discussion
SSO signature algorithm
I am in the midst of configuring SSO on APM (11.6) with F5 as IdP. In my exported metadata I see http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> This caused some heartache for the SP. When exporting metadata, my choice is to sign or not. There is no choice of signing algorithm. Is this setting baked into the APM?
I've seen one other message here that mentions this issue (no answer to the question). Does anyone know if the signature algorithm is configurable at all?
- JB
4 Replies
- Sergei_Miadzvez
Altocumulus
Signing algorithm is not configurable for exported signed metadata. According to the metadata specification, rsa-sha1 should be supported by all implementations:
3.1.1 Signing Formats and Algorithms
SAML metadata MUST use enveloped signatures when signing the elements defined in this specification. SAML processors SHOULD support the use of RSA signing and verification for public key operations in accordance with the algorithm identified by http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- SalishSeaSecurity
Altostratus
Sergei,
Thank you for the info. Unfortunate though it is. I hope there is a hotfix in the future.
JB
- Sergei_Miadzvez
Altocumulus
IMHO, it is an issue with the Service Provider, since the RSA/SHA1 algorithms recommended by the specification are not implemented. Just curious, could you share which SP it is?
- Kevin_Stewart
Employee
This may help. From the 11.5.0 release notes:
ID 424572
APM SAML can now operate with other systems using either or both of these groups of algorithms:
- RSA-SHA256/RSA-SHA512 XML signature algorithms
- SHA256/SHA512 digest algorithms
It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.