4 Replies Latest reply on Feb 21, 2015 9:45 AM by pcraveiro

How to change signature method from rsa-sha1 to rsa-sha256 ?

wester Jun 16, 2014 2:46 AM

Hi all,

In our picketlink IDP instance , the SAML authentication request or response xml is configured to use sha1 algorithm for signature.

The signature info in SAML xml content looks like below :

<dsig:SignedInfo>

<dsig:Reference URI="#ID_dd83fe41-adb6-46c8-84b4-ddd1f6d41087">

<dsig:Transforms>

</dsig:Transforms>

<dsig:DigestValue>DSqFGv0LDt27bCrPiwEBICJkDK0=</dsig:DigestValue>

</dsig:Reference>

</dsig:SignedInfo>

For some security reason, I would like to change this algorithm to adopt sha256 or other more secured algorithms.

How can I change this signature method from rsa-sha1 to rsa-sha256 ??

1. Re: How to change signature method from rsa-sha1 to rsa-sha256 ?

pcraveiro Jun 18, 2014 10:59 AM (in response to wester)

Hi Wester,

Opened the following JIRA to track this.

https://issues.jboss.org/browse/PLINK-497

Thanks.
Actions
2. Re: How to change signature method from rsa-sha1 to rsa-sha256 ?

pcraveiro Jun 18, 2014 1:07 PM (in response to wester)

Hi,

Can you test using a SNAPSHOT ? JIRA updated.

Regards.
Actions
3. Re: How to change signature method from rsa-sha1 to rsa-sha256 ?

dagbai Jan 27, 2015 5:25 PM (in response to pcraveiro)

Hi all,
Is it possible to set the Signature to a hashed Algorithm to SHA-256 on an SP server when its binding type is REDIRECT. I noticed this does not work, for some reason algorithm is set to SHA-1.
I've searched online to see if there is documentation regarding this issue using redirect binding for SAML or picketlink and I cannot find anything. Is this a bug, or is it impossible to set signature algorithm for redirect binding to SHA-256?

I am using picketlink 2.7.0 CR3 with wildfly JBOSS server.
Actions
4. Re: How to change signature method from rsa-sha1 to rsa-sha256 ?

pcraveiro Feb 21, 2015 9:45 AM (in response to dagbai)

There is a RFE for that in JIRA.

https://issues.jboss.org/browse/PLINK-621
Actions