Unable to sign with SHA-256 #66
Comments
Having the same problem. What was the solution?
To be investigated.
Hi @tyleragnew. I will soon work to replicate it, but if you already have more info about it, could you please share the details with us?
Hi all - I ended up signing with SHA-1 on the IDP side - so this did fix the issue. Understood that this would not fix the issue if you don't control your IDP though...
Hi. Same problem on my side. Any news on this?
Hi, any updates on this issue? The IDP provider is reluctant to change to SHA-1.
SHA-256 should definitely be used. Security ;) I got it working.
@garrit-schroeder Can you help please?
Sure, I am preparing my conf. Hang on.
SAML Security Java file: `@Configuration
}`
SAML Detail Service: `@Service
}`
Create SAML keystore, under ./resources/saml/ for example: `KS_FILE=samlKeystore.jks rm $KS_FILE`
In a @ControllerAdvice class I provide the following:
@Controller
That's all. I am not setting up metadata or anything else.
Your host should now show your certs under http://example.com/saml/metadata
Important is that you specify the correct server name and port. These should appear in your /saml/metadata.
I hope that helps you. If you have further questions, don't hesitate to ask me.
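The post above shows the keystore and controller parts of the SP setup but not what actually selects the signing algorithm. As an added example (not garrit-schroeder's configuration and not this project's code), this is the usual way in spring-security-saml 1.0.x (OpenSAML 2) to make the SP sign with RSA-SHA256: subclass SAMLBootstrap and register the SHA-256 algorithm and digest in OpenSAML's global security configuration after the default bootstrap has run. The class and bean names are my own; the library types and methods are the real OpenSAML 2 / spring-security-saml APIs.

```java
// Added example: make spring-security-saml 1.0.x sign SP messages and metadata
// with RSA-SHA256 instead of the RSA-SHA1 default. Class and bean names are
// assumptions; the imported types are real OpenSAML 2 / spring-security-saml APIs.
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.context.annotation.Bean;

@org.springframework.context.annotation.Configuration
public class SamlSigningConfig {

    // Must be static: SAMLBootstrap is a BeanFactoryPostProcessor, so Spring has to
    // create it before the rest of the context, including this @Configuration bean.
    // If your security config already declares a SAMLBootstrap bean, replace that
    // one rather than adding a second.
    @Bean
    public static org.springframework.security.saml.SAMLBootstrap samlBootstrap() {
        return new Sha256SamlBootstrap();
    }

    static class Sha256SamlBootstrap extends org.springframework.security.saml.SAMLBootstrap {
        @Override
        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
                throws BeansException {
            // Let the library initialise OpenSAML first; that installs the default
            // security configuration (SHA-1) which is overridden below.
            super.postProcessBeanFactory(beanFactory);

            BasicSecurityConfiguration config =
                    (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();

            // Signature algorithm used for RSA keys: rsa-sha256 instead of rsa-sha1.
            config.registerSignatureAlgorithmURI("RSA",
                    SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
            // Digest used for the <ds:Reference> elements: sha256 instead of sha1.
            config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        }
    }
}
```

To check the change, fetch /saml/metadata (with metadata signing enabled) and confirm the ds:SignatureMethod Algorithm is xmldsig-more#rsa-sha256 and the ds:DigestMethod is xmlenc#sha256. As the maintainer notes below, the IdP must still accept RSA-SHA256 signatures for the exchange to succeed.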
Sorry folks, I very much appreciate your passion, but this is not the right way to manage an issue. As stated by @tyleragnew, the SHA mismatch depends on the IdP configuration. If you run this application against a SHA-256 enabled Identity Provider, everything works accordingly (see: https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/). Note: the issue is still open only because NO secure application should still rely on SHA-1, since it has been proven to be weak against collision attacks.
Describe the bug
Unable to sign with SHA-256; even after updating signingAlgorithm it keeps using SHA-1.
To Reproduce
Where I'm updating signingAlgorithm
Error Response