aerialship / SamlSPBundle

SAML 2.0 Symfony SP Bundle - new version available at
http://www.lightsaml.com/SP-Bundle/
MIT License

SHA-256 signing algorithm #100

Open veewee opened 8 years ago

veewee commented 8 years ago

Hello,

I am really enjoying this bundle! There is just one thing that doesn't seem to work. When the ADFS is configured to use SHA-256 as signing algorithm and the SP SSL certificate is signed as SHA-256, there is still an error:

Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder

SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

This seems to be hardcoded to SHA-1 at most locations in the code. Can't find a way around this one. Can you give me some more information about this issue?

Thanks!
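The ADFS error quoted above is the IdP comparing the `SignatureMethod` URI inside the XML Signature of the incoming request against the algorithm it has been configured to expect. The following is an added example, not code from this bundle or from the original issue, showing that check on the verifying side in Python with the standard library: it reads the `Algorithm` attribute from `ds:SignedInfo/ds:SignatureMethod` and reports the same kind of mismatch. The `SAMPLE_REQUEST` skeleton and its ID are constructed for the example; real messages carry a full `SignedInfo`, `SignatureValue` and `KeyInfo`, and this check is only the algorithm-policy step that precedes actual signature verification.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# The two algorithm URIs named in the ADFS error message.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: a minimal AuthnRequest skeleton carrying only the parts of the
# XML Signature that matter for the algorithm check. {alg} is filled in by the caller.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example-id" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{alg}"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed sample without any ds:Signature element at all.
UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-unsigned-id" Version="2.0"/>"""


def signature_algorithm(xml_text):
    """Return the SignatureMethod Algorithm URI of the first XML Signature, or None if unsigned."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}SignatureMethod")
    if node is None:
        return None
    return node.get("Algorithm")


def check_signature_algorithm(xml_text, expected):
    """Mirror the IdP-side policy check: (ok, message) for a message that must be signed with `expected`."""
    actual = signature_algorithm(xml_text)
    if actual is None:
        return False, "SAML request is not signed"
    if actual != expected:
        return False, (
            f"SAML request is not signed with expected signature algorithm. "
            f"SAML request is signed with signature algorithm {actual}. "
            f"Expected signature algorithm is {expected}"
        )
    return True, "ok"


if __name__ == "__main__":
    # A SHA-256 signed request checked against a SHA-1 policy reproduces the mismatch from the issue.
    print(check_signature_algorithm(SAMPLE_REQUEST.format(alg=RSA_SHA256), RSA_SHA1)[1])
    # The same request passes once both sides agree on SHA-256.
    print(check_signature_algorithm(SAMPLE_REQUEST.format(alg=RSA_SHA256), RSA_SHA256)[1])
```

The useful takeaway for a deployment is that the algorithm is a property of the signed message, not of the certificate: a SHA-256 certificate does not make the SP sign its requests with SHA-256, so the URI the SP writes into `SignatureMethod` and the URI the federation server expects have to be set to the same value on both sides.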

tmilos commented 8 years ago

@veewee Thanks, glad to hear.

The error message you provided says the request was signed with SHA-256 while SHA-128 is expected. So it seems you did make a signature with SHA-256. Did you provide a wrong message?

BTW have you checked out the new lightsaml version from http://www.lightsaml.com/?

veewee commented 8 years ago

Hi @tmilos,

We fixed the bug by explicitly setting the expected encoding to SHA-1 on the federation server. The SHA-2 never worked for us. At the moment I can't reproduce the issue due to a lack of a testing environment. It was, however, an issue during assertion consuming on the SP side. There is no configurable option that determines which encoding should be used. Maybe I've overlooked something?

I did check out the new lightsaml project, but that project has a completely changed structure, and I haven't found the time to upgrade. What are the plans for supporting this package in the future? Is it recommended to upgrade to the new lightsaml as fast as possible, or can we still use this one for some time?