The default value of the signature algorithm for SAML responses should be changed to SHA-256.
Description
The default signature algorithm for SAML responses should be changed to SHA-256. In the current implementation the default is SHA-1, which has known weaknesses (practical collision attacks) that make spoofing of a signed response feasible.
Trouble spots (console path):
CONFIGURE
- GLOBAL SERVICE
- Common Federation Configuration
Solution
Correct as follows in openam-server-only\src\main\resources\services\famFederationCommon.xml:
- DefaultValues in SignatureAlgorithm: change to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- DefaultValues in DigestAlgorithm: change to http://www.w3.org/2001/04/xmlenc#sha256
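A verification check for this change, added here as an example (not OpenAM's own code): it parses a SAML response and flags any ds:SignatureMethod or ds:DigestMethod whose Algorithm is not one of the SHA-256 URIs named in the fix, so an operator can confirm issued responses no longer carry the SHA-1 defaults. The sample response is constructed for the example and its signature and digest values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Expected values after the fix (the URIs from the ticket).
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
# The SHA-1 URIs the old defaults produce, with a human-readable finding.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SignatureMethod uses RSA-SHA1",
    "http://www.w3.org/2000/09/xmldsig#sha1": "DigestMethod uses SHA-1",
}


def check_saml_signature(xml_text):
    """Return a list of findings; an empty list means every signature uses SHA-256."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = 0
    for sig in root.iter(f"{{{DS}}}Signature"):
        seen += 1
        sm = sig.find(f".//{{{DS}}}SignatureMethod")
        algo = sm.get("Algorithm") if sm is not None else None
        if algo != RSA_SHA256:
            findings.append(WEAK.get(algo, f"unexpected SignatureMethod {algo!r}"))
        # One DigestMethod per ds:Reference; all of them must be SHA-256.
        for dm in sig.iter(f"{{{DS}}}DigestMethod"):
            algo = dm.get("Algorithm")
            if algo != SHA256_DIGEST:
                findings.append(WEAK.get(algo, f"unexpected DigestMethod {algo!r}"))
    if seen == 0:
        findings.append("no ds:Signature element found")
    return findings


def sample_response(sig_alg, digest_alg):
    """Constructed minimal SAML response skeleton; values are placeholders, not a real signature."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    old = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                          "http://www.w3.org/2000/09/xmldsig#sha1")
    print(check_saml_signature(old))  # findings for the old SHA-1 defaults
    print(check_saml_signature(sample_response(RSA_SHA256, SHA256_DIGEST)))  # []
```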