SAMLP Connection is using a SHA-1 Certificate to Sign?

kevin1 · July 10, 2017, 10:42pm

I noticed the signing certificate that Auth0 issues for SAML assertion signing is SHA-1 (see attached image). Is there any way to make this SHA-256? I’m using the certificate at: https://DOMAIN.auth0.com/pem ![alt text][1]

To clarify, I’m trying to use my Auth0 client as an SP for an ADFS with SAML. I was under the impression that the best way to do this is to use a SAMLP Identity Provider (under Enterprise connections).

Regardless of whether this is configurable, I’m surprised Auth0 would default to SHA-1, when it’s no longer considered a secure, and major vendors are set to stop accepting SHA-1 certificates altogether by 2017.

Thanks!

prashantT · July 11, 2017, 6:35am

You can enforce SHA-256 from the SAML Addon settings:

Dashboard > Clients > Your Client > Addons > SAML2 WebAPP > Settings

You can use the following to set it to SHA-256:

...
 "signatureAlgorithm":   "rsa-sha256",
...

kevin1 · July 11, 2017, 7:26pm

Thanks for your response prashant. Isn’t the SAML2 WebApp section used to configure an Auth0 application as an identity provider? I’m trying to do single sign on using an external SAML identity provider, with my Auth0 app as the SP. I’ve been using the SAMLP Identity Provider (under Enterprise connections) to set this up. Or do I have these two switched?