SAMLP Connection is using a SHA-1 Certificate to Sign?

kevin1 · July 10, 2017, 10:42pm

I noticed the signing certificate that Auth0 issues for SAML assertion signing is SHA-1 (see attached image). Is there any way to make this SHA-256? I’m using the certificate at: https://DOMAIN.auth0.com/pem ![alt text][1]

To clarify, I’m trying to use my Auth0 client as an SP for an ADFS with SAML. I was under the impression that the best way to do this is to use a SAMLP Identity Provider (under Enterprise connections).

Regardless of whether this is configurable, I’m surprised Auth0 would default to SHA-1, when it’s no longer considered a secure, and major vendors are set to stop accepting SHA-1 certificates altogether by 2017.

Thanks!

prashantT · July 11, 2017, 6:35am

You can enforce SHA-256 from the SAML Addon settings:

Dashboard > Clients > Your Client > Addons > SAML2 WebAPP > Settings

You can use the following to set it to SHA-256:

...
 "signatureAlgorithm":   "rsa-sha256",
...

kevin1 · July 11, 2017, 7:26pm

Thanks for your response prashant. Isn’t the SAML2 WebApp section used to configure an Auth0 application as an identity provider? I’m trying to do single sign on using an external SAML identity provider, with my Auth0 app as the SP. I’ve been using the SAMLP Identity Provider (under Enterprise connections) to set this up. Or do I have these two switched?

Topic		Replies	Views
How to get sha256 certificate for SAML SSO addon Help	1	3207	February 17, 2021
Auth0 as SAML 2.0 IdP with signing asserts Help signin , saml2 , idp	2	5294	June 14, 2019
Change SAML Signature Algorithm from SHA1 to SHA2 Knowledge Articles sha1 , sha2 , saml2 , encrypt	1	1158	February 10, 2024
How to configure shibboleth with SAML enterprise Help saml , auth0 , enterprise , shibboleth	3	4857	February 13, 2024
Overview of Signing and Encryption Features for a SAML Service Provider Knowledge Articles	1	678	February 1, 2024

SAMLP Connection is using a SHA-1 Certificate to Sign?

Related topics