How do I change the algorithm used to sign SAML2 requests in IG (All versions)?
The purpose of this article is to provide information on changing the signature algorithm used to sign SAML requests in IG.
1 reader recommends this article
Overview
IG signing and encryption with SAML works in the same way as the Fedlet, which is detailed in Enabling Signing and Encryption in a Fedlet.
If you have not already done so, you should configure signing and encryption in IG per How do I set up signing and encryption for IG 6.x and 7 when it is acting as the SAML 2.0 SP?
The list of supported signature algorithms is shown in the documentation: AM Algorithms. You must use the full URL value in the FederationConfig.properties file. For example, for rsa-sha512, you would specify the following value:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512Note
ForgeRock strongly recommends using at least *SHA-256 variants (rsa-sha256 or ecdsa-sha256).
Changing the signing algorithm
You can change the signing algorithm in IG as follows:
- Update the FederationConfig.properties file (located in the $HOME/.openig/SAML directory) and set the following property to the required algorithm value: org.forgerock.openam.saml2.query.signature.alg.rsa=For example, to use the rsa-sha256 algorithm, you would set this property as follows: org.forgerock.openam.saml2.query.signature.alg.rsa=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- Restart IG to apply these changes.
See Also
How do I set up signing and encryption for IG 6.x and 7 when it is acting as the SAML 2.0 SP?
FAQ: SAML 2.0 federation in IG
How do I generate more detailed debug logs to diagnose an issue in IG (All versions)?
Acting As a SAML 2.0 Service Provider
Related Training
N/A
Related Issue Tracker IDs
N/A