
How do I change the algorithm used to sign SAML2 requests in IG (All versions)?

Last updated Feb 23, 2023

The purpose of this article is to provide information on changing the signature algorithm used to sign SAML requests in IG.



Overview

IG signing and encryption with SAML works in the same way as the Fedlet, which is detailed in Enabling Signing and Encryption in a Fedlet.

If you have not already done so, you should configure signing and encryption in IG per How do I set up signing and encryption for IG 6.x and 7 when it is acting as the SAML 2.0 SP?

The list of supported signature algorithms is shown in the documentation: AM Algorithms. You must use the full URL value in the FederationConfig.properties file. For example, for rsa-sha512, you would specify the following value:

http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Note: ForgeRock strongly recommends using at least SHA-256 variants (rsa-sha256 or ecdsa-sha256).

Changing the signing algorithm

You can change the signing algorithm in IG as follows:

  1. Update the FederationConfig.properties file (located in the $HOME/.openig/SAML directory) and set the following property to the required algorithm value:

     org.forgerock.openam.saml2.query.signature.alg.rsa=

     For example, to use the rsa-sha256 algorithm, you would set this property as follows:

     org.forgerock.openam.saml2.query.signature.alg.rsa=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  2. Restart IG to apply these changes.
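The following is an added example, not ForgeRock's own code: it applies the step above to the contents of FederationConfig.properties (read into a string) and audits the result, flagging a bare short name instead of the full URL and the SHA-1 identifier the article recommends against. The algorithm URIs are the standard XML-DSig identifiers; the sample properties fragment is constructed.

```python
import re

# Property the article tells you to edit.
PROP = "org.forgerock.openam.saml2.query.signature.alg.rsa"

# Full XML-DSig algorithm URIs; the file must carry the full URL, not the short name.
STRONG = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}
# SHA-1 is listed only so an audit can flag it.
WEAK = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}


def set_signature_alg(text: str, alg_uri: str) -> str:
    """Return the properties text with PROP set to alg_uri (replace or append)."""
    if alg_uri not in STRONG:
        raise ValueError(f"refusing to configure {alg_uri!r}: not a SHA-256+ algorithm URI")
    pattern = re.compile(rf"^[ \t]*{re.escape(PROP)}[ \t]*=.*$", re.MULTILINE)
    new_line = f"{PROP}={alg_uri}"
    if pattern.search(text):
        return pattern.sub(new_line, text, count=1)
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{new_line}\n"


def check_signature_alg(text: str) -> str:
    """Audit the configured value: 'ok', 'weak', 'unrecognized' or 'missing'."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment or not a key=value line
        key, _, value = line.partition("=")
        if key.strip() != PROP:
            continue
        value = value.strip()
        if value in WEAK:
            return "weak"
        if value in STRONG:
            return "ok"
        return "unrecognized"  # e.g. a bare 'rsa-sha512' instead of the full URL
    return "missing"


# Constructed FederationConfig.properties fragment, still on SHA-1.
SAMPLE = "# SAML settings\n" + PROP + "=http://www.w3.org/2000/09/xmldsig#rsa-sha1\n"
```

Run check_signature_alg on the live file before and after the change, then restart IG as in step 2.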

See Also

How do I set up signing and encryption for IG 6.x and 7 when it is acting as the SAML 2.0 SP?

FAQ: SAML 2.0 federation in IG

How do I generate more detailed debug logs to diagnose an issue in IG (All versions)?

Acting As a SAML 2.0 Service Provider

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.