Does not apply to Identity Cloud

How do I change the algorithm used to sign SAML requests in the Fedlet in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on changing the signature algorithm used to sign SAML requests in the Java® Fedlet in AM.


1 reader recommends this article

Overview

SAML v2.0 Guide › Implementing SAML v2.0 Service Providers by Using Fedlets provides information on configuring signing in the Fedlet.

The list of supported signature algorithms is shown in the documentation: Reference › Algorithms. You must use the full URL value in the FederationConfig.properties file. For example, for rsa-sha512, you would specify the following value:

http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Note

ForgeRock strongly recommends using the SHA-256 variants (rsa-sha256 or ecdsa-sha256).

Changing the signing algorithm

You can change the signing algorithm in the Fedlet as follows:

  1. Update the FederationConfig.properties file (located in the $HOME/fedlet directory) and set the following property to the required algorithm value (using the full URL, as described in the Overview section):

     org.forgerock.openam.saml2.query.signature.alg.rsa=

     For example, to use the rsa-sha256 algorithm, you would set this property as follows:

     org.forgerock.openam.saml2.query.signature.alg.rsa=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  2. Restart the web application container in which the Fedlet runs to apply these changes.
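The following script automates step 1 and catches the two mistakes the article warns about: entering a short algorithm name instead of the full URL, and selecting a SHA-1 variant. It is an added example, not ForgeRock's code. It assumes FederationConfig.properties is a plain Java properties file with one key=value per line, and that the property name is the one given above. The short-name-to-URL table is the standard XML Signature set (RFC 4051); which of those URLs a given AM version accepts is defined by the Reference › Algorithms documentation, not by this script.

```python
"""Set the Fedlet SAML signing algorithm in FederationConfig.properties.

Added example (not ForgeRock's code). Assumes a plain Java .properties
file with one key=value (or key:value) per line.
"""
import re
import sys
from pathlib import Path
from typing import Optional

# Property named in the ForgeRock article.
PROPERTY = "org.forgerock.openam.saml2.query.signature.alg.rsa"

# Short name -> full XML Signature URI (RFC 4051 identifiers). AM requires
# the full URI in the properties file, never the short name on its own.
ALGORITHM_URIS = {
    "rsa-sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "rsa-sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "rsa-sha384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "rsa-sha512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "ecdsa-sha256": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "ecdsa-sha384": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "ecdsa-sha512": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}

# Matches an active (uncommented) assignment of PROPERTY.
_ASSIGNMENT = re.compile(r"^\s*" + re.escape(PROPERTY) + r"\s*[=:](.*)$")


def resolve_algorithm(value: str) -> str:
    """Accept a short name or a full URI and return the full URI.

    Raises ValueError for anything that is not a known XML-DSig identifier,
    so a typo never ends up in the properties file.
    """
    if value in ALGORITHM_URIS:
        return ALGORITHM_URIS[value]
    if value in ALGORITHM_URIS.values():
        return value
    raise ValueError(f"unknown signature algorithm: {value!r}")


def is_recommended(uri: str) -> bool:
    """True unless the algorithm is a SHA-1 variant, which the article advises against."""
    return not uri.endswith("-sha1")


def current_algorithm(properties_text: str) -> Optional[str]:
    """Return the value currently assigned to PROPERTY, or None if unset."""
    for line in properties_text.splitlines():
        match = _ASSIGNMENT.match(line)
        if match:
            return match.group(1).strip()
    return None


def set_signing_algorithm(properties_text: str, uri: str) -> str:
    """Return the properties text with PROPERTY set to uri.

    The first active assignment is rewritten in place, any duplicate
    assignments are dropped, and all other lines (including comments and
    ordering) are preserved. If the key is absent it is appended.
    """
    new_line = f"{PROPERTY}={uri}"
    out = []
    replaced = False
    for line in properties_text.splitlines():
        if _ASSIGNMENT.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate assignments of the same key
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <path/to/FederationConfig.properties> <algorithm>")
    path = Path(sys.argv[1])
    uri = resolve_algorithm(sys.argv[2])
    if not is_recommended(uri):
        print(f"warning: {uri} is a SHA-1 variant; SHA-256 variants are recommended",
              file=sys.stderr)
    path.write_text(set_signing_algorithm(path.read_text(), uri))
    print(f"{PROPERTY} set to {uri}; restart the Fedlet's web container to apply")
```

Run it as `python set_fedlet_sigalg.py $HOME/fedlet/FederationConfig.properties rsa-sha256` and then restart the container as in step 2. Because `resolve_algorithm` only returns values from the fixed table, a short name such as `rsa-sha256` is always expanded to the full URL before it is written.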

See Also

How do I rotate AM (All versions) Fedlet debug logs?

Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x

FAQ: SAML federation in AM

SAML Federation in AM

SAML v2.0 Guide › Implementing SAML v2.0 Service Providers by Using Fedlets

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.