How do I change the algorithm used to sign SAML requests in the Fedlet in AM (All versions)?
The purpose of this article is to provide information on changing the signature algorithm used to sign SAML requests in the Java® Fedlet in AM.
1 reader recommends this article
Overview
SAML v2.0 Guide › Implementing SAML v2.0 Service Providers by Using Fedlets provides information on configuring signing in the Fedlet.
The list of supported signature algorithms is shown in the documentation: Reference › Algorithms. You must use the full URL value in the FederationConfig.properties file. For example, for rsa-sha512, you would specify the following value:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512Note
ForgeRock strongly recommends using *SHA-256 variants (rsa-sha256 or ecdsa-sha256).
Changing the signing algorithm
You can change the signing algorithm in the Fedlet as follows:
- Update the FederationConfig.properties file (located in the $HOME/fedlet directory) and set the following property to the required algorithm value (per the table in the Overview section): org.forgerock.openam.saml2.query.signature.alg.rsa=For example, to use the rsa-sha256 algorithm, you would set this property as follows: org.forgerock.openam.saml2.query.signature.alg.rsa=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- Restart the web application container in which the Fedlet runs to apply these changes.
See Also
How do I rotate AM (All versions) Fedlet debug logs?
Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x
SAML v2.0 Guide › Implementing SAML v2.0 Service Providers by Using Fedlets
Related Training
N/A
Related Issue Tracker IDs
N/A