Configuring Shibboleth IDP to use SHA-256

From GFIPM Implementation Wiki
Revision as of 20:09, 22 May 2013 by Jeff.Krug (Talk | contribs)


About

The Shibboleth IDP by default signs all SAML Assertions/Responses with SHA-1. The Federal Government has been pushing a move to the use of SHA-256 since 2010, and it's important for FICAM compliance that GFIPM implementations of the Shibboleth IDP use SHA-256.

This change can be accomplished with a library from GTRI, available for download here:

GFIPM Data Connector

Then, to enable the use of SHA-256, the Shibboleth configuration must be updated to use the code within this library by editing the internal.xml file and adding this line:

 <bean id="shibboleth.idp.ext.OpensamlCustomCryptoConfig" class="edu.internet2.middleware.shibboleth.idp.ext.cryptoconfig.OpensamlCustomCryptoConfigBean" depends-on="shibboleth.OpensamlConfig" />
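Once the bean is in place, the change should be verified on the wire rather than assumed: capture a SAML Response issued by the IDP and check which signature and digest algorithms it actually carries. The script below is an added example (not part of this wiki page or of the GTRI library) that inspects every ds:SignatureMethod and ds:DigestMethod in a Response and flags any that still use SHA-1; the sample Response embedded in it is constructed for illustration, with signature values omitted, and shows the mixed state where the assertion is already SHA-256 but the outer Response signature is not.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

def signature_algorithms(saml_xml):
    """(tag, algorithm URI, 'sha256'|'sha1'|'other') for every
    ds:SignatureMethod and ds:DigestMethod, in document order."""
    root = ET.fromstring(saml_xml)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            alg = el.get("Algorithm", "")
            status = ("sha256" if alg in SHA256_ALGS
                      else "sha1" if alg in SHA1_ALGS else "other")
            findings.append((tag, alg, status))
    return findings

def uses_only_sha256(saml_xml):
    """True only when every signature and digest in the document is SHA-256."""
    findings = signature_algorithms(saml_xml)
    return bool(findings) and all(s == "sha256" for _, _, s in findings)

# Constructed sample: outer Response signature still SHA-1, inner Assertion signature SHA-256.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_r1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for tag, alg, status in signature_algorithms(SAMPLE_RESPONSE):
        print(f"{tag:16}{status:8}{alg}")
    print("SHA-256 only:", uses_only_sha256(SAMPLE_RESPONSE))
```

Run it against a Response saved from a browser SAML trace after the bean is configured; a fully migrated IDP should report no `sha1` entries for either the Response or the Assertion.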