Configuring Shibboleth IDP to use SHA-256
The Shibboleth IDP signs all SAML Assertions and Responses with SHA-1 by default. The Federal Government has been pushing a move to SHA-256 since 2010, and it is important for FICAM compliance that GFIPM implementations of the Shibboleth IDP use SHA-256.
This change cannot be accomplished by configuration changes alone; it requires a Shibboleth extension. GTRI has made a library that changes the default from SHA-1 to SHA-256 available for download here:
To load this library and thus switch to SHA-256 signatures, the Shibboleth configuration must declare its use in internal.xml. The depends-on attribute refers to the existing OpenSAML bootstrap bean in that file, so the extension is initialized only after OpenSAML's default configuration has been loaded:
<bean id="shibboleth.idp.ext.OpensamlCustomCryptoConfig" class="edu.internet2.middleware.shibboleth.idp.ext.cryptoconfig.OpensamlCustomCryptoConfigBean" depends-on="shibboleth.OpensamlConfig" />
Additionally, the library must be added both to the idp.war file and to the ${IDP_HOME}\lib directory.
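Once the extension is deployed, the change should be verified on the wire rather than assumed. The following is an added example, not part of the GTRI library or of Shibboleth: a small Python audit that parses a SAML Response and reports the SignatureMethod and DigestMethod algorithm URIs of every ds:Signature in it. Both have to be checked, because a message can be signed with RSA-SHA256 while its ds:Reference digests are still SHA-1. The sample Responses below are constructed for the example (the signature and digest values are placeholders, and the Issuer URL is hypothetical); in practice you would feed it a Response captured from the IdP and base64-decoded.

```python
"""Audit the signature and digest algorithms used in a SAML Response.

Added example; not code from the GTRI extension or from Shibboleth.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs defined by XML Signature, RFC 4051 and XML Encryption.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

SHA1_ALGORITHMS = {RSA_SHA1, DIGEST_SHA1}
SHA256_ALGORITHMS = {RSA_SHA256, DIGEST_SHA256}


def audit_signatures(xml_text):
    """Return [(signature_algorithm, [digest_algorithms]), ...], one entry per ds:Signature."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        method = sig.find("{%s}SignedInfo/{%s}SignatureMethod" % (DS, DS))
        sig_alg = method.get("Algorithm") if method is not None else None
        digest_algs = [d.get("Algorithm") for d in sig.iter("{%s}DigestMethod" % DS)]
        findings.append((sig_alg, digest_algs))
    return findings


def weak_algorithms(xml_text):
    """Set of SHA-1 based algorithm URIs still present anywhere in the message."""
    weak = set()
    for sig_alg, digest_algs in audit_signatures(xml_text):
        for alg in [sig_alg] + digest_algs:
            if alg in SHA1_ALGORITHMS:
                weak.add(alg)
    return weak


def uses_only_sha256(xml_text):
    """True only if every signature and every reference digest is SHA-256.

    An unsigned message returns False: there is nothing to attest.
    """
    findings = audit_signatures(xml_text)
    if not findings:
        return False
    for sig_alg, digest_algs in findings:
        if sig_alg not in SHA256_ALGORITHMS:
            return False
        if not digest_algs or any(a not in SHA256_ALGORITHMS for a in digest_algs):
            return False
    return True


# Constructed sample: a minimal signed SAML 2.0 Response. Issuer, ID and the
# Base64 values are placeholders, not output of a real IdP.
_RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""


def sample_response(sig_alg, digest_alg):
    """Build a constructed Response signed with the given algorithm URIs."""
    return _RESPONSE_TEMPLATE.format(sig_alg=sig_alg, digest_alg=digest_alg)


BEFORE = sample_response(RSA_SHA1, DIGEST_SHA1)        # stock IdP behaviour
AFTER = sample_response(RSA_SHA256, DIGEST_SHA256)     # after the extension
MIXED = sample_response(RSA_SHA256, DIGEST_SHA1)       # signature ok, digest not

if __name__ == "__main__":
    for label, msg in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, audit_signatures(msg), "SHA-256 only:", uses_only_sha256(msg))
```

The check deliberately fails closed: an unsigned Response, a missing SignatureMethod, or a single SHA-1 digest among otherwise SHA-256 references all report False, so a partially applied change is not mistaken for a compliant one.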
This capability was developed using the code at the GFIPM Data Connector