Configuring Shibboleth IDP to use SHA-256

From GFIPM Implementation Wiki

By default, the Shibboleth IDP signs all SAML Assertions/Responses with SHA-1. The Federal Government has been pushing a move to SHA-256 since 2010, and it is important for FICAM compliance that GFIPM implementations of the Shibboleth IDP use SHA-256.

This change cannot be accomplished by configuration changes alone; it requires the use of a Shibboleth extension. GTRI has made a library that changes the default from SHA-1 to SHA-256 available for download here:

To load this library and thus switch to SHA-256 signatures, the Shibboleth configuration must declare the extension bean in internal.xml:

 <bean id="shibboleth.idp.ext.OpensamlCustomCryptoConfig" class="edu.internet2.middleware.shibboleth.idp.ext.cryptoconfig.OpensamlCustomCryptoConfigBean" depends-on="shibboleth.OpensamlConfig" />

Additionally, the library JAR must be added both to the idp.war file and to the ${IDP_HOME}\lib directory.
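After redeploying, confirm the change took effect by inspecting the algorithm URIs in a signed Response. The following Python check is an added example, not part of this page or the GTRI extension; the sample messages it builds are constructed skeletons (placeholder digest and signature values), not real signed assertions.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URIs as they appear in ds:SignatureMethod / ds:DigestMethod
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}


def sample_response(sig_alg: str, digest_alg: str) -> str:
    """Constructed minimal SAML Response skeleton (not a real signed message)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


def audit_signature_algorithms(saml_xml: str) -> dict:
    """Classify every SignatureMethod/DigestMethod in the document
    (Response and any embedded Assertion signatures) as sha1/sha256/other."""
    root = ET.fromstring(saml_xml)
    findings = {"sha1": [], "sha256": [], "other": []}
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(f"{{{DS_NS}}}{tag}"):
            alg = el.get("Algorithm", "")
            bucket = "sha1" if alg in SHA1_ALGS else "sha256" if alg in SHA256_ALGS else "other"
            findings[bucket].append((tag, alg))
    return findings


def uses_only_sha256(saml_xml: str) -> bool:
    """True only if SHA-256 is used everywhere and no SHA-1 URI remains."""
    f = audit_signature_algorithms(saml_xml)
    return bool(f["sha256"]) and not f["sha1"] and not f["other"]
```

Feed it a Response captured from the IDP (e.g. from a SAML tracer) rather than the constructed sample to verify a live deployment.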


This capability is developed using the code at the GFIPM Data Connector.