Forum Discussion

SalishSeaSecurity
Oct 13, 2015

SSO signature algorithm

I am in the midst of configuring SSO on APM (11.6) with F5 as IdP. In my exported metadata I see the signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. This caused some heartache for the SP. When exporting metadata, my choice is to sign or not. There is no choice of signing algorithm. Is this setting baked into the APM?

I've seen one other message here that mentions this issue (no answer to the question). Does anyone know if the signature algorithm is configurable at all?

 

  • JB

4 Replies

  • This may help. From the 11.5.0 release notes:

    ID 424572

    APM SAML can now operate with other systems using either or both of these groups of algorithms: RSA-SHA256/RSA-SHA512 XML signature algorithms, and SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.

     

  • The signing algorithm is not configurable for exported signed metadata. According to the metadata specification, RSA-SHA1 should be supported by all implementations:

    3.1.1 Signing Formats and Algorithms

    SAML metadata MUST use enveloped signatures when signing the elements defined in this specification. SAML processors SHOULD support the use of RSA signing and verification for public key operations in accordance with the algorithm identified by http://www.w3.org/2000/09/xmldsig#rsa-sha1.
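The disagreement in this thread comes down to which XML-DSig algorithm URIs appear in the exported metadata and which ones the SP is willing to accept. The script below is an added example (not F5's code, not anything the posters shared): it parses a constructed SAML metadata sample that mirrors what the question describes (an enveloped signature on EntityDescriptor with SignatureMethod rsa-sha1 and DigestMethod sha1; the SignatureValue and DigestValue are placeholders, not real BIG-IP output), reports the algorithm identifiers, and then runs the document through two hypothetical SP policies: one that still accepts RSA-SHA1 as the metadata spec says processors SHOULD, and a SHA-2-only one that rejects it. It inspects only the algorithm identifiers; it does not cryptographically verify the signature.

```python
"""Inspect the XML-DSig algorithm identifiers in a SAML metadata document
and check them against a Service Provider's accepted-algorithm policy.

Added example; not F5 APM code and not code from the forum posters. The
metadata below is a constructed, truncated sample (SignatureValue and
DigestValue are placeholders); it is not real BIG-IP output. Only the
algorithm URIs are inspected; the signature is NOT verified.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm identifiers from XML-DSig / RFC 6931 / XML Encryption.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample mirroring the poster's description: enveloped signature
# directly under EntityDescriptor, SignatureMethod rsa-sha1, DigestMethod sha1.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/idp">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signature_algorithms(metadata_xml):
    """Return (signature_method_uri, [digest_method_uris]) for the enveloped
    signature directly under the root element, or (None, []) if unsigned."""
    root = ET.fromstring(metadata_xml)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return None, []
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    digests = sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return (sig_method.get("Algorithm") if sig_method is not None else None,
            [d.get("Algorithm") for d in digests])


def check_against_policy(metadata_xml, allowed_signature, allowed_digest):
    """Emulate an SP that only accepts certain algorithms. Returns a list of
    problems; an empty list means the SP would accept the metadata."""
    sig_alg, digest_algs = signature_algorithms(metadata_xml)
    if sig_alg is None:
        return ["metadata is not signed"]
    problems = []
    if sig_alg not in allowed_signature:
        problems.append(f"SignatureMethod {sig_alg} not in allowed set")
    for d in digest_algs:
        if d not in allowed_digest:
            problems.append(f"DigestMethod {d} not in allowed set")
    return problems


# Two hypothetical SP policies. The permissive one follows the metadata spec
# (RSA-SHA1 SHOULD be supported); the strict one is SHA-2 only and is the
# kind of SP that rejects APM's RSA-SHA1-signed metadata.
PERMISSIVE_SP = ({RSA_SHA1, RSA_SHA256}, {SHA1, SHA256})
STRICT_SP = ({RSA_SHA256}, {SHA256})

if __name__ == "__main__":
    print("algorithms:", signature_algorithms(SAMPLE_METADATA))
    for name, (sigs, digs) in (("permissive", PERMISSIVE_SP), ("strict", STRICT_SP)):
        print(name, check_against_policy(SAMPLE_METADATA, sigs, digs) or "accepted")
```

To run it against real exported metadata, read the file into a string and pass it to the two functions in place of SAMPLE_METADATA; the same root-level lookup works for an EntitiesDescriptor as long as the signature is enveloped directly under the root, as the metadata spec requires.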

     

  • Sergei,

    Thank you for the info. Unfortunate though it is. I hope there is a hotfix in the future.

    JB

  • IMHO, it is an issue with the Service Provider, since the RSA-SHA1 algorithm recommended by the specification is not implemented. Just curious: could you share which SP it is?