Migrating from SHA-1 to SHA-256 for Security Assertion Markup Language (SAML) Web Single Sign-On (SSO)
Beginning with version 11.1, the default digest algorithm for SAML is SHA-256. If you are upgrading from version 10.15 or 10.11, you must migrate to SHA-256: SHA-1 is no longer supported by default and is not secure, because practical collision attacks against it have been demonstrated.
Action Required: If you use SAML Web SSO with IBM webMethods products, you must update the digest algorithm to SHA-256 in the Identity Provider (IdP) server. The IdP is the party that signs the SAML responses and assertions, so the algorithm is decided by its configuration, not by the webMethods product that verifies them.
To update the digest algorithm, switch to SHA-256 in the Service Provider (SP) metadata on the IdP server for every application that uses SAML authentication. The Service Provider is the application or service that relies on SAML for authentication. The SP metadata is a configuration file or entry in your IdP that defines how the SAML authentication process interacts with your SP.
To update the SAML algorithm:
- Access the IdP Management Console.
- Navigate to the section with the configured SPs. The label of the section depends on your IdP (for example "Service Providers," "Relying Parties," or "SAML Applications").
- In the SP metadata settings, find the field or option that specifies the digest algorithm for SAML requests and responses. Many IdPs expose the signature algorithm and the digest algorithm as two separate settings; check both.
- Change the digest algorithm from SHA-1 to SHA-256 and, where it is a separate setting, the signature algorithm from RSA-SHA1 to RSA-SHA256. In XML Signature terms, ds:DigestMethod should become http://www.w3.org/2001/04/xmlenc#sha256 and ds:SignatureMethod http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. This update ensures that all SAML messages issued by the IdP are digested and signed with the more secure SHA-256 algorithm.
- Save and apply the changes to ensure that the new configuration takes effect.
- Perform a test authentication to verify that the SAML SSO process works correctly with the updated SHA-256 algorithm. Inspect the SAMLResponse that the IdP posts back to the SP, not only the login outcome: a successful login does not by itself prove that SHA-1 is gone, so confirm that the ds:DigestMethod and ds:SignatureMethod algorithm URIs in the response are the SHA-256 ones.
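The following script is an added check for the final step above; it is not part of the IBM webMethods product or its documentation. It takes the base64-encoded SAMLResponse form parameter as the SP receives it (captured, for example, from the browser's developer tools during the test login), and reports every ds:DigestMethod and ds:SignatureMethod algorithm URI found in the Response or its Assertions, flagging SHA-1 and anything unrecognised. It inspects the algorithm URIs only and does not verify the signature; that remains the SP's job. The three sample responses embedded in it are constructed for illustration, with placeholder digest and signature values, and the mixed one shows the case where only one of the two IdP settings was changed.

```python
"""Report the digest and signature algorithms used in a SAML Response.

Added example (not IBM webMethods code). Parses a base64 SAMLResponse and
lists the XML-Signature algorithm URIs so you can confirm the IdP now
signs with SHA-256. Signature values are NOT verified here.
"""
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs from XML-DSig / XML-Enc. The SHA-1 set is what must go.
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}
SHA256_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}


def saml_algorithms(saml_response_b64: str) -> dict:
    """Return {"digest": [...], "signature": [...]} algorithm URIs in the
    response. root.iter() walks Response- and Assertion-level signatures.
    An unsigned response yields two empty lists."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    digests = [e.get("Algorithm") for e in root.iter(f"{{{DS}}}DigestMethod")]
    sigs = [e.get("Algorithm") for e in root.iter(f"{{{DS}}}SignatureMethod")]
    return {"digest": digests, "signature": sigs}


def check_sha256(saml_response_b64: str) -> tuple[bool, list[str]]:
    """True when every digest and signature algorithm is a SHA-256 one.
    The list explains each failure (SHA-1 still in use, unknown URI, or
    no XML Signature at all)."""
    algs = saml_algorithms(saml_response_b64)
    problems = []
    if not algs["digest"] or not algs["signature"]:
        problems.append("response carries no XML Signature")
    for kind in ("digest", "signature"):
        for uri in algs[kind]:
            if uri in SHA1_ALGS:
                problems.append(f"{kind} uses SHA-1: {uri}")
            elif uri not in SHA256_ALGS:
                problems.append(f"{kind} uses unrecognised algorithm: {uri}")
    return (not problems, problems)


def _sample(digest_uri: str, sig_uri: str) -> str:
    """Constructed SAML Response with a signed Assertion; the DigestValue
    and SignatureValue are placeholders, which is fine since only the
    algorithm URIs are inspected."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{sig_uri}"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="{digest_uri}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


# Constructed samples: before migration, after migration, and half-done
# (digest switched to SHA-256 but the signature algorithm left on SHA-1).
SAMPLE_SHA1 = _sample("http://www.w3.org/2000/09/xmldsig#sha1",
                      "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
SAMPLE_SHA256 = _sample("http://www.w3.org/2001/04/xmlenc#sha256",
                        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
SAMPLE_MIXED = _sample("http://www.w3.org/2001/04/xmlenc#sha256",
                       "http://www.w3.org/2000/09/xmldsig#rsa-sha1")

if __name__ == "__main__":
    for name, sample in (("SHA-1", SAMPLE_SHA1), ("SHA-256", SAMPLE_SHA256),
                         ("mixed", SAMPLE_MIXED)):
        ok, problems = check_sha256(sample)
        print(f"{name}: {'OK, SHA-256 everywhere' if ok else '; '.join(problems)}")
```

To check a real login, paste the captured SAMLResponse value into `check_sha256` in place of the samples. If the IdP signs both the Response and the Assertion, every signature is reported, so a single leftover SHA-1 setting at either level shows up.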
Note that your IdP servers store and manage this metadata. IBM webMethods products cannot modify or affect the configuration of your IdP. You must ensure that your IdP server configuration uses SHA-256 for SAML authentication to avoid disruptions in service.
Backward Compatibility:
If you are unable to update the digest algorithm in your IdP server's SP metadata to SHA-256, you can configure your environment by setting a specific environment variable or system property to continue using SHA-1. Treat this as a temporary exception while the IdP is being updated: SHA-1 is no longer collision resistant, and re-enabling it weakens the signatures that the SSO flow depends on.