SAML authentication requests not accepted by Keycloak as signed with SHA1 instead of SHA256

Article ID: 427096

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

We are trying to integrate Automic 24.4.3 with SAML to use with an internal tool called GWard that is based on Keycloak (IdP).
The issue is that the integration does not work, as the request to Keycloak "POST AuthnRequest" returns 400.
After further troubleshooting by the SAML team, it was found that Automic's signature algorithm is RSA-SHA1, which is not accepted by the SAML provider:

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

This value should be RSA-SHA256 for the integration to work.

Environment

Automic Automation 24.x

Context: SAML integration with Keycloak (IdP) that requires RSA-SHA256 for the SignatureMethod algorithm.

Cause

DE179379: The SAML integration now supports the SHA256 signing algorithm.

Resolution

Update to a fix version listed below or a newer version if available.

Fix version:
Component(s): Automation Engine

Automation.Engine 24.4.4 - Planned release March 2026

Additional Information

After upgrading to a fix version or later, edit the *CONFIG key in UC_SAML_CONFIG and add the following line if you want to use RSA-SHA256 for the SignatureMethod algorithm:

<useSha256ForSignature>true</useSha256ForSignature>
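
To confirm which algorithm a captured AuthnRequest actually carries, before and after the setting is applied, the following added example (not Broadcom or Keycloak code) decodes the SAMLRequest form value of an HTTP-POST binding request and reports its SignatureMethod and DigestMethod. It assumes the value is already URL-decoded; the function names and the trimmed sample request are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"


def inspect_authn_request(saml_request_b64):
    """Report the XML-DSig algorithms in a POST-binding SAMLRequest value."""
    raw = "".join(saml_request_b64.split())  # captured values are often line-wrapped
    xml_bytes = base64.b64decode(raw, validate=True)
    # A SAML message never needs a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml_bytes)
    sig_method = root.find(f".//{DS}SignatureMethod")
    if sig_method is None:
        return {"signed": False, "signature": None, "digests": [], "uses_sha1": False}
    signature = sig_method.get("Algorithm")
    digests = [d.get("Algorithm") for d in root.iter(f"{DS}DigestMethod")]
    return {
        "signed": True,
        "signature": signature,
        "digests": digests,
        # SHA-1 in either the signature or a reference digest is flagged.
        "uses_sha1": signature == RSA_SHA1 or SHA1_DIGEST in digests,
    }


def build_sample(sig_alg, digest_alg):
    """Constructed, trimmed AuthnRequest (no SignatureValue); for the demo only."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">'
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{digest_alg}"/>'
        "</ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for sig, dig in ((RSA_SHA1, SHA1_DIGEST), (RSA_SHA256, SHA256_DIGEST)):
        print(inspect_authn_request(build_sample(sig, dig)))
```
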