Signing algorithm appears as SHA1 in the metadata export even though SHA256 is selected in the Entity/Partnership


Article ID: 4732


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

The signing algorithm appears as SHA1 in the exported metadata even though SHA256 is selected in the Entity/Partnership.

 

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SM278b11a41bf75c62634a3aa72fb940bc66a60c4186" entityID="sharuIDP" validUntil="2016-05-09T14:04:49.430+00:00">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#SM278b11a41bf75c62634a3aa72fb940bc66a60c4186">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>yKqfh81rers6dXKGekJ0JrYr8qc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>

Cause

The selected signing algorithm was not being passed when exporting metadata, so the export used the default signing algorithm, SHA1. This is a defect identified in R12.51 CR04.

Environment

R12.51 and R12.52 SP1

Resolution

This defect is fixed in r12.52 SP1 CR05 and r12.51 CR10.

Upgrade your Policy Server and Admin UI to the above-mentioned versions to get the fix.
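
To confirm the behaviour after upgrading, re-export the metadata and check which algorithms its ds:Signature declares. The Python check below is an added example, not CA code; the function names and the sample document are constructed for illustration, and it only reads the declared algorithm URIs (it does not validate the signature).

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample metadata (not a real export); IDs and values are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 ID="_constructed1" entityID="exampleIDP">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="{sig}"/>
<ds:Reference URI="#_constructed1"><ds:DigestMethod Algorithm="{dig}"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</EntityDescriptor>"""

def declared_algorithms(metadata_xml):
    """Return (SignatureMethod URI, [DigestMethod URIs]) for each ds:Signature."""
    if "<!DOCTYPE" in metadata_xml:
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    found = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        digests = [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        found.append((method.get("Algorithm") if method is not None else None, digests))
    return found

def sha1_findings(metadata_xml):
    """List problems: unsigned metadata, or SHA-1 based signature/digest algorithms."""
    sigs = declared_algorithms(metadata_xml)
    if not sigs:
        return ["metadata is not signed (no ds:Signature)"]
    problems = []
    for method, digests in sigs:
        if method is None or method.lower().endswith("sha1"):
            problems.append(f"SignatureMethod: {method}")
        problems += [f"DigestMethod: {d}" for d in digests
                     if d is None or d.lower().endswith("sha1")]
    return problems

if __name__ == "__main__":
    for label, sig, dig in (("SHA1 export", RSA_SHA1, SHA1), ("SHA256 export", RSA_SHA256, SHA256)):
        print(label, sha1_findings(SAMPLE.format(sig=sig, dig=dig)) or "OK")
```

An empty result from `sha1_findings` means every declared signature and digest algorithm is something other than SHA-1.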

Additional Information

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05