Summary
How to configure your Identity Provider to use SHA-256 instead of the default SHA-1 algorithm
Release
All releases
Instructions
- Enable the SAML 2.0 Keystore_Key2048_SHA256 SHA-256 keystore under x509 Certificate within the Multi-Provider SSO menu.
https://<instance-name>.service-now.com/nav_to.do?uri=sys_certificate.do?sys_id=3685fc22930212003c5537ae867ffb9
- Set the system property glide.authenticate.sso.saml2.keystore to the sys_id of that SHA-256 keystore, to set it as the default keystore for signing identity provider SAML requests.
https://<instance-name>.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=b4c45688db8bff4044a6413b3a9619e2
- On the Identity Provider record:
  - Set the Identity Provider's SingleLogoutRequest field. For example, if you are using ADFS: https://<adfs.url.com>/adfs/ls where <adfs.url.com>
  - Set the credentials for the Signing/Encryption Key Alias and Signing/Encryption Key Password on the identity provider record in ServiceNow. The default value for each is: saml2sp
  - Set the Signing Signature Algorithm to the SHA-256 specification, which is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Double-check that SHA-256 is also set on the Relying Party Trust on the IdP side.
  - Tick the Sign AuthnRequest checkbox.
- Once all this is set, use the Generate Metadata button in ServiceNow for the identity provider to generate the XML for importing into the IdP.
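A check to run after completing these steps, added here as an example (it is not ServiceNow code): it reads the signature algorithm from a captured AuthnRequest, either the HTTP-Redirect URL or the base64 SAMLRequest field of an HTTP-POST form, and reports anything other than rsa-sha256. The sample requests, the host idp.example.test and the check that the digest is also SHA-256 are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # value from the steps above
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumption: digest should match

def algorithms(captured):
    """Return (signature_alg, digest_alg) for a Redirect URL or a base64 POST SAMLRequest."""
    if captured.startswith(("http://", "https://")):
        # Redirect binding: the algorithm is the SigAlg query parameter, no digest element
        sig = parse_qs(urlparse(captured).query).get("SigAlg", [None])[0]
        return sig, None
    xml = base64.b64decode(captured)
    if b"<!DOCTYPE" in xml:  # refuse DTDs before handing the bytes to the parser
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml)
    sm = root.find(f".//{{{DS}}}SignatureMethod")
    dm = root.find(f".//{{{DS}}}DigestMethod")
    return (sm.get("Algorithm") if sm is not None else None,
            dm.get("Algorithm") if dm is not None else None)

def audit(captured):
    """Return a list of findings; an empty list means the request is signed with SHA-256."""
    sig, digest = algorithms(captured)
    findings = []
    if sig is None:
        findings.append("unsigned: Sign AuthnRequest is not taking effect")
    elif sig != RSA_SHA256:
        findings.append(f"signature algorithm is {sig}")
    if digest is not None and digest != SHA256_DIGEST:
        findings.append(f"digest algorithm is {digest}")
    return findings

def sample_post(sig_alg, digest_alg):
    """Constructed sample: skeleton POST-binding AuthnRequest, signature value omitted."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_x">'
           f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{sig_alg}"/><ds:Reference URI="#_x">'
           f'<ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
           f'</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()

def sample_redirect(sig_alg):
    """Constructed sample: Redirect-binding URL with a placeholder host and values."""
    return "https://idp.example.test/adfs/ls?" + urlencode(
        {"SAMLRequest": "placeholder", "SigAlg": sig_alg, "Signature": "placeholder"})
```

Feed `audit()` the request captured from a browser SAML trace during a test login; a non-empty result means the instance is still signing with the old keystore or algorithm.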