
Description

How to configure your Identity Provider to use SHA-256 instead of the default SHA-1 algorithm

Release or Environment

All releases

Instructions

  • Enable the SAML 2.0 Keystore_Key2048_SHA256 SHA-256 keystore under x509 Certificate within the Multi-Provider SSO menu.
    https://<instance-name>.service-now.com/nav_to.do?uri=sys_certificate.do?sys_id=3685fc22930212003c5537ae867ffb9

  • Set the system property glide.authenticate.sso.saml2.keystore to the sys_id of that SHA-256 keystore, so that it becomes the default keystore for signing the SAML requests sent to the identity provider.
    https://<instance-name>.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=b4c45688db8bff4044a6413b3a9619e2

  • On the Identity Provider record:
    - Set the Identity Provider's SingleLogoutRequest field. For example, if you are using ADFS: https://<adfs.url.com>/adfs/ls, where <adfs.url.com> is your ADFS host name.
    - Set the credentials for the Signing/Encryption Key Alias and Signing/Encryption Key Password on the identity provider record in ServiceNow. The default value for each is saml2sp.
    - Set the Signing Signature Algorithm to the SHA-256 specification, which is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Double-check that SHA-256 is also set on the Relying Party Trust on the IdP side; if the two sides disagree, signature validation fails.
    - Tick the Sign AuthnRequest checkbox.
    - Once all this is set, use the Generate Metadata button in ServiceNow for the identity provider to generate the XML for importing into the IdP.
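A quick way to confirm the change took effect is to capture the AuthnRequest the instance sends after "Sign AuthnRequest" is ticked and inspect the algorithm it advertises. The script below is an added example, not part of the ServiceNow article; the AuthnRequest samples in it are constructed, and it assumes the standard HTTP-POST (SAMLRequest form field) and HTTP-Redirect (SigAlg query parameter) bindings.

```python
"""Audit which signature algorithm a captured SAML AuthnRequest carries.

Added example, not from the ServiceNow article. After moving the Identity
Provider record to rsa-sha256, feed the captured request in here and confirm
it no longer advertises rsa-sha1. Sample requests are constructed.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def classify(alg_uri):
    """Map a signature algorithm URI to a short verdict."""
    if alg_uri == RSA_SHA256:
        return "sha256"
    if alg_uri == RSA_SHA1:
        return "sha1 (weak, reconfigure)"
    return "other"

def audit_post_binding(saml_request_b64):
    """HTTP-POST binding: the XML itself carries an enveloped ds:Signature."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    methods = [m.get("Algorithm") for m in root.iter(DS_NS + "SignatureMethod")]
    return [classify(m) for m in methods] or ["unsigned"]

def audit_redirect_binding(query_string):
    """HTTP-Redirect binding: the algorithm travels in the SigAlg query parameter."""
    params = urllib.parse.parse_qs(query_string)
    if "Signature" not in params:
        return ["unsigned"]
    return [classify(params.get("SigAlg", [""])[0])]

def _sample_request(alg_uri):
    # Constructed, minimal AuthnRequest with only the parts the audit inspects.
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg_uri}"/>
  </ds:SignedInfo><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""

# Constructed captures: one before the change (SHA-1) and two after (SHA-256).
SHA1_POST = base64.b64encode(_sample_request(RSA_SHA1).encode()).decode()
SHA256_POST = base64.b64encode(_sample_request(RSA_SHA256).encode()).decode()
SHA256_REDIRECT = urllib.parse.urlencode(
    {"SAMLRequest": "placeholder", "SigAlg": RSA_SHA256, "Signature": "ZmFrZQ=="})

if __name__ == "__main__":
    print("POST, before:", audit_post_binding(SHA1_POST))
    print("POST, after: ", audit_post_binding(SHA256_POST))
    print("Redirect:    ", audit_redirect_binding(SHA256_REDIRECT))
```

For a real capture, paste the SAMLRequest form value into audit_post_binding or the full redirect query string into audit_redirect_binding; a "sha1" verdict means the Signing Signature Algorithm or the keystore property above was not applied.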

Article Information

Last Updated: 2020-09-01 02:02:49
Published: 2020-08-25