How to configure your Identity Provider to use SHA-256 instead of the default SHA-1 algorithm

Release or Environment

All releases


  • Enable the SHA-256 keystore named SAML 2.0 Keystore_Key2048_SHA256 under x509 Certificate in the Multi-Provider SSO menu.

  • Set the system property glide.authenticate.sso.saml2.keystore to the sys_id of that SHA-256 keystore; this makes it the default keystore used to sign the SAML requests sent to the identity provider.

  • On the Identity Provider record:
    - Set the Identity Provider's SingleLogoutRequest field. For example, if you are using ADFS: https://<adfs.url.com>/adfs/ls where <adfs.url.com>
    - Set the credentials for the Signing/Encryption Key Alias and Signing/Encryption Key Password on the identity provider record in ServiceNow. The default value for each is saml2sp.
    - Set the Signing Signature Algorithm to the SHA-256 specification, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Double check that SHA-256 is also set on the Relying Party Trust on the IdP side.
    - Tick the Sign AuthnRequest checkbox.
    - Once all this is set, use the Generate Metadata button on the identity provider record in ServiceNow to generate the XML for importing into the IdP.
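To confirm the change took effect, it helps to inspect a signed SAML message (for example an AuthnRequest sent over the POST binding) and check which XML-DSig algorithm URIs it carries. The script below is an added example, not part of this article or of ServiceNow; the AuthnRequest it parses is constructed inline with placeholder signature and digest values, and the ADFS hostname in it is made up.

```python
"""Check a signed SAML XML document for SHA-1 vs SHA-256 signature algorithms.

Added example. It reads the XML-DSig <Signature> element and reports whether
the SignatureMethod and every DigestMethod use the SHA-256 URIs this article
configures (rsa-sha256) rather than the SHA-1 defaults.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs defined by XML-DSig / XML-Enc; RSA_SHA256 is the value the article sets.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample: a minimal signed AuthnRequest. Signature/digest values are placeholders.
REQUEST_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1" Version="2.0"
    IssueInstant="2020-09-01T02:02:49Z" Destination="https://adfs.example.test/adfs/ls">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


def sample_request(sig_alg: str, digest_alg: str) -> str:
    """Build a constructed AuthnRequest carrying the given algorithm URIs."""
    return REQUEST_TEMPLATE.format(sig_alg=sig_alg, digest_alg=digest_alg)


def check_signature_algorithms(xml_text: str) -> dict:
    """Return the signature/digest URIs found and whether all of them are SHA-256."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{DS}Signature")
    if sig is None:  # unsigned message: Sign AuthnRequest was probably not ticked
        return {"signed": False, "signature": None, "digests": [], "sha256": False, "sha1": False}
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    sig_alg = method.get("Algorithm") if method is not None else None
    digests = [d.get("Algorithm") for d in sig.findall(f".//{DS}DigestMethod")]
    all_sha256 = sig_alg == RSA_SHA256 and bool(digests) and all(d == DIGEST_SHA256 for d in digests)
    any_sha1 = sig_alg == RSA_SHA1 or DIGEST_SHA1 in digests
    return {"signed": True, "signature": sig_alg, "digests": digests, "sha256": all_sha256, "sha1": any_sha1}


if __name__ == "__main__":
    print(check_signature_algorithms(sample_request(RSA_SHA1, DIGEST_SHA1)))      # sha1: True
    print(check_signature_algorithms(sample_request(RSA_SHA256, DIGEST_SHA256)))  # sha256: True
```

A request still reporting rsa-sha1 after the steps above usually means the keystore property or the Signing Signature Algorithm field was not saved, or the IdP-side Relying Party Trust still expects SHA-1.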

Article Information

Last Updated:2020-09-01 02:02:49