4
votes

ADFS has unexpected behavior that looks like a bug.

I have an SP that is using the SHA1 hash algorithm for digital signing. On ADFS, for this SP, I set the advanced tab to use SHA256.

For me it is normal that these are not correlated; each side chooses how it will sign.

When I signed out from the SP, I signed with SHA1. On ADFS I got this exception:

SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1 

I am using ADFS 3, Windows R2.


3 Answers

1
votes

You need to change the signing algorithm in ADFS from SHA256 to SHA1. This will solve the exception.

0
votes

While I'm using SimpleSAMLphp as my SP, I was getting the exact same error on logout. Hopefully my solution will be able to help some people.

I added the following line to the config for my IDP in the authsources.php file, then re-imported the metadata on the IDP (not sure if that step was required):

'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

0
votes

For those using the Ruby SAML gem, if you are unable to change the signing algorithm within ADFS, you can set the SAML settings like this:

settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256

I hope that becomes useful to someone in the future!
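As an added illustration, not code from the question or any of the answers, the following Python script pulls the signature algorithm a SAML LogoutRequest was actually signed with (from the XML for the POST binding, or from the SigAlg query parameter for the Redirect binding) and compares it with the algorithm configured for the relying party, which is the comparison behind the ADFS error quoted in the question. The sample request, the host adfs.example.test and the PLACEHOLDER values are constructed.

```python
# Checks the signature algorithm of a SAML LogoutRequest against the value
# configured for the relying party, mirroring the check ADFS applies.
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a POST-binding LogoutRequest carrying an enveloped signature.
# Only the SignatureMethod matters here; the signature value is a placeholder.
SAMPLE_POST_XML = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:LogoutRequest>"""

# Constructed sample: the same request over the HTTP-Redirect binding, where the
# algorithm travels in the SigAlg query parameter instead of inside the XML.
SAMPLE_REDIRECT_URL = ("https://adfs.example.test/adfs/ls/?SAMLRequest=PLACEHOLDER"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=PLACEHOLDER")

def post_binding_sig_alg(xml_text):
    """Return the ds:SignatureMethod Algorithm URI of a POST-binding request, or None."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    return node.get("Algorithm") if node is not None else None

def redirect_binding_sig_alg(url):
    """Return the percent-decoded SigAlg parameter of a Redirect-binding URL, or None."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("SigAlg", [None])[0]

def check_signature_algorithm(actual, expected):
    """Return (ok, message); the message mirrors the wording of the ADFS error."""
    if actual == expected:
        return True, "signature algorithm matches relying party configuration"
    return False, (f"SAML request is signed with signature algorithm {actual}. "
                   f"Expected signature algorithm is {expected}")

if __name__ == "__main__":
    # Relying party configured for SHA1 while the SP signs with SHA256: mismatch.
    for label, alg in (("POST", post_binding_sig_alg(SAMPLE_POST_XML)),
                       ("Redirect", redirect_binding_sig_alg(SAMPLE_REDIRECT_URL))):
        ok, msg = check_signature_algorithm(alg, RSA_SHA1)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {msg}")
```

Run it against a captured LogoutRequest to confirm which algorithm the SP really used before changing the relying party trust on ADFS or the SP's own setting.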