Help using Microsoft ADFS as an upstream SAML IdP and signing using SHA256
Original message was deleted
RHi @theo.muller you can ping me for queries.
I'll look into this.
Thanks for bumping it up
I'll look into this.
Thanks for bumping it up
RHey there, @theo.muller! While you can ping myself or Rajat directly for responses, you can also test out our new #ask-support-beta forum for immediate support as we look into your inquiry! 
RHey @theo.muller yes Someone from the team will write you today
MHi @theo.muller 
sorry about the late reply. You mentioned that error was "similar" to this one:
Can you please confirm the exact error, because if it is the above error, then the error says the opposite:
sorry about the late reply. You mentioned that error was "similar" to this one:ADFS SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1Based on that, your assumption was that
ADFS rejects the incoming AuthnRequest because it is signed with RSA-SHA1. Can you please confirm the exact error, because if it is the above error, then the error says the opposite:
- The SAML request is signed using RSA-SHA256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256).
- However, ADFS expects it to be signed using RSA-SHA1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1).
Older versions of ADFS by default expect RSA-SHA1 signatures. So, if that is indeed the error you received, you should update the ADFS relying party trust to allow SHA256 instead.
MAwesome, thanks for sharing those details! Let me take a look on our side and I will get back to you shortly with a response
MHi @theo.muller thanks for your patience while I looked into this. I received a reply from the Engineering team in charge of this feature. At the moment, it is unfortunately not possible to change the signing algorithm for SAML AuthnRequests.
That being said, they also mentioned that the library we use actually supports more algorithms, so it would be a matter of making this configurable in the provider configuration, like the binding. Could you please create a feature request in our Github repo so that our Product team can track and prioritize this request? https://github.com/zitadel/zitadel/issues
Thank you!
That being said, they also mentioned that the library we use actually supports more algorithms, so it would be a matter of making this configurable in the provider configuration, like the binding. Could you please create a feature request in our Github repo so that our Product team can track and prioritize this request? https://github.com/zitadel/zitadel/issues
Thank you!
MThank you! I see that it has been added to our product backlog for review. Once a PM has time to assess it, we will assign a priority, and they will let you know if more details are needed.
G
Looks like you just helped out another community member! Thanks for being so helpful @1354542547577344093! You're now one step closer to leveling up—keep up the amazing peer support! 