After upgrading to Cloud Access Manager 8.1.2 existing federated applications & authenticators will continue to use the SHA-1 algorithm for request signing (4273129)

After upgrading to Cloud Access Manager 8.1.2 existing federated applications & authenticators will continue to use the SHA-1 algorithm for request signing

Federated Applications and Authenticators created prior to upgrade continue to use the less secure SHA-1 algorithm to sign federated requests.

For the enhancement to support signing of federated requests with the SHA-2 algorithm it was necessary to update the provider type of the private key in Cloud Access Manager, however, existing certificates generated with the old private key will still not be able to support the SHA-2 algorithm.
This means that post-upgrade it is necessary to refresh the federation certificate in any federated Service Providers (applications) or Identity Providers (Front-end Authenticators) to use the SHA-2 algorithm. We recommend that you do this at your earliest opportunity to improve the security of your system.

RESOLUTION:

For each federated application or authenticator on your system:

1. Go to the Federation\Trust Settings page in the configuration wizard and select the ‘Edit’ option above the certificate.
2.  In the dialog that appears select “Generate New Certificate”, save the application or authenticator.
3. Return to the Federation\Trust Settings page in the configuration wizard and download the certificate
4. Go to the Token Settings page and change the Signature Algorithm or samltoken.signature_algorithm value to ‘SHA256’ and save the application or authenticator.  Note that this value will be disabled until a valid certificate has been generated.

Next either:

1. Manually upload the new certificate to your provider’s configuration
2. Or if supported by your provider, refresh the configuration using the Cloud Access Manager federation metadata URL for the application or authenticator.

NOTE:  Between generating the new certificate and uploading it to the service provider any requests sent to the service provider will fail. Therefore, we recommend that you complete this task in a maintenance window for each affected application.