-
Title
Updating federation certificates after upgrading to CAM 8.1.2. SHA-2 signing SAML requests. -
Description
Updating federation certificates after upgrading to CAM 8.1.2
SHA-2 signing SAML requests.
-
Cause
Enhancement Request 467017Use SHA-256 for signing of SAML requestsAfter upgrading to 8.1.2 existing federated applications and authenticators will continue to use SHA-1 for certificate signing until you manually update their certificates. See Getting started with One Identity Cloud Access Manager 8.1.2 in the 8.1.2 Release notes. -
Resolution
After upgrading to 8.1.2 existing federated applications and authenticators will continue to use SHA-1 for certificate signing until you manually update their certificates.
Updating federation certificates:
After upgrading to Cloud Access Manager 8.1.2 existing federated applications will continue to use the SHA-1 algorithm for certificate signing until you complete the following steps for each application.For the enhancement to support signing of federated requests with the SHA-2 algorithm (see New Feature #467017) it was necessary to update the provider type of the private key in Cloud Access Manager, however, existing certificates generated with the old private key will still not be able to support the SHA-2 algorithm. This means that post-upgrade it is necessary to refresh the federation certificate in any federated Service Providers (applications) or Identity Providers (Front-end Authenticators) that you have configured to upgrade to use the SHA-2 algorithm. We recommend that you do this at your earliest opportunity to improve the security of your system.
For each federated application or authenticator on your system:
Go to the Federation Settings page in the configuration wizard and select the ‘Edit’ option above the certificate. In the dialog that appears select “Generate New Certificate”, then download the certificate and save the application or authenticator.Next either:i. manually upload the new certificate to your provider’s configurationii. or if supported by your provider, refresh the configuration using the Cloud Access Manager federation metadata URL for the application or authenticator.Please note that between generating the new certificate and uploading it to the service provider any requests to the service provider will fail. Therefore, we recommend that you complete this task in a maintenance window for each affected application.
-
Change Request
467017