On 10 October 2018 SURFconext will migrate the hashing algorithm used for SAML 2.0 assertions sent to the Service Provider from SHA-1 to the modern SHA-256 algorithm.
SHA-1 has been considered deprecated for many years now, so it's necessary to migrate away from it. Identity Providers connected to SURFconext have already migrated to the SHA-256 hashing algorithm. We will now perform the process for Service Providers.
Whom does it concern
This concerns Service Providers connected to SURFconext via the SAML 2.0 protocol.
It does not apply to Service Providers (Relying Parties) connected via OpenID connect. Also, the SURFsecureID gateway already issues SHA-256 signed assertions, so SPs connected to the SURFsecureID gateway are necessarily already compliant.
Interested parties can already request to enable SHA-256 signing for their SP if they are ready.
The "test" environment of SURFconext has been switched to SHA-256 so Service Providers can verify their software there. It has also been enabled for Service Providers connecting to the "staging" environment. (Note that the legacy "connect.surfconext.nl" environment will not be changed, it will be phased out instead.)
On 10 October 2018, the hashing algorithm will be switched from SHA-1 to SHA-256 for all remaining service providers in the production environment.
- 6 June 2018: new SPs will use SHA-256 as default, existing SPs can request to be switched.
- 22 June 2018: all test environments have been switched to SHA-256.
- 10 October 2018, 10:10h CEST: end of SHA-1 support on production platform, all remaining SPs will be switched over.
What a Service Provider needs to do
Service Providers using a reasonably recent version of their SAML 2.0 software should have no problem dealing with SHA-256 signed assertions.
- SimpleSAMLphp supports it since version 1.9, released 2012.
- Shibboleth supports it when the underlying OpenSSL library does. Support for SHA-256 has been introduced in OpenSSL 0.9.8 from 2005.
- For other implementations we recommend to check the software's documentation.
Testing and verification can be done right now on the "test" and "staging" environments of SURFconext.
When using a too old version Service Providers need to upgrade before the switchover takes place on production. Logging in via SURFconext will break on 10 October 2018 for service providers still using software that does not support SHA-256 hashed assertions at that time.
Questions or help needed
Our regular channels for support are available to you as documented on Contact information.