TestShib.org signature algorithm changed?

Kevin Foote kpfoote at uoregon.edu
Wed Apr 2 13:45:29 EDT 2014

On 4/2/14, 10:27 AM, "Adam Conley" <aconley at ratex.com> wrote:

>Up until a few days ago (maybe a week or 2), the TestShib.org
>IdP was signing assertions with SHA1.
>That seems to have changed, as the signature is now using SHA256:
><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
>The current SP implementation I am using (OpenAM .Net
>Fedlet) doesn¹t currently support SHA256.
>Was the switch to SHA256 intentional, or is there any chance it will
>switch back to SHA1 to support older implementations, like ours?
>Thanks for any info you can provide!

Yes sorry need to put up a blurb somewhere. Scott is right though, while
we allow and welcome testing from all SAML software the main goal of
testshib.org is to provide an up-to-date testing ground for the Shibboleth
software stack. This means using current practices having to do with

There was a request to do this and a thread [1] on list.
To note I believe that this stems from the following (bullets taken from
i2 spaces wiki[2])

* NIST deprecated the use of SHA-1 in conjunction with digital signatures
on January 1, 2011.
* NIST disallows the use of SHA-1 in conjunction with digital signatures
after January 1, 2014.
* See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4

[1] http://thread.gmane.org/gmane.comp.web.shibboleth.user/33206
[2] https://spaces.internet2.edu/x/yoCkAg


More information about the users mailing list