CONNECT provides a basic feature for selecting which SHA versions are used for the digest and signature algorithms when initiating and accepting requests. The SHA versions available are those supported by the underlying CXF and OpenSAML libraries.
The latest CONNECT release (5.2) leverages CXF 3.1.9 and OpenSAML 3.1.1.
The SHA versions supported by OpenSAML and CXF can be specified with the following properties:
saml.digestAlgorithms - comma-separated list of algorithm URIs (OpenSAML SignatureConstants values) for the digest algorithms to support
saml.signatureAlgorithms - comma-separated list of algorithm URIs (OpenSAML SignatureConstants values) for the signature algorithms to support
saml.defaultSignatureAlgorithm - default signature algorithm to use when no override is provided in the entity message. Defaults to RSA-SHA1 if not set.
saml.defaultDigestAlgorithm - default digest algorithm to use when no override is provided in the entity message. Defaults to SHA1 if not set.
An example algorithm override follows:
<urn1:signatureAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</urn1:signatureAlgorithm>
<urn1:digestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha512</urn1:digestAlgorithm>
All versions specified in the saml.* properties are accepted by a responding CONNECT gateway.
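As an added illustration of the allow-list policy these properties express (this is not CONNECT, CXF or OpenSAML code), the following Python example parses constructed saml.* values tightened to SHA-2 and checks the SignatureMethod and DigestMethod URIs of a ds:Signature against them, accepting the page's SHA-512 override URIs and flagging the RSA-SHA1/SHA1 defaults. The property dictionary, the helper names and the two sample signatures are all constructed for this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed saml.* properties in the shape described above, tightened to SHA-2 only;
# RSA-SHA1 and SHA1 (the defaults when the keys are unset) are deliberately left out.
SAML_PROPERTIES = {
    "saml.digestAlgorithms": "http://www.w3.org/2001/04/xmlenc#sha256,"
                             "http://www.w3.org/2001/04/xmlenc#sha512",
    "saml.signatureAlgorithms": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,"
                                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "saml.defaultSignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "saml.defaultDigestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
}

def allowed_set(props, key):
    """Parse a comma-separated property value into a set of algorithm URIs."""
    return {u.strip() for u in props.get(key, "").split(",") if u.strip()}

def find_violations(signature_xml, props):
    """Return [(element, algorithm URI)] for every SignatureMethod or DigestMethod
    in a ds:Signature whose Algorithm is not on the corresponding allow-list."""
    root = ET.fromstring(signature_xml)
    checks = (("SignatureMethod", allowed_set(props, "saml.signatureAlgorithms")),
              ("DigestMethod", allowed_set(props, "saml.digestAlgorithms")))
    violations = []
    for element, allowed in checks:
        for el in root.iter(f"{{{DS}}}{element}"):
            alg = el.get("Algorithm", "")
            if alg not in allowed:
                violations.append((element, alg))
    return violations

def sample_signature(sig_alg, digest_alg):
    """Minimal constructed ds:Signature carrying the given algorithm URIs (values are placeholders)."""
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#assertion-1">
      <ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>placeholder</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>placeholder</ds:SignatureValue>
</ds:Signature>"""

# A message using the SHA-512 override URIs shown above, and a legacy RSA-SHA1/SHA1 one.
SHA512_SIGNATURE = sample_signature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
                                    "http://www.w3.org/2001/04/xmlenc#sha512")
SHA1_SIGNATURE = sample_signature("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                                  "http://www.w3.org/2000/09/xmldsig#sha1")
```

find_violations returns an empty list for SHA512_SIGNATURE and two entries for SHA1_SIGNATURE, which is the behaviour a responding gateway configured this way would exhibit when the SHA-1 defaults are not on its lists.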