SAML Token Secure Hash

Document ID : KB000096743
Last Modified Date : 21/05/2018
Question:
I'm using the "Create Signed Bearer-Token SAML Token" assertion and I don't want to use SHA-1 for signing, since it's insecure. How can I use SHA-256 or something secure?
Answer:
Although choosing a signature digest other than SHA-1 is not supported on the "Create Signed Bearer-Token SAML Token" assertion itself, you can leave the token unsigned there and sign it with the "(Non-SOAP) Sign XML Element Assertion" instead, which lets you select the signature algorithm. More information about this assertion is available at the link below:

https://docops.ca.com/ca-api-gateway/9-3/en/policy-assertions/assertion-palette/xml-security-assertions/non-soap-sign-xml-element-assertion

Attached to this article is also a sample policy that signs the SAML token with SHA-256.
File Attachments:
SAML_SHA256.xml
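After switching the policy to the "(Non-SOAP) Sign XML Element Assertion", it is worth confirming that the tokens the gateway emits really carry SHA-2 algorithm URIs in both the `ds:SignatureMethod` and the `ds:DigestMethod` elements, since a SHA-1 digest on the `Reference` undermines an RSA-SHA256 signature. The following checker is an added example and is not part of this article or the attached policy; it uses only the Python standard library, and the two SAML assertions it parses are constructed samples with placeholder `SignatureValue`/`DigestValue` content, not real gateway output.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# SHA-1-based XML Signature algorithm URIs (XML-DSig core) that the question wants to avoid.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# SHA-2 family URIs (RFC 4051 / XML Encryption) that a SHA-256-or-stronger
# signing configuration should produce.
STRONG_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def audit_signature_algorithms(token_xml):
    """Return (element, algorithm_uri, verdict) for every SignatureMethod and
    DigestMethod inside each ds:Signature of the token. verdict is 'weak',
    'strong' or 'unknown'. An unsigned token yields [('Signature', None, 'missing')]."""
    root = ET.fromstring(token_xml)
    signatures = list(root.iter("{%s}Signature" % DS_NS))
    if not signatures:
        return [("Signature", None, "missing")]
    findings = []
    for sig in signatures:
        for tag in ("SignatureMethod", "DigestMethod"):
            for elem in sig.iter("{%s}%s" % (DS_NS, tag)):
                alg = elem.get("Algorithm", "")
                if alg in WEAK_ALGORITHMS:
                    verdict = "weak"
                elif alg in STRONG_ALGORITHMS:
                    verdict = "strong"
                else:
                    verdict = "unknown"  # treat anything unrecognised as a finding
                findings.append((tag, alg, verdict))
    return findings


def is_sha1_free(token_xml):
    """True only if the token is signed and every signature and digest
    algorithm is in the SHA-2 family; missing or unknown algorithms fail."""
    return all(v == "strong" for _, _, v in audit_signature_algorithms(token_xml))


def _sample_token(signature_alg, digest_alg):
    # Constructed minimal SAML 2.0 bearer assertion with an enveloped signature.
    # SignatureValue and DigestValue are placeholders, so this token would not verify.
    return """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2018-05-21T00:00:00Z">
  <saml2:Issuer>https://gateway.example.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="%s"/>
      <ds:Reference URI="#_example-1">
        <ds:DigestMethod Algorithm="%s"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
</saml2:Assertion>""" % (signature_alg, digest_alg)


# "Before": what the SAML assertion produces on its own (SHA-1 everywhere).
SHA1_SIGNED_TOKEN = _sample_token(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1")

# "After": what a SHA-256 configuration of the Sign XML Element assertion should yield.
SHA256_SIGNED_TOKEN = _sample_token(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, token in (("SHA-1 token", SHA1_SIGNED_TOKEN), ("SHA-256 token", SHA256_SIGNED_TOKEN)):
        print(name, "sha1_free=%s" % is_sha1_free(token), audit_signature_algorithms(token))
```

To use it against real output, capture a token the gateway issued (for example from an audit record or a test client) and pass its XML to `is_sha1_free`; a result of `False` means at least one SHA-1 or unrecognised algorithm is still present, or the token is not signed at all.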