Okta SHA256 Application Migration FAQ Skip to main content
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000xa9tsac&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fokta-sha256-application-migration-faq
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Okta SHA256 Application Migration FAQ
Published: Nov 21, 2016   -   Updated: Jun 22, 2018

Okta SAML Library Update FAQ

Updated:  November 14, 2016
 
Okta’s service provides our customers with a secure environment that adheres to leading practices from the Security Industry. Okta has identified several Okta (OAN) SAML applications which leverage SHA1 Digital Signatures and Digest Algorithms as part of the SAML assertion.  Okta will be converting these SAML applications to SHA256-based algorithms over the course of the next few months.   The following provides answers to the most frequently asked questions about this upcoming change.
 
Note:  This article will be updated with additional questions and answers as they are raised.
 
Q1. Is the upcoming Okta SAML library update the same as or related to the Application SHA256 update Okta recently announced?
A1. No, these are two different changes which are unrelated. 
 
SHA256 Update:  The SHA256 change is an effort to update Okta Application Network (OAN) applications which currently leverage the soon to be deprecated SHA1 Digital Signature and Digest Algorithm to the SHA256 standard.  Refer to the SHA Application Update Schedule for more details about this change, and the weekly schedule for updating OAN applications.
 
Okta SAML Library Update:  The Okta SAML library is being upgraded to improve SAML performance and to ensure a high security standard for Okta customer environments.  Okta has tested the most popular and highly adopted OAN applications for proper functionality.  However, we are unable to test applications that customers have created themselves. Therefore, the applications that warrant scrutiny and customer verification are those applications that have the following characteristics:
  • Custom applications created by Okta customers using a template app or the App Integration Wizard, where a developer wrote custom parsing code, etc.
  • Any custom app created for Inbound SAML.
  • Custom applications that are in a JIT provisioning flow.  

Q2. What if my application is not on the list?
A2. If you have an (OAN) SAML application which is not on SHA Application Update Schedule list, it will not be updated as part of this effort.

Q3. Does this change impact applications I've created myself using Template SAML applications or using the Application Wizard?
A3. No, This change only affects a subset of (OAN) SAML applications.  Both Template SAML applications and Application Wizard created SAML apps are out of scope of this change.

Q4. How can I tell what SHA Digital Signature & Digest Algorithm my (OAN) application is using?
A4. You can use tools like SAML Tracer or Fiddler to examine the SAML assertion.  Within the SignedInfo tag you should see SignatureMethod and Digest Method tags.  These will specify the SHA level of the SAML assertion as seen below.
 
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       .....       
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

 
Q5. If an application is on list, what exactly do I need to do?
A5. Continue to monitor the SHA Application Update Schedule to be aware when your application is going to change.  The application update should be transparent to your end-users.  If however, the SAML Service Provider has any issues supporting SHA256 Signing or Digest algorithms, all SAML assertions for that application would fail.  Should this occur, please contact Okta Support immediately and we can revert your application change.

Q6. If an application is not part of the list, is it safe to assume that it is already using SHA256?
A6. If an application is not part of the list, it has already been upgraded, or has been reported to not support SHA256, and was subsequently removed from the SHA Application Update Schedule,

Q7. If I would like the change to be pushed our or moved in, can I request a change to the release schedule?
A7. If you have any questions regarding the SHA Application Update Schedule, please contact Okta Support to discuss.  We may be able to exclude your Okta tenant from the application change