
anas.35520 (Customer) asked a question.
I am facing this problem while following a tutorial https://www.baeldung.com/spring-security-saml to get going with Spring Security SAML with Okta as an identity provider (IdP).
I have setup the application on Okta and copied the certificate generated there to my sso.xml. The structure of my application is exactly the same as the one under https://github.com/eugenp/tutorials/tree/master/spring-security-modules/spring-security-saml. I have a different certificate, Identity Provider Issuer and Identity Provider Single Sign-On URL.
When I access my login webapp on http://localhost:8080/ I get the following error:
org.apache.xml.security.signature.XMLSignatureException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(SignatureDSA.java:196) ~[xmlsec-1.5.8.jar:1.5.8]
at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(SignatureDSA.java:205) ~[xmlsec-1.5.8.jar:1.5.8]
at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:239) ~[xmlsec-1.5.8.jar:1.5.8]
at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:606) ~[xmlsec-1.5.8.jar:1.5.8]
at org.opensaml.xml.signature.Signer.signObject(Signer.java:77) ~[xmltooling-1.4.6.jar:na]
at org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder.signMessage(BaseSAML2MessageEncoder.java:193) [opensaml-2.6.6.jar:na]
at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:109) [opensaml-2.6.6.jar:na]
at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52) [openws-1.5.6.jar:na]
at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:224) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:192) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:148) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:107) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.SAMLEntryPoint.initializeSSO(SAMLEntryPoint.java:225) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:152) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:213) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.handleAccessDeniedException(ExceptionTranslationFilter.java:192) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:173) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:142) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) [spring-security-web-5.5.1.jar:5.5.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]
java spring saml okta okta-api
Share
Edit
Close 2
Delete
Flag

Hello Ana,
Hope you have a nice day, based on the guide when you see the show advance settings on the general settings of the application, you should be able to see the certificate and it can be configured for SHA-1 and 256, please make sure about this setting, in case the setting is fine and it is already in 256 I would like to recommend you to open a case with Okta Support in order to check further on this
Thank you,
Fabian Ledezma