<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z000076xXzqCAEOkta Classic EngineAPI Access ManagementAnswered2021-08-17T16:00:46.000Z2021-08-13T09:54:48.000Z2021-08-17T16:00:46.000Z

anas.35520 (Customer) asked a question.

The security strength of SHA-1 digest algorithm is not sufficient for this key size

I am facing this problem while following a tutorial https://www.baeldung.com/spring-security-saml to get going with Spring Security SAML with Okta as an identity provider (IdP).

I have setup the application on Okta and copied the certificate generated there to my sso.xml. The structure of my application is exactly the same as the one under https://github.com/eugenp/tutorials/tree/master/spring-security-modules/spring-security-saml. I have a different certificate, Identity Provider Issuer and Identity Provider Single Sign-On URL.

When I access my login webapp on http://localhost:8080/ I get the following error:

org.apache.xml.security.signature.XMLSignatureException: The security strength of SHA-1 digest algorithm is not sufficient for this key size

at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(SignatureDSA.java:196) ~[xmlsec-1.5.8.jar:1.5.8]

at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(SignatureDSA.java:205) ~[xmlsec-1.5.8.jar:1.5.8]

at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:239) ~[xmlsec-1.5.8.jar:1.5.8]

at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:606) ~[xmlsec-1.5.8.jar:1.5.8]

at org.opensaml.xml.signature.Signer.signObject(Signer.java:77) ~[xmltooling-1.4.6.jar:na]

at org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder.signMessage(BaseSAML2MessageEncoder.java:193) [opensaml-2.6.6.jar:na]

at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:109) [opensaml-2.6.6.jar:na]

at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52) [openws-1.5.6.jar:na]

at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:224) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:192) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:148) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:107) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.saml.SAMLEntryPoint.initializeSSO(SAMLEntryPoint.java:225) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:152) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:213) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.access.ExceptionTranslationFilter.handleAccessDeniedException(ExceptionTranslationFilter.java:192) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:173) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:142) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) [spring-security-web-5.5.1.jar:5.5.1]

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.5.1.jar:5.5.1]

java spring saml okta okta-api

Share

Edit

Close 2

Delete

Flag       

 


  • User1616193434422641593 (Vendor Management)

    Hello Ana,

     

    Hope you have a nice day, based on the guide when you see the show advance settings on the general settings of the application, you should be able to see the certificate and it can be configured for SHA-1 and 256, please make sure about this setting, in case the setting is fine and it is already in 256 I would like to recommend you to open a case with Okta Support in order to check further on this

     

    Thank you,

    Fabian Ledezma

    Expand Post
This question is closed.
Loading
The security strength of SHA-1 digest algorithm is not sufficient for this key size