I'm currently looking at the security of a KeyCloak implementation, which again uses SAML 2.0 identity provider.
I'm not too familiar with SAML, but during the authentication, the sent SAMLRequest states SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1.
Reading through the SAML documentation, I understood that this is used for the SimpleSign
signature.
Therefore I'd consider this a security threat, with SHA1 being considered broken.
Is my assumption correct when I say that SHA1 for the SimpleSign algorithm poses a security threat and should be replaced by SHA256?
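As an added example (not code from the question's author or from Keycloak), a small check that decodes the SigAlg parameter from a signed SAML redirect URL like the one quoted above and flags SHA-1 based algorithms; the IdP URL, SAMLRequest and Signature values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# XML-DSig / RFC 4051 signature-algorithm URIs that are SHA-1 based.
SHA1_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}
# SHA-256 based replacement defined in RFC 4051.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_sig_alg(url: str) -> dict:
    """Classify the SigAlg of a SAML message carried in a redirect URL.

    Returns a dict with:
      status  - "unsigned", "malformed", "weak" or "ok"
      sig_alg - the URL-decoded SigAlg value (None when absent)
      detail  - a one-line finding suitable for a review note
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    sig_alg = params.get("SigAlg", [None])[0]
    signature = params.get("Signature", [None])[0]

    if sig_alg is None and signature is None:
        return {"status": "unsigned", "sig_alg": None,
                "detail": "message carries no Signature/SigAlg parameters"}
    if sig_alg is None or signature is None:
        return {"status": "malformed", "sig_alg": sig_alg,
                "detail": "Signature and SigAlg must both be present"}
    if sig_alg in SHA1_SIG_ALGS or sig_alg.lower().endswith("sha1"):
        return {"status": "weak", "sig_alg": sig_alg,
                "detail": f"SHA-1 based SigAlg; prefer {RSA_SHA256}"}
    return {"status": "ok", "sig_alg": sig_alg, "detail": "SigAlg is not SHA-1 based"}


# Constructed sample URLs (hypothetical IdP host, placeholder payloads).
BASE = "https://idp.example.test/realms/demo/protocol/saml"
SHA1_URL = (BASE + "?SAMLRequest=REQUEST_PLACEHOLDER&RelayState=abc"
            "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
            "&Signature=SIGNATURE_PLACEHOLDER")
SHA256_URL = (BASE + "?SAMLRequest=REQUEST_PLACEHOLDER"
              "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
              "&Signature=SIGNATURE_PLACEHOLDER")

if __name__ == "__main__":
    for u in (SHA1_URL, SHA256_URL):
        r = check_sig_alg(u)
        print(f"{r['status']:>9}: {r['detail']}")
```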