Tags: hash, certificate, adfs, sha1, sha2

Does your ADFS Server have to be deployed with only a SHA1 certificate to work with SHA1 relying party trusts?


Does your ADFS Server have to be deployed with a SHA1 certificate to work with SHA1-only relying party trusts?

Or can ADFS use a SHA2 certificate with a mix of SHA1 and SHA2 relying party trusts, as long as you change the particular trust's algorithm on the ADFS trust entry to match the relying party's SHA?

As far as I know, you are only able to use one certificate at a time in ADFS for all trusts.

Thanks


Solution

  • The SHA1 / SHA256 refers to the hash used to sign the token. This is configurable per RP.

    There is only one signing certificate, as you point out, but it can be hashed in two different ways.
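As an added example (not from the original question or answer), the PowerShell below shows the two separate things the answer distinguishes on an ADFS farm: the single primary token-signing certificate, and the per-relying-party signature algorithm, which it inventories and then raises to SHA-256 for one trust. It assumes the ADFS module on the federation server and admin rights; the trust name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ADFS PowerShell module
# (federation server) and an ADFS administrator session.
# The two algorithm URIs ADFS accepts for -SignatureAlgorithm:
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# 1. One token-signing certificate serves every trust in the farm.
#    Its own signature algorithm (how the CA signed the cert) is independent
#    of the hash ADFS uses when it signs tokens with the cert's private key.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    Select-Object Thumbprint,
        @{ n = 'CertSignedWith'; e = { $_.Certificate.SignatureAlgorithm.FriendlyName } }

# 2. Inventory: the token-signing hash is a per-trust setting.
$trusts = Get-AdfsRelyingPartyTrust
$trusts | Group-Object -Property SignatureAlgorithm | Select-Object Name, Count

# Trusts still receiving SHA-1 signed tokens (candidates to migrate once the
# relying party confirms it validates SHA-256 signatures).
$legacy = $trusts | Where-Object { $_.SignatureAlgorithm -eq $sha1 }
$legacy | Select-Object Name, Identifier

# 3. Switch a single trust to SHA-256; the certificate itself is unchanged.
#    'EXAMPLE-RP-NAME' is a placeholder for one of the names listed above.
Set-AdfsRelyingPartyTrust -TargetName 'EXAMPLE-RP-NAME' -SignatureAlgorithm $sha256

# Verify the change took effect for that trust only.
Get-AdfsRelyingPartyTrust -Name 'EXAMPLE-RP-NAME' | Select-Object Name, SignatureAlgorithm
```

Run the inventory step first and change trusts one at a time, so a relying party that rejects SHA-256 signatures can be reverted with the same cmdlet and `$sha1`.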