Hi,
IDP supports only SHA-256 message signing
We have a legacy IdP setup which is still using Microsoft ADFS 2.0, which supports only the message signing algorithms SHA-1 or SHA-256. By default it is set to SHA-256. MS documentation indicates that SHA-256 is the highest supported algorithm, meaning the message signing algorithm SHA-512 is not supported.
APEX supports only SHA-512 message signing
While trying to set up Oracle APEX (22.2.5) to integrate with this ADFS IdP, I encounter the "algorithm not supported" problem.
APEX by default sends SHA-512 signed SAML messages and expects SAML response messages to be SHA-512 signed.
Following is an example of a decoded SAML request from APEX:
<samlp:AuthnRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceIndex="0"
    ID="XyWDiRzkY1yoRBU0Md2YwBUX9zKApVw_8nSA0Lzxg0_4in9aN6VO_lotsIp5Z5pGyG_ecH-5WhcNoEkqsRsLyVg.4086707679389624"
    IssueInstant="2023-05-15T15:22:08Z"
    Destination="https://MYIDPHOST/adfs/ls/"
    Version="2.0">
  <saml:Issuer>SS_OApex</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod>
      <ds:Reference URI="fsdajkifdsoajio.4324326543">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
        <ds:DigestValue>fafreafrevfsvertrthb==</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATUREVALUE==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          *** SIGNING CERTIFICATE HERE ***
          *** SIGNING CERTIFICATE HERE ***
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>
As shown in the line “**<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512">**”, the request is signed with SHA-512.
Upon receiving the above SAML request from APEX, our IdP throws an error and the event log shows the actual problem:
SHA512 not supported.

The IdP setup cannot be changed to support SHA-512. Integrating the IdP at the web server (JBoss) level is not an option, as our environment requires each application to handle the ADFS SSO individually.
Any suggestion to ‘coax’ APEX into integrating with our IdP is welcome.
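As an added diagnostic (not part of the original post, and not APEX or ADFS code): a small Python script that decodes a captured SAMLRequest parameter from either the HTTP-POST binding (base64) or the HTTP-Redirect binding (base64 over raw DEFLATE, where the signature is in the SigAlg/Signature query parameters rather than inside the XML), pulls out the SignatureMethod and DigestMethod URIs, and reports which ones fall outside the hash families the IdP accepts (SHA-1 and SHA-256, as the post states for ADFS 2.0). The embedded AuthnRequest is a constructed sample modelled on the one above; its ID, DigestValue and SignatureValue are placeholders, and the second sample is the same message rewritten to SHA-256 to show what the IdP would accept.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Hash family behind each algorithm URI (XML-DSig core, XML-Enc, RFC 4051).
HASH_FAMILY = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}


def decode_saml_request(encoded):
    """SAMLRequest parameter -> XML bytes. POST binding is base64 of the XML;
    Redirect binding is base64 of raw DEFLATE (no zlib header, hence wbits=-15)."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)


def encode_for_post(xml_bytes):
    return base64.b64encode(xml_bytes).decode()


def encode_for_redirect(xml_bytes):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def embedded_signature_algorithms(xml_bytes):
    """(SignatureMethod URI, [DigestMethod URIs]) of an enveloped ds:Signature;
    (None, []) when the XML carries no signature (typical for the Redirect binding)."""
    sig = ET.fromstring(xml_bytes).find(f"{{{DS_NS}}}Signature")
    if sig is None:
        return None, []
    method = sig.find(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS_NS}}}DigestMethod")]
    return (None if method is None else method.get("Algorithm")), digests


def redirect_binding_sigalg(url):
    """Redirect binding: the signing algorithm is the SigAlg query parameter."""
    return parse_qs(urlparse(url).query).get("SigAlg", [None])[0]


def unsupported_algorithms(algorithm_uris, idp_supported=("SHA-1", "SHA-256")):
    """[(uri, hash family)] for every algorithm the IdP cannot verify."""
    bad = []
    for uri in algorithm_uris:
        if uri is None:
            continue
        family = HASH_FAMILY.get(uri, "unknown: " + uri)
        if family not in idp_supported:
            bad.append((uri, family))
    return bad


def check_request(encoded_request, idp_supported=("SHA-1", "SHA-256")):
    """Decode a SAMLRequest parameter and list the algorithms the IdP would reject."""
    method, digests = embedded_signature_algorithms(decode_saml_request(encoded_request))
    return unsupported_algorithms([method] + digests, idp_supported)


# Constructed sample modelled on the AuthnRequest in the post; values are placeholders.
SAMPLE_SHA512 = b"""<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0"
  ID="_constructed-id" IssueInstant="2023-05-15T15:22:08Z"
  Destination="https://MYIDPHOST/adfs/ls/" Version="2.0">
  <saml:Issuer>SS_OApex</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <ds:Reference URI="#_constructed-id">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
        <ds:DigestValue>PLACEHOLDER==</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Same message rewritten to SHA-256, the strongest family the post says ADFS 2.0 takes.
SAMPLE_SHA256 = SAMPLE_SHA512.replace(b"#rsa-sha512", b"#rsa-sha256").replace(b"#sha512", b"#sha256")

if __name__ == "__main__":
    for label, xml in (("APEX default", SAMPLE_SHA512), ("SHA-256 variant", SAMPLE_SHA256)):
        print(label, "->", check_request(encode_for_post(xml)) or "accepted by IdP")
```

Run it against a real capture by replacing the sample with the SAMLRequest value taken from the browser's POST body or, for the Redirect binding, the query string (in that case also pass the full URL to redirect_binding_sigalg, since the XML itself will carry no ds:Signature).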