Is your SP ready for SHA-256?

If you provide a service that receives logins from WAYF, you must make sure that, from July 1, your service is capable of validating SAML signatures based on the SHA-256 hashing algorithm. From that day on, WAYF will no longer issue signatures based on SHA-1.

If you use SimpleSAMLphp for connecting to WAYF, be aware that older versions don't support SHA-256.

WAYF operates a facility with which you can check your service's SHA-256 capability: in a fresh browser go to WAYF's Testing Service, check the boxes SP SigAlg = sha256 and IdP SigAlg = sha256, then press the Login button. Following that, in the same browser window go to the website of your service and log in through WAYF. Use your WAYF Orphanage account — request one here if you don't have one already. If the login succeeds and your service displays no error message, your service is capable of validating SHA-256 based signatures.
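As an added illustration (not code from WAYF or SimpleSAMLphp), the Python snippet below inspects the ds:Signature elements of a decoded SAML response and reports whether the signature and digest algorithms are SHA-256 or still SHA-1; it lets you confirm from a captured response which algorithm an IdP actually sent, but it does not cryptographically verify the signature, which remains your SP's job. The sample response is constructed, with placeholder signature and digest values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URIs as they appear in XML Signature / SAML messages
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def signature_algorithms(saml_xml):
    """One record per ds:Signature: the SignatureMethod URI and every DigestMethod URI."""
    ns = {"ds": DS}
    root = ET.fromstring(saml_xml)
    records = []
    for sig in root.iter("{%s}Signature" % DS):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", ns)
        digests = sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", ns)
        records.append({
            "signature": method.get("Algorithm") if method is not None else None,
            "digests": [d.get("Algorithm") for d in digests],
        })
    return records


def uses_only_sha256(saml_xml):
    """True only if every signature and every digest in the message is SHA-256 based."""
    records = signature_algorithms(saml_xml)
    return bool(records) and all(
        r["signature"] == RSA_SHA256 and r["digests"]
        and all(d == DIGEST_SHA256 for d in r["digests"])
        for r in records
    )


# Constructed, minimal SAML response (signature and digest values are placeholders)
SAMPLE_SHA256 = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="%s" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="%s"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="%s"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % (DS, RSA_SHA256, DIGEST_SHA256)

# The same message as an IdP still signing with SHA-1 would send it
SAMPLE_SHA1 = SAMPLE_SHA256.replace(RSA_SHA256, RSA_SHA1).replace(DIGEST_SHA256, DIGEST_SHA1)

if __name__ == "__main__":
    print("sha256 sample ok:", uses_only_sha256(SAMPLE_SHA256), "| sha1 sample ok:", uses_only_sha256(SAMPLE_SHA1))
```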