ComplyEQ Signing Algorithm
Learn how ComplyEQ signs SAML messages
ComplyEQ signs its SAML messages using the ComplyEQ SAML certificate and the signing algorithm configured in your identity provider (IdP).
In mid‑2021, Foundry added support for signing SAML messages—such as authentication and logout requests and responses—using the SHA‑256 algorithm. SHA‑256 is more secure and modern than SHA‑1, which was previously the only supported option.
If you are setting up single sign‑on (SSO) for the first time, ComplyEQ recommends using SHA‑256.
If your Foundry SSO configuration currently uses SHA‑1 and you want to upgrade to SHA‑256, follow the steps below.
Confirm upgrade eligibility
Check the current signing algorithm
- Log in to Foundry as a customer administrator
- Go to Settings > Single sign‑on
- Edit your identity provider configuration
- Review the ComplyEQ Signing Algorithm setting
The value will show either SHA‑1 (legacy) or SHA‑256.
Verify IdP support for SHA‑256
Confirm that your identity provider supports the SHA‑256 standard. Most modern identity management systems do.
Check IdP configuration options
Determine whether your identity provider:
- Requires you to manually configure the service provider’s signing algorithm, or
- Automatically detects the signing algorithm from the SAML message
If manual configuration is required, locate the setting you’ll need to update when switching from SHA‑1 to SHA‑256. See Identity Provider Support for SP Signatures below for general guidance.
Update your identity provider configuration
Once prerequisites are confirmed, follow these steps to upgrade from SHA‑1 to SHA‑256:
- Log in to the Foundry customer admin portal
- Go to Settings > Single sign‑on and open your identity provider configuration
- Edit the identity provider settings
- Change the ComplyEQ Signing Algorithm to SHA‑256 and select Save
- If your identity provider has a corresponding service provider signing algorithm setting, update it to SHA‑256 as well
Note: If your organization uses multiple identity provider configurations in Foundry (for example, different learner groups tied to different IdPs), each configuration must be updated individually.
Verify the upgrade
After updating the signing algorithm, verify the configuration by testing the following flows:
Service provider–initiated SSO
Sign in to Foundry from the Foundry customer login page. This sends a signed authentication request from Foundry to your identity provider.
Single logout from Foundry
If single logout (SLO) is enabled, log out from Foundry. This sends a signed logout request from Foundry to your identity provider.
Identity provider–initiated SSO and SLO
Sign in to Foundry from your identity provider, then log out from the IdP. For IdPs that support IdP‑initiated SLO, Foundry sends a signed logout response after receiving the logout request.
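To confirm what the messages in the flows above actually carry, it helps to inspect the signature algorithm on the wire rather than rely on the admin UI alone. The following is an added example, not ComplyEQ or Foundry code: it reads the SignatureMethod from a POST-bound SAML message and the SigAlg parameter from a redirect-bound request URL and maps each to the SHA-1/SHA-256 label used on this page. The sample request and URL are constructed placeholders, not real Foundry output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Standard XML-DSig algorithm URIs for the two options discussed on this page
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
LABELS = {RSA_SHA1: "SHA-1 (legacy)", RSA_SHA256: "SHA-256"}


def signature_algorithm_from_xml(saml_xml: str) -> str:
    """Return the ds:SignatureMethod Algorithm URI of a POST-bound SAML message."""
    root = ET.fromstring(saml_xml)
    node = root.find(f".//{{{DS_NS}}}SignatureMethod")
    if node is None:
        raise ValueError("message carries no XML signature")
    return node.attrib["Algorithm"]


def signature_algorithm_from_redirect(url: str) -> str:
    """Return the SigAlg query parameter of an HTTP-Redirect-bound SAML request."""
    params = parse_qs(urlparse(url).query)
    if "SigAlg" not in params:
        raise ValueError("redirect URL carries no SigAlg parameter")
    return params["SigAlg"][0]


def describe(algorithm_uri: str) -> str:
    """Map an algorithm URI to the label shown in the Foundry admin UI."""
    return LABELS.get(algorithm_uri, f"other ({algorithm_uri})")


# Constructed sample: a minimal signed AuthnRequest skeleton (not a real capture)
SAMPLE_POST_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_sample">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed sample redirect URL; the hostname and payload values are placeholders
SAMPLE_REDIRECT_URL = (
    "https://idp.example.com/sso?SAMLRequest=PLACEHOLDER&RelayState=abc"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=PLACEHOLDER"
)

if __name__ == "__main__":
    print("POST binding:", describe(signature_algorithm_from_xml(SAMPLE_POST_REQUEST)))
    print("Redirect binding:", describe(signature_algorithm_from_redirect(SAMPLE_REDIRECT_URL)))
```

A browser's developer tools or a SAML tracer extension will show the decoded message or the redirect URL for each of the three flows; any result still reporting SHA-1 (legacy) means that IdP configuration has not yet picked up the change.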
Identity provider support for SP signatures
ComplyEQ can’t provide configuration instructions for every identity provider, but the guidelines below describe common behaviors.
Identity providers that do not verify SP signatures
For these IdPs, the service provider’s signing algorithm does not affect validation.
Examples (as of May 2021) include Microsoft Azure and Okta.
Identity providers that optionally verify SP signatures
Some IdPs allow you to enable or disable service provider signature verification. Enabling verification is recommended for improved security.
Identity providers that verify SP signatures
IdPs that verify signatures handle configuration in one of two ways:
- Manual configuration: Some IdPs, such as Microsoft ADFS, allow you to manually set the service provider’s signing algorithm. After updating Foundry, edit the relying party trust, go to the Advanced tab, and set the secure hash algorithm to SHA‑256.
- Automatic detection: Other IdPs determine the signing algorithm by reading the SAML message itself. In these cases, no manual algorithm configuration is required.