          Web App Settings: Signing Algorithm for SAML Messages - Select SHA256 Control
          This security setting specifies the use of the Secure Hash Algorithm 256-bit variant to generate digital signatures for SAML assertions.

          Control Name

          Connected Apps: Web App Settings: Signing Algorithm for SAML Messages - Select SHA256

          Recommended Configuration

          Signing Algorithm for SAML Messages - Select SHA256.

          Control Overview

          This security setting specifies the use of the Secure Hash Algorithm 256-bit variant to generate digital signatures for SAML assertions, ensuring the integrity and authenticity of the identity exchange.

          Security Risk If Not Configured

Signing SAML messages with a weak algorithm, or not signing them at all, leaves them vulnerable to forgery and to bypass of the established identity trust between the identity provider and the application.

          Threat Scenarios

          An attacker exploits known collision vulnerabilities in legacy algorithms like SHA-1 to forge a valid-looking digital signature, allowing them to inject unauthorized administrative claims into the authentication flow.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to use modern hashing standards facilitates successful assertion manipulation and identity spoofing, which can result in a total compromise of the federated access management system.

          Higher Risk When

The service provider does not enforce signature expiration, or the private key used for signing is stored in a software-based repository without hardware-backed protection.

          Low Risk When

The org already mandates short-lived SAML assertions and enforces multi-factor authentication for every federated login attempt.

          Business and Integration Considerations

          Transitioning to SHA-256 ensures compliance with modern industry security standards, though it requires confirming that the receiving service provider can process 256-bit cryptographic hashes.

          Recommended Remediation

          Go to the Web App Settings for the Connected App and update the Signing Algorithm field to select SHA256 before saving the configuration.
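Selecting SHA256 changes what Salesforce emits, but the receiving side can only confirm the setting took effect by looking at the algorithm a message actually declares. The following added example (it is not Salesforce code) parses a SAML response, reads the XML-DSig SignatureMethod and DigestMethod URIs, and flags anything still using SHA-1 or MD5. The sample responses are constructed for this example, and the DigestValue/SignatureValue contents are placeholders rather than real cryptographic material.

```python
"""Audit the signing and digest algorithms declared in a SAML message.

Added example; not Salesforce code. It inspects the XML-DSig
<ds:SignatureMethod> and <ds:DigestMethod> elements in a SAML
Response/Assertion and flags any that still use SHA-1 or MD5, which is
what the "Select SHA256" control is meant to eliminate.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs as defined by XML-DSig (W3C) and RFC 4051 / RFC 6931.
WEAK_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "DSA-SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": "RSA-MD5",
}
STRONG_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "RSA-SHA384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA-SHA512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": "ECDSA-SHA256",
}
WEAK_DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#md5": "MD5",
}
STRONG_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}


def audit_saml_signatures(xml_text: str) -> dict:
    """Return every SignatureMethod/DigestMethod URI in the message plus findings.

    xml.etree does not fetch external entities, but for messages from
    untrusted parties use a hardened parser such as defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    result = {"signature_methods": [], "digest_methods": [], "findings": []}
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        for sm in sig.iter(f"{{{DS_NS}}}SignatureMethod"):
            uri = sm.get("Algorithm", "")
            result["signature_methods"].append(uri)
            if uri in WEAK_SIGNATURE_METHODS:
                result["findings"].append(
                    f"weak signature algorithm {WEAK_SIGNATURE_METHODS[uri]} ({uri})")
            elif uri not in STRONG_SIGNATURE_METHODS:
                result["findings"].append(f"unrecognised signature algorithm ({uri})")
        for dm in sig.iter(f"{{{DS_NS}}}DigestMethod"):
            uri = dm.get("Algorithm", "")
            result["digest_methods"].append(uri)
            if uri in WEAK_DIGEST_METHODS:
                result["findings"].append(
                    f"weak digest algorithm {WEAK_DIGEST_METHODS[uri]} ({uri})")
            elif uri not in STRONG_DIGEST_METHODS:
                result["findings"].append(f"unrecognised digest algorithm ({uri})")
    if not result["signature_methods"]:
        # An unsigned assertion offers no integrity guarantee at all.
        result["findings"].append("message carries no XML signature")
    result["compliant"] = not result["findings"]
    return result


# Constructed SAML response skeleton; placeholders stand in for real values.
_RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{sig}"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="{dig}"/>
          <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(sig_alg: str, digest_alg: str) -> str:
    """Fill the constructed template with the given algorithm URIs."""
    return _RESPONSE_TEMPLATE.format(sig=sig_alg, dig=digest_alg)


SAMPLE_SHA1_RESPONSE = build_sample_response(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1")
SAMPLE_SHA256_RESPONSE = build_sample_response(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for label, msg in (("SHA-1", SAMPLE_SHA1_RESPONSE), ("SHA-256", SAMPLE_SHA256_RESPONSE)):
        report = audit_saml_signatures(msg)
        print(label, "compliant" if report["compliant"] else report["findings"])
```

Run it against a captured SAML response (for example, a decoded SAMLResponse form parameter from a test login) to confirm that both the SignatureMethod and the DigestMethod report SHA-256; a compliant signature algorithm paired with a SHA-1 digest is still flagged, since the digest is what the signature actually covers.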

          Security Health Review Guidance

          Security Health Review identifies the enforcement of SHA-256 signing as a strongly recommended standard to prevent cryptographic attacks and make sure that all identity assertions remain resistant to unauthorized modification.

          Salesforce Help | Article