{"id":20044,"date":"2017-02-06T09:00:39","date_gmt":"2017-02-06T08:00:39","guid":{"rendered":"http:\/\/nolabnoparty.com\/?p=20044\/"},"modified":"2017-02-03T11:03:59","modified_gmt":"2017-02-03T10:03:59","slug":"office-365-supports-sha-256-algorithm-token-signing","status":"publish","type":"post","link":"https:\/\/nolabnoparty.com\/en\/office-365-supports-sha-256-algorithm-token-signing\/","title":{"rendered":"Office 365 supports the SHA-256 algorithm for token-signing"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter wp-image-20045 size-full\" title=\"office365securefederation01\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation01.jpg\" alt=\"office365securefederation01\" width=\"602\" height=\"202\" \/><\/p>\n<p>In Office 365 environment, AD FS signs its tokens to\u00a0Microsoft Azure Active Directory to\u00a0protect the tokens\u00a0from being <strong>tampered with<\/strong>.<\/p>\n<p>This signature can be based on SHA-1 or SHA-256 and since\u00a0Azure Active Directory <strong>now supports<\/strong>\u00a0tokens signed with SHA-256 algorithm, the change to the new algorithm it is strongly recommended to ensure the <strong>highest level of security<\/strong>.<\/p>\n<p>If your configuration is still using the SHA-1 algorithm, in\u00a0the\u00a0<strong>Office 365 Admin center<\/strong> under\u00a0<strong>Message center<\/strong>\u00a0you can find a warning to secure the token-signing <strong>algorithm to SHA-256<\/strong>.<!--more--><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20046 size-large\" title=\"office365securefederation02\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation02-600x215.jpg\" alt=\"office365securefederation02\" width=\"600\" height=\"215\" \/><\/p>\n<p>There are two ways to change the algorithm type in AD FS:<\/p>\n<ul>\n<li>via AD FS console<\/li>\n<li>using PowerShell<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Change the algorithm via AD FS console<\/h2>\n<p>Access the AD FS management console on the <strong>primary AD FS server<\/strong> and after expanding the AD FS node click <strong>Relying Party Trusts<\/strong>. Right click <strong>Microsoft Office 365 Identity Platform<\/strong> and select <strong>Properties<\/strong> option.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20047 size-large\" title=\"office365securefederation03\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation03-600x238.jpg\" alt=\"office365securefederation03\" width=\"600\" height=\"238\" \/><\/p>\n<p>Select <strong>Advanced<\/strong> tab and set <strong>Secure hash algorithm<\/strong> field with <strong>SHA-256<\/strong> value.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20048 size-full\" title=\"office365securefederation04\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation04.jpg\" alt=\"office365securefederation04\" width=\"411\" height=\"477\" \/><\/p>\n<p>Click <strong>OK<\/strong> to confirm the change.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20049 size-full\" title=\"office365securefederation05\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation05.jpg\" alt=\"office365securefederation05\" width=\"411\" height=\"477\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2>Change the algorithm using AD FS PowerShell cmdlets<\/h2>\n<p>Same change can be done via <strong>PowerShell<\/strong> using the following command:<\/p>\n<pre class=\"line-height:25 height-mode:1 height:25 width:100 width-unit:1 lang:default decode:true \">Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm 'http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'<\/pre>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-20050 size-large\" title=\"office365securefederation06\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2017\/02\/office365securefederation06-600x304.jpg\" alt=\"office365securefederation06\" width=\"600\" height=\"304\" \/><\/p>\n<p>No extra configuration is required and this change doesn't impact Office 365 or other Azure AD applications <strong>accessibility<\/strong>.<\/p>\n<p><img decoding=\"async\" title=\"signature\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/images\/firma.jpg\" alt=\"signature\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Office 365 environment, AD FS signs its tokens to\u00a0Microsoft Azure Active Directory to\u00a0protect the tokens\u00a0from being tampered with. This signature can be based on SHA-1 or SHA-256 and since\u00a0Azure Active Directory now supports\u00a0tokens signed with SHA-256 algorithm, the change to the new algorithm it is strongly recommended to ensure the highest level of security. If your configuration is still using the SHA-1 algorithm, in\u00a0the\u00a0Office 365 Admin center under\u00a0Message center\u00a0you can find a warning to secure the token-signing algorithm to SHA-256.<\/p>\n","protected":false},"author":3,"featured_media":20045,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"linkedin_93tdZWzMZc_93tdZWzMZc":"","facebook_2879994398731222_17841400390232720":"","twitter_113568041_113568041":"","mastodon_115463926174894442_115463926174894442":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[1065,1721],"tags":[1760,1566,1571,1759],"class_list":["post-20044","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-en","category-office365-en","tag-algorithm","tag-office-365","tag-office-365-en","tag-token","has_thumb"],"_links":{"self":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/20044","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/comments?post=20044"}],"version-history":[{"count":0,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/20044\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media\/20045"}],"wp:attachment":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media?parent=20044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/categories?post=20044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/tags?post=20044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}