From 45e927649fcf80a0aa66e0b079226f6eca883244 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Tue, 29 May 2018 08:12:10 +0000
Subject: [PATCH] Document how to re-enable sha1 for a specific remote entity.

---
 docs/simplesamlphp-upgrade-notes-1.16.md |  3 ++-
 metadata-templates/saml20-sp-remote.php  | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/simplesamlphp-upgrade-notes-1.16.md b/docs/simplesamlphp-upgrade-notes-1.16.md
index caab84c45..a95505379 100644
--- a/docs/simplesamlphp-upgrade-notes-1.16.md
+++ b/docs/simplesamlphp-upgrade-notes-1.16.md
@@ -3,7 +3,8 @@ Upgrade notes for SimpleSAMLphp 1.16
 
 The default signature algoritm is now SHA-256 (SHA-1 has been considered
 obsolete since 2014). For entities that need it, you can switch back to
-SHA-1 by setting the `signature.algorithm` option in the entity metadata.
+SHA-1 by setting the `signature.algorithm` option in the remote entity
+metadata.
 
 The class `SimpleSAML_Error_BadUserInnput` has been renamed to
 `SimpleSAML_Error_BadUserInput`.
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 46262cee1..b74e90492 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -25,3 +25,17 @@ $metadata['google.com'] = array(
 	'simplesaml.nameidattribute' => 'uid',
 	'simplesaml.attributes' => FALSE,
 );
+
+$metadata['https://legacy.example.edu'] = array(
+	'AssertionConsumerService' => 'https://legacy.example.edu/saml/acs',
+        /*
+         * Currently, SimpleSAMLphp defaults to the SHA-256 hashing algorithm.
+	 * Uncomment the following option to use SHA-1 for signatures directed
+	 * at this specific service provider if it does not support SHA-256 yet.
+         *
+         * WARNING: SHA-1 is disallowed starting January the 1st, 2014.
+         * Please refer to the following document for more information:
+         * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
+         */
+        //'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha1',
+);
-- 
GitLab