back to website

Werk #15671: SAML: use RSA-SHA256 to sign authentication requests

Component Setup, site management
Title SAML: use RSA-SHA256 to sign authentication requests
Date Apr 24, 2023
Level Trivial Change
Class New Feature
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b7 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Checkmk would sign its authentication requests with RSA-SHA512. However, some identity providers (e.g. some versions of Microsoft ADFS) do not support any signature algorithms beyond SHA256. As a result, the authentication requests would be rejected with an error message similar to

"Error details: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha512. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256."

For this reason, Checkmk now uses RSA-SHA256 to sign its authentication requests.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our hybrid Monitoring Community event from May 20-22 in Munich and learn more about the latest Checkmk features and our roadmap at the Checkmk Conference #11

Register now