Change signature hash algorithm for Office 365 relying party trust

Overview

Active Directory Federation Services (AD FS) signs the tokens it issues to Azure Active Directory so that they cannot be tampered with in transit. The signature can use either SHA1 or SHA256 as its hash algorithm. Azure Active Directory now accepts tokens signed with SHA256, and Microsoft recommends setting the token-signing algorithm for the Office 365 relying party trust to SHA256 for the highest level of security, since SHA1 is no longer considered collision resistant. This article describes the steps needed to switch the token-signing algorithm to SHA256.

Note

Microsoft recommends SHA256 as the token-signing algorithm because it is more secure than SHA1, but SHA1 remains a supported option.

Change the token-signing algorithm

After you set the signature algorithm with either of the two procedures below, AD FS signs tokens for the Office 365 relying party trust with SHA256. No other configuration change is needed, and the change does not affect your ability to sign in to Office 365 or other Azure AD applications. Only the hash algorithm used in the token's XML signature changes; the token-signing certificate is not replaced, so you don't need to update the signing certificate registered in Azure AD.

AD FS management console

  1. Open the AD FS management console on the primary AD FS server.
  2. Expand the AD FS node and click Relying Party Trusts.
  3. Right-click your Office 365/Azure relying party trust and select Properties.
  4. On the Advanced tab, set Secure hash algorithm to SHA256.
  5. Click OK.

[Screenshot: SHA256 selected as the secure hash algorithm on the Advanced tab in the AD FS MMC]

AD FS PowerShell cmdlets

  1. Open PowerShell with administrator privileges on the primary AD FS server. (A farm that uses the Windows Internal Database accepts configuration writes only on the primary server; a SQL-backed farm accepts them from any federation server.)

  2. Set the secure hash algorithm with the Set-AdfsRelyingPartyTrust cmdlet. The value is the XML Signature algorithm identifier, which uses the http scheme; it is an identifier that AD FS matches exactly, not a URL that is fetched.

    Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
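The following PowerShell script is an added example, not part of the original article. It goes one step further than the single cmdlet above: it audits every relying party trust for SHA1, switches the Office 365 trust to SHA256 only if it is not already there, and then reads the setting back to confirm the change was persisted. It assumes the AD FS PowerShell module is available and that the trust is named 'Microsoft Office 365 Identity Platform' (the name used on this page); the variable names are the example's own.

```powershell
# Added example (not from the original article). Run on the primary AD FS server.
# Assumes the AD FS module is loaded and the trust name below matches your farm.

$Sha1    = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256  = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$RptName = 'Microsoft Office 365 Identity Platform'   # assumed trust name

# 1. Audit: list every relying party trust that still signs with SHA1,
#    so trusts other than Office 365 are not overlooked.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.SignatureAlgorithm -eq $Sha1 } |
    Select-Object Name, Identifier, SignatureAlgorithm |
    Format-Table -AutoSize

# 2. Switch the Office 365 trust to SHA256 only if it is not already set.
$rpt = Get-AdfsRelyingPartyTrust -Name $RptName
if (-not $rpt) { throw "Relying party trust '$RptName' not found." }

if ($rpt.SignatureAlgorithm -ne $Sha256) {
    Set-AdfsRelyingPartyTrust -TargetName $RptName -SignatureAlgorithm $Sha256
} else {
    Write-Output "$RptName already uses rsa-sha256; nothing to do."
}

# 3. Verify: read the value back from the configuration database.
$after = (Get-AdfsRelyingPartyTrust -Name $RptName).SignatureAlgorithm
if ($after -ne $Sha256) { throw "Expected '$Sha256' but found '$after'." }
Write-Output "$RptName now signs tokens with rsa-sha256."
```

Step 1 is the part worth keeping around after the migration: any trust it lists is still issuing SHA1-signed tokens and can be moved with the same Set-AdfsRelyingPartyTrust call by substituting its name for $RptName.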

See also