Sunset for Support of SHA-1 Signing Algorithm for SSO
Please note: This post is intended for the customers with enterprise licence who are using SSO with SHA-1 certificate. If you are using SHA-1, you may have received email communication to change the certificate to SHA-256 by June 30, 2023.
HubSpot mandates that customers sign the SSO SAML requests with SHA-256 for better security.
After March 31, 2023, HubSpot has stopped supporting SHA-1 for new SSO connection. It means that the customer SSO Admin cannot set up new SSO connection using SHA-1 signing algorithm, but any existing SSO setup that uses SHA-1 may still work. HubSpot will stop supporting SHA-1 for all SSO connections after June 30, 2023. If customers are using SHA-1, they will need to migrate to SHA-256 by June 30, 2023.
This rollout will improve the security posture for our customers as SHA-1 is having known vulnerabilities. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.
As an SSO admin you shouldn't use SHA-1 signing algorithm for SSO with the IdP. You should use SHA-256 signing algorithm itself. As an SSO admin you can get the SHA-256 certificate for HubSpot application from the IdP that you are using and update the X.509 certificate under: Account Defaults->Security->Edit Single Sign-on.
As an SSO admin you can simply copy the certificate from IdP and paste it in as "X.509 Certificate". Please note that inside the certificate there is metadata on how we should treat the certificate and it should say SHA-256 in it (but, it is not readable since it will be encoded).
Who gets it?
All enterprise accounts who are using SSO or plan to use SSO in the future.
HubSpot anticipates no downtime for SSO logins if the switch is made before or on June 30, 2023.