Discourage the use of fingerprint on production environments

pitbulk · pitbulk · commit 64ae0556b632 · 2018-08-05T21:28:06.000+02:00
diff --git a/README.md b/README.md
@@ -65,6 +65,8 @@ Key features:
 
 In production, the **onelogin.saml2.strict** setting parameter MUST be set as **"true"**. Otherwise your environment is not secure and will be exposed to attacks.
 
+In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
+
 ## Installation
 ### Hosting
 #### Github
@@ -261,7 +263,10 @@ onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:b
 # Public x509 certificate of the IdP
 onelogin.saml2.idp.x509cert =
 
-# Instead of use the whole x509cert you can use a fingerprint
+# Instead of using the whole x509cert you can use a fingerprint in order to
+# validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
+# But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
+# that why we don't recommend it use for production environments.
 # (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
 # or add for example the -sha256 , -sha384 or -sha512 parameter)
 #
diff --git a/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties b/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties
@@ -78,7 +78,10 @@ onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:b
 # Public x509 certificate of the IdP
 onelogin.saml2.idp.x509cert =
 
-# Instead of use the whole x509cert you can use a fingerprint
+# Instead of using the whole x509cert you can use a fingerprint in order to
+# validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
+# But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
+# that why we don't recommend it use for production environments.
 # (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
 # or add for example the -sha256 , -sha384 or -sha512 parameter)
 #
