When setting up Github Enterprise Cloud plan single sign on – SSO for Microsoft Azure active directory, you may encounter the ‘FAILED: digest mismatch‘ error when test/saving your SSO configuration.
SSO configuration on github:-
When you hit test SAML configuration before saving button on Github, it will test the SSO configuration to your Azure AD , the Idp provider. You need to input your Sign on URL, unique URL, Certificate (base64) given that you already completed the configuration on Azure AD. You can find the complete Azure AD SSO configuration guide for your specific Github product here from Microsoft, the values are different for Github Organization and Github Enterprises.
You will receive the SAML Signing certificate from Azure by default SHA256 signing algorithm, once saved you can download the Base64 format for input into Github SSO config.
Back to Github SSO config page, once you paste the SHA256 certificate in Base64, you will see the confirmation “Your SAML provider is using the RSA-SHA256 Signature Method and the SHA256 Digest Method”
From there if you try to test/save the configuration it will attempt to test the configuration and after a while returns the error ‘FAILED: digest mismatch‘
Googling around did not prove very useful however I did find this old github blog – SHA256 support for fingerprints. Debugging my SAML response I noticed the two lines below referencing ‘Digest’ Which tells me that my Digest Method algorithm is that of SHA256. I also read that Github uses OmniAuth
Further digging led me to compare my above SAML response digestMethod algorithm with the github omniauth-saml strategies library found here
This tells me my signing algorithm is SHA256 but Github expects SHA1.
Changing my certificate signing algorithm to SHA1, and providing the SHA1 fingerprint to Github SSO configuration solved the ‘Digest mismatch’ error and my SSO configuration was successful. However this was all in a test environment, but I would not recommend to generate SHA1 certificate in production for use, rather you can generate a SHA256 and then calculate the SHA1 fingerprint using openSSL and use that SHA1 fingerprint on Github SSO config.
This other blog from Gitlab.com SAML related issues says:-
Please note, we currently support SHA-2 as the certificate signature algorithm and we recommend for the certificate to be generated using SHA-2(256) or higher. It is only the certificate fingerprint that requires a SHA-1. The risk on using SHA-1 for the fingerprint is not as great as having the certificate generated using SHA-1.
A little understanding of certificate encryption vs certificate fingerprint:-
The algorithm of the fingerprint/thumbprint is unrelated to the encryption algorithm of the certificate. The fingerprint/thumbprint is a identifier used by some server platforms to locate the certificate in a certificate store.
In conclusion, use a tool such as openSSL, calculate the SHA1 fingerprint from your SHA256 certificate, and use that to complete your Github SSO config. Sample command will be:-
openssl x509 -noout -fingerprint -sha1 -inform pem -in "MyCertificate-domain.com.cer"
Github Enterprise SSO Configuration successful:-