SAP Knowledge Base Article - Public

3614707 - Login issue after updating SSO certificate in Entra

Symptom

  • A login issue is experienced after manually generating and updating the new SSO certificate in Entra.
  • The following error message is received: "AADSTS76028: Signature algorithm used to sign data is not supported."

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental. 

Environment

SAP SuccessFactors HCM Core

Reproducing the Issue

  1. Manually generate and update the new SSO certificate in Entra.
  2. Attempt to log in.
  3. Observe the error message: "AADSTS76028: Signature algorithm used to sign data is not supported."

Cause

The issue is caused by the "Allow requests signed with RSA-SHA-1" option not being enabled in Entra.

Resolution

To resolve the issue, please follow the steps below:

  • Ensure the correct certificate is applied.

  • In Admin Center > Manage SAML SSO Settings, enable the "SSO certificate renewed" checkbox.

  • In Microsoft Entra, verify that the "Allow requests signed with RSA-SHA-1" option is enabled.

IMPORTANT: The above steps are provided as guidance only. Since this involves configuration on the Microsoft side, it falls outside of our ownership. For further assistance, please contact Microsoft Support directly. 
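
To confirm the cause before changing the Entra setting, the signature algorithm can be read from a captured SAML request. The following is an added example, not SAP or Microsoft code; it relies on the standard SAML HTTP-Redirect and HTTP-POST bindings, and the function names, sample requests and the host login.example.test are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

DSIG = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = DSIG + "rsa-sha1"

def request_signature_algorithm(captured):
    """Return the signature algorithm URI of a captured AuthnRequest, or None if unsigned.

    `captured` is the full HTTP-Redirect URL, or the base64 SAMLRequest value (HTTP-POST).
    """
    blob = captured
    if "://" in captured:
        query = parse_qs(urlsplit(captured).query)
        if "SigAlg" in query:  # Redirect binding carries the algorithm as a parameter
            return query["SigAlg"][0]
        blob = query["SAMLRequest"][0]
    raw = base64.b64decode(blob)
    try:
        root = ET.fromstring(raw)  # POST binding: plain base64-encoded XML
    except ET.ParseError:
        root = ET.fromstring(zlib.decompress(raw, -15))  # Redirect binding: raw DEFLATE
    method = root.find(f".//{{{DSIG}}}SignatureMethod")
    return None if method is None else method.get("Algorithm")

def needs_rsa_sha1_option(captured):
    """True when the request is signed with RSA-SHA-1, the case the Entra option covers."""
    return request_signature_algorithm(captured) == RSA_SHA1

def redirect_encode(xml):
    """Encode XML the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

# Constructed samples, not real traffic; login.example.test is a placeholder host.
UNSIGNED_XML = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>'
SIGNED_XML = (UNSIGNED_XML[:-2] + '><ds:Signature xmlns:ds="' + DSIG + '"><ds:SignedInfo>'
              '<ds:SignatureMethod Algorithm="' + RSA_SHA1 + '"/>'
              '</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>')
SAMPLE_POST = base64.b64encode(SIGNED_XML.encode()).decode()
SAMPLE_REDIRECT = "https://login.example.test/saml2?" + urlencode({
    "SAMLRequest": redirect_encode(UNSIGNED_XML),
    "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "Signature": "constructed"})

if __name__ == "__main__":
    for name, sample in (("POST", SAMPLE_POST), ("Redirect", SAMPLE_REDIRECT)):
        print(name, request_signature_algorithm(sample), needs_rsa_sha1_option(sample))
```

The captured value can be taken from the browser's network trace of the failed login. The function reads the declared algorithm only and does not verify the signature.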

Keywords

login issue, sso certificate, entra, rsa-sha-1, sap successfactors, certificate renewal, manage saml sso settings, error message, signature algorithm, KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Problem

Product

SAP SuccessFactors Platform all versions