Why is this changing:

SHA-1 is a legacy algorithm considered cryptographically insecure due to known collision vulnerabilities. Leading security standards bodies, including NIST, recommend transitioning to SHA-2 family algorithms such as SHA-256 to mitigate potential risks.

 

What do you need to do:

If your organization uses SAML-based Single Sign-On (SSO) to access MuleSoft services, do the following:

  1. Review your third-party Identity Provider (IdP) configuration.
    1. Configure your IdP to use RSA-SHA256 or stronger signature algorithms.
    2. Update any metadata if necessary to reflect the stronger algorithm.
  2. Test your updated configuration.
    1. We recommend testing changes in a non-production environment.
  3. Complete the update before March 15, 2026. After this date, connections using SHA-1 will be removed.
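
One way to carry out the test step above, as an added example that is not MuleSoft's own tooling: decode a SAMLResponse captured from a non-production IdP login (HTTP-POST binding assumed) and list any XML Signature algorithm URIs that still use SHA-1. The function names and sample responses are constructed for illustration, and the DigestMethod check goes beyond the signature algorithm this notice names.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

def uses_sha1(uri: str) -> bool:
    """True for XML-DSig SHA-1 identifiers such as ...#rsa-sha1 or ...#sha1."""
    frag = uri.rsplit("#", 1)[-1].lower()
    return frag == "sha1" or frag.endswith("-sha1")

def audit(saml_response_b64: str):
    """Return [(element, algorithm URI)] for each SHA-1 use in a SAMLResponse.

    Input is the base64 form value sent over the HTTP-POST binding, captured
    from your own IdP test login.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            uri = el.get("Algorithm", "")
            if uses_sha1(uri):
                findings.append((tag, uri))
    return findings

def sample(sig_alg: str, digest_alg: str) -> str:
    """Constructed, unsigned stand-in for a captured response (not real IdP output)."""
    xml = f'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="{sig_alg}"/>
 <ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{digest_alg}"/>
 </ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>'''
    return base64.b64encode(xml.encode()).decode()

LEGACY = sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                "http://www.w3.org/2000/09/xmldsig#sha1")
UPDATED = sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                 "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, resp in (("legacy", LEGACY), ("updated", UPDATED)):
        hits = audit(resp)
        print(name, "-> SHA-1 still in use:" if hits else "-> no SHA-1 found", hits)
```

With the HTTP-Redirect binding the signature algorithm travels in the `SigAlg` query parameter instead of the XML, so check that value there.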

Please note that you must take these actions yourself, since MuleSoft does not have prior knowledge of your specific Identity Provider or its configuration.

 

What happens if you don’t make the change:

Effective March 15, 2026, Identity Providers (IdPs) configured to use SHA-1 will no longer be accepted, resulting in failed logins for affected users. You may need to work with vendors or third parties, if required, to comply with this request.

 

We appreciate your attention to this important update and your partnership in keeping our ecosystem secure. For questions, contact your MuleSoft account team.
