I am currently are using .NET Framework 2.0 and have customers that are signing their SAML2 request with SHA-1. The certificate itself is SHA-256 but the signing has to be done with SHA-1 until I upgrade to .NET Framework 4.0. They are saying that as of January 1, 2017 their SSO will stop to work (https://www.symantec.com/theme/sha2-transition). From what I can tell this deprecation will not affect the SAML request itself, but the actual websites. All websites need to go to SHA-256 certificates. I wanted to verify that what I am reading is correct. Thank you for your input regarding this.
Your understanding is correct.
X.509 certificates are signed by their issuer. Support for SHA-1 signed certificates is being phased out by Microsoft, Google and other parties. This will affect certificates configured for HTTPS web site support.
Certificate authorities have been issuing SHA-2 signed certificates for some time in anticipation of this.
Whether a certificate is signed using SHA-1 or SHA-2 does not affect it’s use for generating and verifying signatures.
For example, a SHA-1 signed certificate may be used to generate a SHA-256 XML signature.
A SHA-256 signed certificate may be used to generate a SHA-1 XML signature.
SAML SSO will continue to work with SHA-1 signatures.
However, the recommendation is to move to SHA-256 signatures as soon as possible.