...
The IdP also supports a standardized SAML metadata extension that influences the algorithms it will use, based on the capabilities of the SP. For metadata under your control, using the extension to specify that SHA-1 is required is generally a better strategy than specifying it in a RelyingParty override, but often this isn't possible, so a filter is also provided for supplementing remote sources. We encourage deployers to ask their metadata sources (i.e., federations) about this capability, as it is critically important for dealing with future algorithm weaknesses that may emerge over time.
...