Discourage the use of fingerprint on production environments

Author: pitbulk

README.md

@@ -132,6 +132,8 @@ In production, the **strict** parameter MUST be set as **"true"**. Otherwise
 your environment is not secure and will be exposed to attacks.
 
 
+In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
+
 Getting started
 ---------------
 
@@ -326,7 +328,9 @@ This is the settings.json file:
         "x509cert": "<onelogin_connector_cert>"
         /*
          *  Instead of using the whole x509cert you can use a fingerprint in order to
-         *  validate a SAMLResponse, but you will need it to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding.
+         *  validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
+         *  But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
+         *  that why we don't recommend it use for production environments.
          *
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *  or add for example the -sha256 , -sha384 or -sha512 parameter)
@@ -337,6 +341,7 @@ This is the settings.json file:
          *
          *  Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you
          *  will need to provide the whole x509cert.
+	 *
          */
         // 'certFingerprint': '',
         // 'certFingerprintAlgorithm': 'sha1',