diff --git a/securing_apps/topics/saml/java/general-config/idp_element.adoc b/securing_apps/topics/saml/java/general-config/idp_element.adoc
index 212e814f68..b264dcbaba 100644
--- a/securing_apps/topics/saml/java/general-config/idp_element.adoc
+++ b/securing_apps/topics/saml/java/general-config/idp_element.adoc
@@ -27,7 +27,9 @@ signatureAlgorithm::
   This is the signature algorithm that the IDP expects signed documents to use.
   Allowed values are: `RSA_SHA1`, `RSA_SHA256`, `RSA_SHA512`, and `DSA_SHA1`.
   This setting is _OPTIONAL_
-  and defaults to `RSA_SHA256`.
+  and defaults to `RSA_SHA256`. Note that `SHA1` based algorithms are deprecated and can be removed in the future.
+ We recommend the use of some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures
+  do not work if the SAML server (usually {project_name}) runs on Java 17 or higher.
 signatureCanonicalizationMethod::
   This is the signature canonicalization method that the IDP expects signed documents to use.  This setting is  _OPTIONAL_.
   The default value is `\http://www.w3.org/2001/10/xml-exc-c14n#` and should be good for most IDPs.
diff --git a/server_admin/topics/clients/saml/proc-creating-saml-client.adoc b/server_admin/topics/clients/saml/proc-creating-saml-client.adoc
index f1d1ad4e44..b3c36f77a1 100644
--- a/server_admin/topics/clients/saml/proc-creating-saml-client.adoc
+++ b/server_admin/topics/clients/saml/proc-creating-saml-client.adoc
@@ -84,7 +84,9 @@ This option is used when {project_name} server and adapter provide the IDP and S
 
 *Sign Assertions*:: The assertion is signed and embedded in the SAML XML Auth response.
 
-*Signature Algorithm*:: The algorithm used in signing SAML documents.
+*Signature Algorithm*:: The algorithm used in signing SAML documents. Note that `SHA1` based algorithms are deprecated and may be removed in a future release.
+We recommend the use of some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures
+do not work if the SAML client runs on Java 17 or higher.
 
 *SAML Signature Key Name*:: Signed SAML documents sent using POST binding contain the identification of the signing key in the *KeyName* element. This action can be controlled by the *SAML Signature Key Name* option. This option controls the contents of the *Keyname*.
 +
diff --git a/server_admin/topics/identity-broker/saml.adoc b/server_admin/topics/identity-broker/saml.adoc
index bb21f97090..d200180e51 100644
--- a/server_admin/topics/identity-broker/saml.adoc
+++ b/server_admin/topics/identity-broker/saml.adoc
@@ -50,7 +50,9 @@ image:images/saml-add-identity-provider.png[Add Identity Provider]
 |When *ON*, {project_name} uses the realm's keypair to sign requests sent to the external SAML IDP.
 
 |Signature Algorithm
-|If *Want AuthnRequests Signed* is *ON*, the signature algorithm to use.
+|If *Want AuthnRequests Signed* is *ON*, the signature algorithm to use. Note that `SHA1` based algorithms are deprecated and may be removed in a future release.
+We recommend to use some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures
+do not work if the SAML identity provider (for example another instance of {project_name}) runs on Java 17 or higher.
 
 |SAML Signature Key Name
 |Signed SAML documents sent using POST binding contain the identification of signing key in `KeyName` element, which, by default, contains the {project_name} key ID. External SAML IDPs can expect a different key name. This switch controls whether `KeyName` contains:
diff --git a/upgrading/topics/keycloak/changes-21_0_0.adoc b/upgrading/topics/keycloak/changes-21_0_0.adoc
index 1e922537c5..52f499b953 100644
--- a/upgrading/topics/keycloak/changes-21_0_0.adoc
+++ b/upgrading/topics/keycloak/changes-21_0_0.adoc
@@ -25,3 +25,12 @@ Before upgrading it is recommended to review all metrics returned from the endpo
 |`agroal_*`
 
 |===
+
+= Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML
+
+Algorithms `RSA_SHA1` and `DSA_SHA1`, which can be configured as `Signature algorithms` on SAML adapters, clients and identity providers are deprecated. We recommend to use safer
+alternatives based on `SHA256` or `SHA512`. Also, verifying signatures on signed SAML documents or assertions with these
+algorithms do not work on Java 17 or higher. If you use this algorithm and the other party consuming your SAML documents is running on Java 17 or higher, verifying signatures will not work.
+
+The possible workaround is to remove algorithms such as `http://www.w3.org/2000/09/xmldsig#rsa-sha1` or `http://www.w3.org/2000/09/xmldsig#dsa-sha1` from the list
+of "disallowed algorithms" configured on property `jdk.xml.dsig.secureValidationPolicy` in the file `$JAVA_HOME/conf/security/java.security`.