Questions about Cognito SAML Authentication process

0

Hi,

I need a few clarifications, as below, about how AWS Cognito works with SAML providers.

  1. Does Cognito SAML request a signing certificate?
  2. Does Cognito support a token encryption certificate?
  3. Which Secure Hash Algorithm does Cognito use for SAML authentication: SHA-1 or SHA-256?

Thanks,

1 answer
1

Does Cognito SAML request a signing certificate?

Cognito requires that you upload a metadata document or specify a metadata URL. I believe the signing certificate is included in this metadata, whether the document is uploaded manually or specified through the URL. If your IdP requires a signed logout request, you can also download the signing certificate from your user pool and upload it to your identity provider, so that the single logout requests can be verified.

Does Cognito support a token encryption certificate?

The Cognito service does not support the use of token encryption certificates. This is due to the fact that the Cognito service can only be used in a service provider flow, not an identity provider flow, and as such cannot send any tokens to other applications.

Which Secure Hash Algorithm does Cognito use for SAML authentication: SHA-1 or SHA-256?

Could you clarify where you expect this hashing to be used? I cannot find any reference to hashing in the SAML flow for your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html If there is hashing involved in relation to SAML, it will be on the IdP side, not done by the Cognito user pool.

Expert
answered a year ago
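As an added illustration (not part of the answer above or of any AWS code), the script below parses a constructed IdP metadata document to list which certificates are offered for signing versus encryption (the KeyDescriptor "use" attribute), and reads the SignatureMethod and DigestMethod URIs from a constructed signed SAML Response, which is where SHA-1 versus SHA-256 actually shows up in a SAML flow: on the message the IdP signs. Both sample documents and the placeholder certificate values are constructed for this example.

```python
# Inspect SAML IdP metadata for signing vs. encryption certificates and report which
# signature/digest algorithms a signed SAML message declares (stdlib only).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (not from a real IdP); certificate bodies are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...signing-cert-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...encryption-cert-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of a signed SAML Response (SignatureValue and Assertion omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# XML-DSig algorithm identifiers that are SHA-1 based and should be retired at the IdP.
SHA1_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}


def certificates_by_use(metadata_xml):
    """Map 'signing' / 'encryption' to the X509 certificates offered for that use.
    A KeyDescriptor with no 'use' attribute is valid for both, so it is listed under both."""
    result = {"signing": [], "encryption": []}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            for use in uses:
                result[use].append(cert.text.strip())
    return result


def signature_algorithms(message_xml):
    """Return the SignatureMethod and DigestMethod URIs of a signed SAML message
    and flag whether either one is SHA-1 based (None for each if the message is unsigned)."""
    root = ET.fromstring(message_xml)
    sig = root.find(".//ds:SignatureMethod", NS)
    dig = root.find(".//ds:DigestMethod", NS)
    algs = {"signature": sig.get("Algorithm") if sig is not None else None,
            "digest": dig.get("Algorithm") if dig is not None else None}
    algs["uses_sha1"] = any(a in SHA1_ALGORITHMS for a in algs.values())
    return algs
```

Run `certificates_by_use` on your IdP's real metadata to confirm a signing certificate is present before uploading it to the user pool, and `signature_algorithms` on a captured Response to see whether the IdP still signs with SHA-1.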
