SAML1 for particular Relying Party within a federation

Peter Schober peter.schober at univie.ac.at
Mon May 11 08:12:33 EDT 2015


* Keith Carr <kecarr at sgul.ac.uk> [2015-05-11 13:49]:
> With the recent vulnerabilities exposed within the TLS/SSL
> protocols (POODLE) we tightened up server configs, including setting
> Tomcat to work with TLS 1.0 as a minimum requirement. However we
> have found doing so “breaks” SAML1.x assertion exchange with one of
> the SP’s (Ovid). It seems like they are some time away from
> addressing the security vulnerability themselves and moving to
> SAML2.x.

I don't see a big problem keeping the Attribute Authority port of your
IDP more lax wrt TLS/SSL ciphers and protocol versions.
In most cases with SAML1-only SPs (read: publishers) the only data
they're gonna get is either eduPerson(Scoped)Affiliation or
eduPersonEntitlement with the common-lib-terms value. Nothing worth
encrypting, really.
And at least the data is not going over the browser, and there's still
mutual authentication with trust fabric certificates (unless there are
other exploits that also allow subverting this)?
-peter
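One way to check that a relaxation like the one Peter describes stays confined to the back-channel Attribute Authority connector is to audit the Tomcat server.xml rather than trust memory. The script below is an added example, not code from the thread or from the Tomcat or Shibboleth projects; the server.xml fragment, the port numbers (443 for browsers, 8443 for the SAML1 SOAP back-channel) and the policy thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): the browser-facing connector
# is hardened, the SAML1 attribute-authority (SOAP back-channel) connector still
# allows TLS 1.0 for a legacy SP, and a forgotten third connector still offers SSLv3.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1"/>
  </Service>
</Server>"""

NEVER_ALLOWED = {"SSLv2", "SSLv2Hello", "SSLv3"}  # POODLE-class: no connector may offer these
LEGACY_ONLY = {"TLSv1"}                            # tolerated only on the mutually authenticated AA port

def audit_connectors(server_xml, backchannel_ports):
    """Return {port: [findings]} for every SSL-enabled Connector in server_xml.

    backchannel_ports: ports that carry only SAML1 SOAP traffic with client
    certificate authentication, where TLS 1.0 is tolerated for legacy SPs.
    An empty findings list means the connector complies with the policy.
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = int(conn.get("port"))
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        findings = []
        if not protocols:
            findings.append("sslEnabledProtocols unset: JVM default applies, verify it excludes SSLv3")
        for bad in sorted(protocols & NEVER_ALLOWED):
            findings.append(f"{bad} enabled: disable it on every connector")
        if port not in backchannel_ports:
            for weak in sorted(protocols & LEGACY_ONLY):
                findings.append(f"{weak} enabled on a browser-facing connector")
        elif conn.get("clientAuth", "false").lower() not in ("want", "true"):
            findings.append("back-channel connector does not request client certificates")
        report[port] = findings
    return report

if __name__ == "__main__":
    for port, findings in sorted(audit_connectors(SERVER_XML, {8443}).items()):
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against the real server.xml and pass the set of ports that only SAML1 SPs talk to; any TLS 1.0 finding outside that set means the exception has leaked onto a browser-facing port.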


More information about the users mailing list