Shibboleth Identity Provider Security Advisory [4 October 2017]

Cantor, Scott cantor.2 at
Wed Oct 4 11:51:59 EDT 2017

On 10/4/17, 11:44 AM, "users on behalf of Doan, Tommy" <users-bounces at on behalf of tdoan at> wrote:

> Does the vulnerability not apply to LDAP authN configuration but only to the attribute resolver? 

That is correct though I would say without any equivocation that using the JVM's trust store is always the wrong decision and should never be done anywhere for any reason. And that will be the official position of the project to the extent that we will stop supporting it in 4.0 to whatever extent possible.

-- Scott

More information about the users mailing list