Shibboleth Service Provider Security Advisory [27 February 2018]

Klingenstein, Nate nklingenstein at
Tue Feb 27 19:29:03 EST 2018


> Apologies for the dumb question, but is there a way to determine, from the IdP end of things, whether any of the SPs we integrate with may be vulnerable because they do not support XML encryption?

Check for SP's that have encryption explicitly disabled:

<bean parent="SAML2.SSO" p:encryptAssertions="false">

And look for SP's that don't have certificates in their metadata if you have idp.encryption.optional=true.

Take care,

More information about the users mailing list