Shibboleth Service Provider Security Advisory [27 February 2018]
nklingenstein at calstate.edu
Tue Feb 27 19:29:03 EST 2018
> Apologies for the dumb question, but is there a way to determine, from the IdP end of things, whether any of the SPs we integrate with may be vulnerable because they do not support XML encryption?
Check for SPs that have encryption explicitly disabled:
<bean parent="SAML2.SSO" p:encryptAssertions="false">
And look for SPs that don't have certificates in their metadata if you have idp.encryption.optional=true.
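
Added example, not part of the original message or of Shibboleth itself: a Python sketch of both checks described above, run over text you load from your IdP's configuration and SP metadata. The sample metadata, entity IDs and config snippet are constructed, and treating only X509Certificate elements as encryption keys is an assumption.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def has_encryption_cert(sp):
    """True if the SPSSODescriptor carries a certificate usable for encryption."""
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing and encryption.
        if kd.get("use", "encryption") != "encryption":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and (cert.text or "").strip():
            return True
    return False

def sps_without_encryption_cert(metadata_xml):
    """Return entityIDs of SPs the IdP has no certificate to encrypt to."""
    found = []
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        sps = entity.findall("md:SPSSODescriptor", NS)
        if sps and not any(has_encryption_cert(sp) for sp in sps):
            found.append(entity.get("entityID"))
    return found

def encryption_disabled_lines(config_text):
    """Return 1-based line numbers that set encryptAssertions="false"."""
    pat = re.compile(r'encryptAssertions\s*=\s*"false"')
    return [n for n, line in enumerate(config_text.splitlines(), 1) if pat.search(line)]

# Constructed sample metadata: entity IDs and certificate text are placeholders.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth"><md:SPSSODescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth"><md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
  <md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed config fragment containing the bean from the message above.
SAMPLE_CONFIG = """<util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="SAML2.SSO" p:encryptAssertions="false" />
</util:list>"""

if __name__ == "__main__":
    print("No encryption certificate:", sps_without_encryption_cert(SAMPLE_METADATA))
    print("encryptAssertions=false on lines:", encryption_disabled_lines(SAMPLE_CONFIG))
```
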