Shibboleth Service Provider Security Advisory [27 February 2018]

Cantor, Scott cantor.2 at
Tue Feb 27 19:36:21 EST 2018

> Check for SPs that have encryption explicitly disabled:
> <bean parent="SAML2.SSO" p:encryptAssertions="false">
> And look for SPs that don't have certificates in their metadata if you
> have idp.encryption.optional=true.

Another way of saying this is that if you run in a default way, then you have to have chosen to do it and the question is sort of academic.

Flipping the optional bit is a different matter. I don't regret doing it (*) but it's worth it to add an audit field that exposes this, which is something I was already planning to add, since I've been aware of this for a few weeks.

-- Scott

(*) That may sound odd, but consider that for a cloud vendor, if encryption's off I'm well aware of it, the integrations are too manual for that to be overlooked or hidden from me, so I know the risk and what to do now to go investigate it. For an SP that's protecting its own data, the risk with this bug is not mine, it's theirs. So if they don't care enough to bother, I don't happen to believe it's my job to do it for them.
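The two checks quoted at the top of this message (an explicit `p:encryptAssertions="false"` override, and SPs with no encryption certificate in metadata while `idp.encryption.optional=true`) can be run as one audit pass over the IdP configuration. The script below is an added example, not code from Scott Cantor or the Shibboleth project; the three inputs are constructed samples standing in for `conf/relying-party.xml`, `conf/idp.properties` and the aggregated SP metadata, and the assumption that `idp.encryption.optional` defaults to false when absent matches the property being shipped commented out.

```python
"""Audit helper: which SPs would receive unencrypted SAML assertions from this IdP?

All three inputs below are constructed samples, not real deployment files.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the Spring-based relying-party.xml and by SAML metadata.
NS_P = "http://www.springframework.org/schema/p"
NS_C = "http://www.springframework.org/schema/c"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed relying-party.xml: one override turns assertion encryption off.
RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://legacy.example.org/sp">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:encryptAssertions="false"/>
      </list>
    </property>
  </bean>
</beans>"""

# Constructed idp.properties with the optional bit flipped.
IDP_PROPERTIES = """idp.entityID = https://idp.example.org/idp/shibboleth
idp.encryption.optional = true
"""

# Constructed metadata: one SP publishes an encryption key, one publishes only a signing key.
METADATA_XML = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://app.example.org/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://nokey.example.org/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo>placeholder</ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def explicitly_disabled(relying_party_xml: str) -> set:
    """Entity IDs whose RelyingPartyByName override carries p:encryptAssertions="false"."""
    root = ET.fromstring(relying_party_xml)
    found = set()
    for rp in root.iter():
        ids = rp.get(f"{{{NS_C}}}relyingPartyIds")
        if ids is None:
            continue
        # Any profile bean nested under this override that disables encryption.
        for profile in rp.iter():
            if profile.get(f"{{{NS_P}}}encryptAssertions", "").lower() == "false":
                found.update(i.strip() for i in ids.split(","))
    return found


def encryption_optional(idp_properties: str) -> bool:
    """True when idp.encryption.optional=true; assumed false when the key is absent."""
    for line in idp_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "idp.encryption.optional":
            return value.lower() == "true"
    return False


def sps_without_encryption_key(metadata_xml: str) -> set:
    """SP entities with no KeyDescriptor usable for encryption (use="encryption" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    missing = set()
    for ed in root.iter(f"{{{NS_MD}}}EntityDescriptor"):
        sp = ed.find(f"{{{NS_MD}}}SPSSODescriptor")
        if sp is None:
            continue  # not an SP entry
        has_key = any(kd.get("use") in (None, "encryption")
                      for kd in sp.findall(f"{{{NS_MD}}}KeyDescriptor"))
        if not has_key:
            missing.add(ed.get("entityID"))
    return missing


def unencrypted_sps(relying_party_xml: str, idp_properties: str, metadata_xml: str) -> dict:
    """Map entityID -> reason this IdP would send that SP unencrypted assertions."""
    report = {eid: "encryptAssertions=false override"
              for eid in explicitly_disabled(relying_party_xml)}
    if encryption_optional(idp_properties):
        for eid in sps_without_encryption_key(metadata_xml):
            report.setdefault(eid, "no encryption key in metadata and idp.encryption.optional=true")
    return report


if __name__ == "__main__":
    for eid, why in sorted(unencrypted_sps(RELYING_PARTY_XML, IDP_PROPERTIES, METADATA_XML).items()):
        print(f"{eid}: {why}")
```

The second check is only conditioned on the optional bit because with `idp.encryption.optional=false` the IdP refuses to complete the SSO for an SP lacking an encryption key rather than falling back to a plaintext assertion; the override in `relying-party.xml` is a deliberate choice regardless of that setting, which is the point the reply above makes.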
