Error creating SP metadata when adding X509 certificate for encryption

Brent Putman putmanb at georgetown.edu
Thu Mar 1 22:03:34 EST 2018



On 2/26/18 8:48 PM, Cantor, Scott wrote:
> I don't recall exactly what it will do when there's an EncryptionMethod algorithm included that is barred. It may fall back to the OAEP padding method that's not broken or it may give up and assume the SP doesn't support anything else. I thought it did the latter, but you're not getting far enough to tell.

For the archives, if no EncryptionMethod present in metadata is
selected (e.g. due to blacklisting), then it falls back to the local
IdP configuration, whatever that is.  In other words, same as if there
had been no EncryptionMethod in metadata.  For key transport
encryption, the default in the IdP out of the box is going to be the
XML Encryption 1.0 OAEP one:

http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p

Same for EncryptionMethod elements in metadata for the data encryption
algorithm, except obviously different defaults.
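
The fallback Brent describes, as an added example that is not code from the Shibboleth project: it models how an IdP might pick the key transport and data encryption algorithms from an SP's metadata, skipping blacklisted EncryptionMethod URIs and otherwise using the local default. The blacklist contents, the data encryption default and the sample SP metadata are assumptions constructed for this example; the key transport default is the one named in the thread.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Standard XML Encryption algorithm URIs, grouped by what they are used for.
KEY_TRANSPORT_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}
DATA_ENCRYPTION_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}

# Assumed local IdP configuration: the key transport default is the one named in
# the thread; the data encryption default and the blacklist are assumptions.
IDP_DEFAULTS = {
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "data_encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}
BLACKLIST = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5"}  # PKCS#1 v1.5 key transport


def select_algorithm(metadata_xml, kind, blacklist=BLACKLIST, defaults=IDP_DEFAULTS):
    """Return (algorithm, source) for kind 'key_transport' or 'data_encryption'.
    First non-blacklisted EncryptionMethod of that kind from the SP's encryption
    KeyDescriptors wins; with none usable, fall back to the local IdP default,
    exactly as if the metadata had carried no EncryptionMethod at all.
    """
    wanted = KEY_TRANSPORT_ALGS if kind == "key_transport" else DATA_ENCRYPTION_ALGS
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "encryption") != "encryption":  # skip signing-only keys
            continue
        for em in kd.findall("md:EncryptionMethod", {"md": MD_NS}):
            alg = em.get("Algorithm")
            if alg in wanted and alg not in blacklist:
                return alg, "metadata"
    return defaults[kind], "local-default"


# Constructed sample: the SP advertises only the blacklisted PKCS#1 v1.5 key
# transport, plus AES-256-CBC for data encryption.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

With the sample above, key transport falls back to the local OAEP default while data encryption is taken from metadata; clearing the blacklist makes the SP's rsa-1_5 entry win instead.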


