CentOS/RHEL packages for - Shibboleth Service Provider Security Advisory [27 February 2018]

Michael A Grady mgrady at unicon.net
Thu Mar 8 12:45:23 EST 2018

> On Mar 8, 2018, at 11:34 AM, Peter Schober <peter.schober at univie.ac.at> wrote:
> * Sam Jacob <skjacob at gmail.com> [2018-03-08 18:16]:
>> from Scott's post:
>> "I investigated, discreetly, a number of SPs that my university has
>> campus-wide integrations with and that did not support XML Encryption "
>> How do you determine an SP that doesn't support XML Encryption?
> Things to look for:
> An SP with no key in metadata or with a key that has use="signing".
> A RelyingParty exception for SAML2.SSO with p:encryptAssertions="false".
> A property setting idp.encryption.optional to true (idp.properties or elsewhere).
> -peter
> --

Of course, that last one only impacts encryption if the first one you list (no cert in metadata, or the only cert has use="signing") is true. So another way of summarizing is, if you have:

- property setting idp.encryption.optional set to true (idp.properties or elsewhere), then the key thing to look at is the metadata you have for each SP, to see if there is a cert (key) that can be used for encryption or not. No cert (key), no encryption.

- either way, check for any and all RelyingParty exceptions for SAML2.SSO with p:encryptAssertions="false"

Michael A. Grady
IAM Architect, Unicon, Inc.
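The first check in the thread (an SP with no key in metadata, or only a use="signing" key) can be scripted against an IdP's metadata. The following is an added example, not code from the thread or from the Shibboleth project; the SAMPLE_METADATA aggregate and its entityIDs are constructed, and the certificate bodies are placeholders.

```python
# Added example: flag SPs whose metadata carries no key the IdP could encrypt to.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: SP A has a dual-use key, SP B only a signing key,
# SP C no key at all. The certificate text is a placeholder.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sp_encryption_capable(metadata_xml: str) -> dict:
    """Return {entityID: bool}; True when the SP has a key usable for encryption."""
    root = ET.fromstring(metadata_xml)
    status = {}
    # iter() covers both a lone EntityDescriptor and an EntitiesDescriptor aggregate.
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        sp = ed.find(f"{{{MD_NS}}}SPSSODescriptor")
        if sp is None:
            continue  # IdP or attribute-authority roles are out of scope here
        capable = False
        for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor"):
            # A KeyDescriptor with no "use" attribute is valid for both signing and
            # encryption; use="signing" alone leaves the IdP nothing to encrypt to.
            if kd.get("use") in (None, "encryption") and kd.find(f"{{{DS_NS}}}KeyInfo") is not None:
                capable = True
        status[ed.get("entityID")] = capable
    return status

def sps_without_encryption(metadata_xml: str) -> list:
    """entityIDs to review against relying-party.xml and idp.encryption.optional."""
    return sorted(e for e, ok in sp_encryption_capable(metadata_xml).items() if not ok)
```

Run it against the metadata the IdP actually consumes (the resolved aggregate, not just local files), and cross-check each flagged entityID against the RelyingParty overrides mentioned above.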
