CentOS/RHEL packages for - Shibboleth Service Provider Security Advisory [27 February 2018]

Tom Scavo trscavo at gmail.com
Thu Mar 8 14:17:38 EST 2018

On Thu, Mar 8, 2018 at 12:16 PM, Sam Jacob <skjacob at gmail.com> wrote:
> from Scott's post:
> "I investigated, discreetly, a number of SPs that my university has
> campus-wide integrations with and that did not support XML Encryption "
> How do you determine an SP that doesn't support XML Encryption?

Others have already answered your question but it's important (I
think) to note that the only way to know if an SP supports XML
encryption is for an IdP to encrypt an assertion (using the encryption
key in SP metadata) and see if the SP can decrypt it. Everything else
is merely a hint.

Actually it's worse than that. An SP that supports XML encryption but
does not support the seamless rollover of encryption keys is
potentially worse than an SP that does not support encryption at all.
You can ask the SP owner if they *fully* support XML encryption
(including rollover) but many SP owners don't seem to understand what
it takes to migrate an encryption key (until it's too late). In the
end, you may as well ask what SP software they're using since the
number of implementations known to be configurable with two decryption
keys is quite small. AFAIK, only Shibboleth, simpleSAMLphp, and a
certain Ruby gem whose official name I do not know can do that.
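
The "hint" mentioned above, as an added example that is not part of this thread: a stdlib-only Python script that inventories the encryption-capable keys an SP publishes in its SAML metadata (a KeyDescriptor with use="encryption" or with no use attribute; use="signing" keys cannot decrypt). The sample metadata and its certificate blobs are constructed placeholders, and a second published key is only a hint that the SP is mid-rollover; as the post says, the proof is an IdP actually encrypting to the new key.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata. The base64 blobs are placeholders standing
# in for certificates; they are fingerprinted, not parsed as X.509.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>U0lHTklOR0tFWQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xES0VZ</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>TkVXS0VZ</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def encryption_key_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of the distinct encryption-capable
    certificates an SP publishes, in document order."""
    root = ET.fromstring(metadata_xml)
    seen = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # No use attribute means the key serves both signing and encryption.
        if kd.get("use") not in (None, "encryption"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:
                seen.append(fp)
    return seen


def rollover_hint(metadata_xml):
    """'dual' when two or more encryption keys are published (a hint, not
    proof, that the SP can decrypt with both), 'single' for one, else 'none'."""
    n = len(encryption_key_fingerprints(metadata_xml))
    return "none" if n == 0 else "single" if n == 1 else "dual"
```

Run it against real SP metadata exported from a federation to see which SPs publish a second encryption key; it says nothing about whether the SP software actually loads both.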