Shib IDP v3 integration with Cylance

Phil Pishioneri pgp at pSu.edu
Mon Mar 19 18:37:44 EDT 2018


On 3/19/18 8:13 AM, Losen, Stephen C. (scl) wrote:
> Has anyone integrated Shib IDP v3 with Cylance's SAML implementation?

Yes.

> Looks like I need to hand craft a minimal SP metadata file (no certs, one SAML2 ACS endpoint).

That's what we did.

> I presume Cylance wants the username returned in the NameID, since their SAML doc says nothing about attributes.

We put emailAddress in our NameID. Also released displayName and mail
(yes, also as an attribute). Their "External Identity Provider Login"
login form asks for an email address.

On 3/19/18 9:21 AM, Cantor, Scott wrote:
> Unless known to be using an unaffected or patched library, you should operate on the assumption that any one-off SP without encryption support is at least 50% likely to be impacted by the recent XML vulnerabilities or older ones people haven't been testing for. It's no longer really a viable practice to omit encryption unless you're going to personally test them all.

We told our local Cylance admin about the advisory and asked them to pass
it along to Cylance.

-Phil
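As an added example, not part of this thread and not Shibboleth's or Cylance's own code: a small Python check that an IdP operator could run over a hand-crafted SP metadata file of the kind described above, to surface the points raised here before the entity is loaded into the IdP. It reports whether the SP publishes an encryption certificate (without one the IdP cannot encrypt assertions, which is the exposure Scott describes), how many AssertionConsumerService endpoints it declares and whether they are https, and which NameID formats it advertises. Both metadata samples are constructed; the entityIDs, ACS URLs and the certificate body are placeholders rather than anything Cylance publishes.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample: a minimal SP metadata file as described in the thread
# (no certificates, one SAML2 ACS endpoint, emailAddress NameID format).
# entityID and Location are placeholders, not Cylance's real values.
MINIMAL_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same SP with an encryption KeyDescriptor added.
# The certificate body is a placeholder; the check only tests for its presence.
SP_WITH_ENCRYPTION_KEY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp2.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp2.example.invalid/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def audit_sp_metadata(xml_text):
    """Summarise the security-relevant properties of a single SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("expected a single md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor found")

    # A KeyDescriptor carrying a certificate with use="encryption", or with no
    # use attribute (meaning both signing and encryption), is what the IdP
    # needs in order to encrypt assertions for this SP.
    encryption_keys = 0
    for kd in sp.findall("md:KeyDescriptor", NS):
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        if has_cert and kd.get("use") in (None, "encryption"):
            encryption_keys += 1

    acs = sp.findall("md:AssertionConsumerService", NS)
    acs_locations = [a.get("Location", "") for a in acs]
    nameid_formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text]

    findings = []
    if encryption_keys == 0:
        findings.append("no encryption certificate: assertions to this SP cannot be encrypted")
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for loc in acs_locations:
        if not loc.startswith("https://"):
            findings.append("non-https ACS endpoint: %s" % loc)

    return {
        "entity_id": root.get("entityID"),
        "encryption_keys": encryption_keys,
        "acs_locations": acs_locations,
        "nameid_formats": nameid_formats,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (MINIMAL_SP_METADATA, SP_WITH_ENCRYPTION_KEY):
        result = audit_sp_metadata(sample)
        print(result["entity_id"], "->", result["findings"] or "no findings")
```

Run it against each hand-crafted SP file before adding the entity to the IdP's metadata providers; an SP that is flagged for having no encryption certificate is one you have to either get a certificate for or consciously accept as unencrypted, which is the decision the thread is about.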

