AES256-CBC for encryption?

Cantor, Scott cantor.2 at
Fri May 10 18:24:45 EDT 2019

On 5/10/19, 6:12 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Thanks, Scott. That explains why my encrypted assertion is still going as AES128. Yes, we do control the metadata. Is it as
> simple as just adding this to their metadata?


> I don't have to make mention of any signing algorithms or anything else as long as they're good with our defaults,
> correct?

Yes, the algorithm extension overrides individual types of behavior by intersecting the IdP-supported methods with the metadata, and no metadata just implies no preference and leaves the default behavior.

-- Scott
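
The selection rule described in the reply above, as a small model. This is an added example, not Shibboleth or OpenSAML code and not the snippet from the thread. The IdP's supported set, the AES128-CBC default, the use of metadata order to pick among common algorithms, the `None` result when nothing overlaps, and the sample SP metadata are all assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# Assumed IdP settings for this sketch (not read from any real configuration).
IDP_SUPPORTED = {XENC + "aes128-cbc", XENC + "aes256-cbc",
                 XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}
IDP_DEFAULT = XENC + "aes128-cbc"
# Key-transport URIs also appear as md:EncryptionMethod; they say nothing
# about the data-encryption cipher, so they are skipped here.
KEY_TRANSPORT = {XENC + "rsa-oaep-mgf1p", XENC + "rsa-1_5", XENC11 + "rsa-oaep"}


def sp_data_encryption_prefs(metadata_xml):
    """Data-encryption Algorithm URIs the SP lists, in metadata order."""
    root = ET.fromstring(metadata_xml)
    prefs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute applies to encryption too.
        if kd.get("use", "encryption") != "encryption":
            continue
        for em in kd.findall(f"{{{MD}}}EncryptionMethod"):
            alg = em.get("Algorithm")
            if alg and alg not in KEY_TRANSPORT:
                prefs.append(alg)
    return prefs


def choose_data_encryption(metadata_xml):
    """Intersect SP metadata preferences with what the IdP supports."""
    prefs = sp_data_encryption_prefs(metadata_xml)
    if not prefs:
        return IDP_DEFAULT  # no metadata preference: default behavior
    common = [a for a in prefs if a in IDP_SUPPORTED]
    # Sketch's choice: report None rather than guess when nothing overlaps.
    return common[0] if common else None


def sp_metadata(*algorithms):
    """Constructed, trimmed SP metadata (KeyInfo omitted) for the demo."""
    methods = "".join(f'<md:EncryptionMethod Algorithm="{a}"/>' for a in algorithms)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="encryption">{methods}</md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    print(choose_data_encryption(sp_metadata()))
    print(choose_data_encryption(sp_metadata(XENC + "aes256-cbc")))
```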
