Signing but force no encrypt, even in IDP metadata

Jehan Procaccia jehan.procaccia at
Fri Jun 12 21:28:58 UTC 2020


I see that I can invalidate encryption for a specific SP / entityID:

    <bean parent="SAML2.SSO" p:encryptAssertions="false" />

I know it's dirty, but the vendor I am trying to do SSO with not only 
asks for no encryption (only signing), but wants the metadata file of our 
IDP to contain only the signing certificate, with no occurrence of:

    <KeyDescriptor use="encryption">

because their integration tool fails when there are 2 certificates in the metadata.

Is there a way in the configuration of the IDP to completely invalidate 
encryption, to the point of making it disappear from the metadata?

I tried to comment out in credentials.xml:

    <util:list id="shibboleth.DefaultEncryptionCredentials">
        <bean
            p:privateKeyResource="%{idp.encryption.key}"
            p:certificateResource="%{idp.encryption.cert}"

but still <KeyDescriptor use="encryption"> appears in the metadata at

Or should I edit idp-metadata.xml myself and "blindly" remove all the 

        <KeyDescriptor use="encryption">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>

Thanks.
