Signing but force no encrypt, even in IDP metadata

Ray Bon rbon at
Fri Jun 12 22:25:02 UTC 2020


What is preventing the vendor from editing their copy of your metadata?


On Fri, 2020-06-12 at 23:28 +0200, Jehan Procaccia wrote:


From I see that I can invalidate encryption for a specific SP /entityID:

<bean parent="SAML2.SSO" p:encryptAssertions="false" />

I know it's dirty, but the Vendor I am trying to do SSO with not only asks for no encryption (only signing), but wants the metadataFile of our IDP to contain only the signing certificate, with no occurrence of:

<KeyDescriptor use="encryption">

because having 2 certificates in the metadata makes their integration tool fail

Is there a way in the configuration of the IDP to completely invalidate encryption, to the point of making it disappear from the Metadata?

I tried to comment out, in credentials.xml:

<util:list id="shibboleth.DefaultEncryptionCredentials">
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"

but <KeyDescriptor use="encryption"> still appears in the metadata at

Or should I edit idp-metadata.xml myself and "blindly" remove the whole section:

       <KeyDescriptor use="encryption">

Thanks.


Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
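Ray's question points at the fact that the metadata file is only a description of the IdP, so the vendor can trim their own copy. As an added example (not from this thread or the Shibboleth project), here is a script that removes the encryption KeyDescriptor from a copy of IdP metadata while checking that a signing-capable key survives; the sample metadata, its entityID and the certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample IdP metadata; entityID and certificate contents are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

KD = f"{{{MD}}}KeyDescriptor"


def key_uses(metadata_xml):
    """List the 'use' attribute of every KeyDescriptor, in document order.
    None means the attribute is absent, which SAML reads as signing AND encryption."""
    return [kd.get("use") for kd in ET.fromstring(metadata_xml).iter(KD)]


def advertises_encryption(metadata_xml):
    """True if any KeyDescriptor still offers an encryption key to an SP."""
    return any(use in ("encryption", None) for use in key_uses(metadata_xml))


def strip_encryption_keys(metadata_xml):
    """Return (new_xml, removed_count) with every KeyDescriptor use="encryption"
    removed from the IDPSSODescriptor. Descriptors without a 'use' attribute are
    left alone: dropping them would also drop the signing key. Raises if no
    signing-capable key would remain, so the file cannot be emptied by mistake."""
    root = ET.fromstring(metadata_xml)
    removed = 0
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for kd in list(idp.findall(KD)):
            if kd.get("use") == "encryption":
                idp.remove(kd)
                removed += 1
    if not any(kd.get("use") in ("signing", None) for kd in root.iter(KD)):
        raise ValueError("no signing-capable KeyDescriptor would remain")
    return ET.tostring(root, encoding="unicode"), removed
```

A KeyDescriptor with no use attribute advertises both roles, so advertises_encryption() still reports it after stripping. Trimming the metadata only changes what the SP is told; the IdP keeps encrypting for that SP until the p:encryptAssertions override from the thread is in place.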
