IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata

Robert Bradley robert.bradley at
Thu Nov 12 14:46:41 UTC 2020

After our recent upgrade to IdP 4.0.1, we came across an unusual example 
of an SP that apparently does not support GCM-based ciphers, but 
nevertheless contains metadata that advertises support for them.  (For 
general interest, these are SPs that have Shibboleth-like 
published metadata, but are actually SimpleSAMLphp-based.)  Until we can 
get the published metadata fixed, I was hoping to use a 
relying-party.xml override like this one:

<bean parent="RelyingPartyByName"> <!-- c:relyingPartyIds not shown -->
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO"
        p:securityConfiguration-ref="shibboleth.SecurityConfiguration.CBC" />
    </list>
  </property>
</bean>

to allow us to force the use of CBC ciphersuites instead of GCM. 
However, when SAML assertions are produced, the encrypted attribute 
block still claims to be GCM:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
<!-- snip irrelevant data -->
   xmlns:xenc="" />
<!-- snip -->

This is after both a reload-service call and restarting the IdP 
container.  I've managed to override security configuration elsewhere 
for SPs limited to SHA-1, so I don't believe it's a syntax error, but 
none of those SPs had metadata to advertise cipher support.  Has anyone 
else seen any similar behaviour, and should I be filing this as a 
potential IdP bug?

Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
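The check a practitioner would want before deciding whether this is an IdP bug, added here as an example and not code from the message above or from the Shibboleth project: read the md:EncryptionMethod algorithms the SP advertises in its metadata, read the algorithms actually used in the Response's EncryptedData and EncryptedKey elements, and compare them against the family you expected the override to force. The SP metadata and Response below are constructed samples (the entityID https://sp.example.org/shibboleth, the IDs and the cipher values are placeholders); the Response is laid out the way Shibboleth emits an EncryptedAttribute, with the EncryptedKey beside the EncryptedData.

```python
"""Compare the XML Encryption algorithms an SP advertises in metadata with
the ones an IdP actually used in a SAML Response.

Added example, not code from the original message or from Shibboleth; the
two XML documents below are constructed samples. Standard library only; use
defusedxml instead of ElementTree for XML you do not control.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Block cipher URIs from XML Encryption 1.0 (xmlenc#) and 1.1 (xmlenc11#).
GCM_ALGS = {f"http://www.w3.org/2009/xmlenc11#aes{n}-gcm" for n in (128, 192, 256)}
CBC_ALGS = {f"http://www.w3.org/2001/04/xmlenc#aes{n}-cbc" for n in (128, 192, 256)}
CBC_ALGS.add("http://www.w3.org/2001/04/xmlenc#tripledes-cbc")

def family(alg):
    """Map a data-encryption algorithm URI to 'gcm', 'cbc' or 'other'."""
    return "gcm" if alg in GCM_ALGS else "cbc" if alg in CBC_ALGS else "other"

def advertised_algorithms(metadata_xml):
    """Algorithms listed in md:EncryptionMethod on KeyDescriptors that may be
    used for encryption (use="encryption" or no use attribute at all)."""
    root = ET.fromstring(metadata_xml)
    algs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):
            algs += [em.get("Algorithm") for em in kd.iterfind("md:EncryptionMethod", NS)]
    return algs

def used_algorithms(response_xml):
    """(data cipher, key transport) for each xenc:EncryptedData in a Response.
    Shibboleth places EncryptedKey beside EncryptedData (linked through a
    ds:RetrievalMethod); other stacks nest it inside ds:KeyInfo. Both handled."""
    root = ET.fromstring(response_xml)
    used = []
    for parent in root.iter():  # ElementTree has no parent links, so walk parents
        ed = parent.find("xenc:EncryptedData", NS)
        if ed is None:
            continue
        ek = parent.find("xenc:EncryptedKey", NS)
        if ek is None:
            ek = ed.find(".//xenc:EncryptedKey", NS)
        data_alg = ed.find("xenc:EncryptionMethod", NS).get("Algorithm")
        key_alg = None if ek is None else ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
        used.append((data_alg, key_alg))
    return used

def check(metadata_xml, response_xml, wanted="cbc"):
    """Findings for any data cipher that is not of the wanted family or that
    the SP's metadata does not advertise. An empty list means no mismatch."""
    advertised = set(advertised_algorithms(metadata_xml))
    findings = []
    for data_alg, _ in used_algorithms(response_xml):
        if family(data_alg) != wanted:
            findings.append(f"{data_alg} is {family(data_alg)}, wanted {wanted}")
        if advertised and data_alg not in advertised:
            findings.append(f"{data_alg} is not advertised in SP metadata")
    return findings

# Constructed sample: SP metadata advertising GCM first, then CBC.
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor>
   <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
   <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
   <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  </md:KeyDescriptor>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the encrypted-attribute part of a Response, laid out as
# Shibboleth emits it; cipher values are placeholders, not real ciphertext.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
 <saml2:Assertion ID="_a1" Version="2.0"><saml2:AttributeStatement><saml2:EncryptedAttribute>
  <xenc:EncryptedData Id="_ed1" Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
   <ds:KeyInfo><ds:RetrievalMethod URI="#_ek1" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey Id="_ek1">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
 </saml2:EncryptedAttribute></saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(check(SAMPLE_SP_METADATA, SAMPLE_RESPONSE) or "no mismatch")
```

Run it against the SP's real metadata and a decoded Response (the SAML tracer output from a browser, or the SP's own log) with `wanted="cbc"`. If the cipher the IdP used is one the metadata advertises, the question becomes whether the IdP's metadata-driven algorithm selection is being applied ahead of the relying-party override, which is the thing to raise with the list or in a bug report; if the cipher is not advertised at all, the metadata is not the explanation.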
