IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata
cantor.2 at osu.edu
Thu Nov 12 14:57:38 UTC 2020
The security configuration you're talking about doesn't disallow GCM, it simply sets the default to CBC when there is no guidance. The metadata says GCM is favored, so the IdP uses it. Actually disallowing GCM would require building security configuration beans to explicitly enumerate only CBC algorithms or disallow GCM in that particular configuration.
Unless this is a federation supplying the metadata for the SP (in which case I'd contact the federation), a much simpler fix is to follow best practice and never trust remote metadata in the first place, so it can be fixed as required.
More information about the users