IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata

Jon Agland Jon.Agland at jisc.ac.uk
Thu Nov 12 16:52:19 UTC 2020


Hi Robert,

Further to Scott's message... 

On Thu, 2020-11-12 at 14:57 +0000, Cantor, Scott wrote:
> Unless this is a federation supplying the metadata for the SP (in
> which case I'd contact the federation), a much simpler fix is to
> follow best practice and never trust remote metadata in the first
> place, so it can be fixed as required.

If there is a federation involved, then it's probably us in the UK
federation. I've not seen any recent calls from the service provider
in our system.  If it is an SP registered in the federation, then if
you let me know the entityID, then we can contact them and ask them to
please supply us some updated metadata.

We've seen a few changes already for some of their SPs, where they are
moving from Shibboleth to simpleSAMLphp, not a direction I'd agree with
because it typically means falling back to CBC and removing algorithm
agility elements in the metadata.

Kind regards,

Jon

Jon Agland
Technical Services Manager - Trust and Identity
T 02038198207
M 07443984222
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

https://www.jisc.ac.uk/trust-and-identity
https://www.ukfederation.org.uk