IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata

Cantor, Scott cantor.2 at
Thu Nov 12 18:27:52 UTC 2020

On 11/12/20, 1:11 PM, "users on behalf of Alan Buxey via users" <users-bounces at on behalf of users at> wrote:

>    this is because IdP 4.x uses GCM by default whereas 3.x and earlier used CBC by default, yes?   So whilst
>    saying it can do GCM is metadata (probably the metadata generated from a previous Sib instance they ran)
>    is bad....there are those SPs out there that can't/(won't?) do GCM that will require an exception list defining :/

If you choose to maintain the default, then one way or the other, you need an exception list or metadata signaling. The same is true if you don't maintain the default but do want to allow GCM when it's supported.

-- Scott
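An added example, not code from the thread or from the Shibboleth project: a small Python routine that makes the per-SP choice described above, consulting a hypothetical local exception list first, then md:EncryptionMethod signaling in the SP's metadata, then the GCM default. The entity IDs and the metadata documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

# Hypothetical local exception list: SPs known to fail on GCM whatever their metadata says.
CBC_ONLY_SPS = {"https://legacy-sp.example.net/shibboleth"}


def sp_metadata(entity_id, *algorithms):
    """Build a constructed SP EntityDescriptor carrying the given md:EncryptionMethod entries."""
    methods = "".join('<md:EncryptionMethod Algorithm="%s"/>' % a for a in algorithms)
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="encryption">%s</md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>') % (MD_NS, entity_id, methods)


def declared_encryption_methods(metadata_xml):
    """Return (entityID, list of algorithm URIs) from KeyDescriptors usable for encryption.
    A KeyDescriptor with no 'use' attribute applies to both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    algs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") in (None, "encryption"):
            algs += [em.get("Algorithm") for em in kd.findall("{%s}EncryptionMethod" % MD_NS)]
    return root.get("entityID", ""), algs


def choose_data_encryption_algorithm(metadata_xml, default=AES128_GCM):
    """Pick the block-encryption algorithm for one SP and report why.
    Order: exception list (metadata may wrongly claim GCM), metadata signaling, IdP default."""
    entity_id, algs = declared_encryption_methods(metadata_xml)
    if entity_id in CBC_ONLY_SPS:
        return AES128_CBC, "exception list"
    if AES128_GCM in algs:
        return AES128_GCM, "metadata signals GCM"
    if AES128_CBC in algs:
        return AES128_CBC, "metadata signals CBC only"
    return default, "no signaling; IdP default"
```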
