Shibboleth.DEPRECATION : MetadataGenerator handler

Cantor, Scott cantor.2 at
Mon Dec 6 14:20:11 UTC 2021

On 12/6/21, 9:06 AM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:

>    (Others will likely report the sharing the supported crypto algorithms
>    as a security "vulnerability". ;))

That's the problem, yes, but I don't see much point in including anything we can't default on.

It also may be kind of moot, since Java generally supports everything we could possibly support (we even support ECDH encryption now).

>    [1] Which is of course impossible to predict. Maybe the continued
>    pressure to Containerize All The Things will make a Java-based shibd
>    less of an issue, with deployers "just" loading an image with that
>    part of the SP and a matching JVM. It would of course help if
>    Java-shibd then sufficiently scaled to connect via TCP sockets,
>    possibly protected with [m]TLS?

It should scale better than it does now, but TLS is TBD. That means key management and a lot of extra work and technical debt that we're hoping to avoid. I would expect something like stunnel would be more likely.

The issue isn't so much the deployment, but the configuration. The Java part is going to have to be configured largely the way the IdP is. I don't expect that to appeal to most people. But this is what we can do, and the alternative is "do nothing and sunset it" unless somebody shows up willing to commit to a decade of maintenance and to rewrite Xerces.

-- Scott

More information about the users mailing list