How to find out if a Shib SP would be able to decrypt using AES128-GCM?

Thomas Lenggenhager lenggenhager at
Wed Jan 13 16:37:13 UTC 2021

The GCMEncryption wiki page [1] claims in the section 'Deployer Impact' that

> most Shibboleth SPs (usually recognizable via entityID and by the /Shibboleth.sso paths in their endpoints) support GCM and most other SPs do not.

However, I haven't found any hint as to how I, as an SP administrator, could
easily find out whether my SP would be able to decrypt AES128-GCM encrypted
assertions if its metadata published support for this algorithm.

I guess it depends on the SP version as well as the OpenSSL version in
use. Any other dependencies?

We would like to start publishing AES128-GCM support for SPs registered
in SWITCHaai without causing too much overhead for the SP admins.

Does anyone have hands-on experience with AES128-GCM on Shib SPs?

Any hints appreciated, thank you in advance,


Thomas Lenggenhager, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, SWITZERLAND
phone +41 44 268 1515, direct +41 44 268 1541
