How to find out if a Shib SP would be able to decrypt using AES128-GCM?

Cantor, Scott cantor.2 at
Wed Jan 13 17:00:47 UTC 2021

On 1/13/21, 11:37 AM, "users on behalf of Thomas Lenggenhager" <users-bounces at on behalf of lenggenhager at> wrote:

>    However, I haven't found any hint how I as SP administrator could easily
>    find out whether my SP would be able to decrypt AES128-GCM encrypted
>    assertions, if its metadata would publish support for this algorithm.

With few exceptions (I don't know of any, but it's theoretically possible), just hit /Shibboleth.sso/Metadata and if the supported algorithm extensions include it, it's going to work.

>    I guess it depends on the SP version as well as the OpenSSL version in
>    use. Any other dependencies?

The xml-security-c version also matters but normally is updated along with the SP anyway.

>    Has someone hands on experience with AES128-GCM on Shib SPs?

I've tagged most of my campus SPs and most of the InCommon SPs we use that support it. I ran into a few so rotted that they don't, which of course means they also have gaping security bugs anyway.

-- Scott

More information about the users mailing list