Shibboleth SP 3 causes issues with the Crystal Reports Runtime Engine

[Cantor, Scott]

On 1/21/21, 5:06 AM, "users on behalf of Damian Crawford (JCAD)" <users-bounces at shibboleth.net on behalf of damian at jcad.co.uk> wrote:

>    So essentially does that mean that any referenced component within an application that uses the same dll as Shibboleth
> e.g. xerces-c_3_2.dll will fail?

Very little else uses Xerces or this would come up more than maybe once a decade.

Xerces is essentially EOL code that should never be used by anybody but Shibboleth at this point, given that nobody else is maintaining it. I would be very concerned about security vulnerabilities in Crystal Reports that they are probably ignoring by using it. I know what to do to prevent some of that risk, but they likely don't.

>  Our current solution therefore is to either reference a different version of the Crystal Reports runtime which uses an
> earlier version of that dll, which isn't really viable, or to use Shibboleth 2.6.1.4 and ISAPI.

The latter is not viable, that isn't supported code, not for several years. You'll have to find another SAML option if you require that product, probably just whatever Microsoft provides in .NET, or perhaps some other option like OIDC if it's not a federated application.

-- Scott