Question about relying-party-system.xml

Wessel, Keith kwessel at
Wed Jun 30 19:01:10 UTC 2021

We'll name ours, too: Ezri, maker of ArcGIS. I was impressed that they could consume a federation's metadata and use IdP discovery, and even validate the signature on the federation's aggregate. But when they got IdP metadata with multiple encryption certs, they didn't' try each cert to decrypt. To their credit, we reported the issue, and they have a developer actively working to fix it. Now if we could just convince some of these vendors that there are better options than creating your own SAML implementation...


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, June 30, 2021 1:57 PM
To: Shib Users <users at>
Subject: Re: Question about relying-party-system.xml

On 6/30/21, 2:48 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

>    Yes, understand all that. Service owners have long been notified - 
> some applications have been tested with the new certificate, etc. 
> We've even encountered an SP that broke when we added the second certificate to federated metadata.

I have also. I'll name them: Cornerstone. 

> I think we've prepared as much as we could. Major applications should 
> be fine - there might be a few that break though.

I have over 200 systems that are essentially either manually dealt with by me or manually by the vendor, so there's really no amount of preparing that would have done any good, I had to limit the change to the rest and deal with the others one by one over 9 months of time.

The only difference if I hadn't been changing the actual key is that if I had chosen to pull the plug all at once, there's a chance some number of the 200 would have worked, but I wouldn't even hazard a guess as to how many. I doubt it would have been more than half at best.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!oViL6zBPYKbkS01a1ePMOSO1aoubv9j_X8Beg5Lbk26-_n2TKRuViWRh1M8NLQBYiA$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list