InCommon Baseline TLS 1.2

IAM David Bantz dabantz at
Wed Jun 30 22:56:38 UTC 2021

Our UA IdP v4 on tomcat 8 instances directly support TLS 1.2 connections
(SSLLabs “A”). However nearly all clients connect via a load balancer
supporting TLS 1.2 and 1.3 (SSLLabs “A+”). Our Shibboleth IdP is also our
institutional CAS server used for logins to ERP, and CAS services including
back-channel ticket validation requests also worked without a hitch. I am
aware of zero support calls or complaints related to turning off older TLS
versions about a year ago.

We previously ran IdP v3 on jetty 9; in that environment I edited
but follow Scott Cantor’s Jetty SSL settings advice.


On 30Jun, 2021 at 13:41:33, Brent Goebel <Brent.Goebel at> wrote:

> ...
> So have you updated your IdP to use TLS 1.2 and above? Did you see any
> issue with doing so for your IdP for your applications using your IdP for
> SSO?
> Which webserver are you running? I’m running Jetty so if you have any
> insight on how you modified it that would be helpful as well. I started
> looking around and some say to modify jetty-ssl.xml to ‘ExcludeProtocols’
> for 1.0 and 1.1 while another site said to update jetty-https.xml.
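Added example, not part of either message above and not Shibboleth or Jetty project code: two checks that go with the change Brent is asking about. The first reads a Jetty XML fragment and confirms that SSLv3, TLSv1 and TLSv1.1 all appear in the SslContextFactory's ExcludeProtocols array (the setting named in the quoted mail); the two XML samples are constructed to look like a Jetty 9 jetty-ssl.xml block and the exact layout in a given IdP install may differ. The second handshakes against a live host once per TLS version, which is the same thing SSL Labs reports in its protocol table, so you can verify from outside that 1.0 and 1.1 are really refused after the restart. Host and port are arguments you supply.

```python
"""Verify an IdP has dropped TLS 1.0/1.1: audit the Jetty config, then probe the live endpoint."""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Protocols that must be refused once only TLS 1.2 and above are allowed.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample in Jetty's XML configuration syntax: a complete exclusion list.
SAMPLE_GOOD = """<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols">
    <Array type="String">
      <Item>SSL</Item>
      <Item>SSLv2</Item>
      <Item>SSLv2Hello</Item>
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
</Configure>
"""

# Constructed sample of a half-finished edit: TLSv1 excluded but TLSv1.1 forgotten.
SAMPLE_INCOMPLETE = """<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols">
    <Array type="String">
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
    </Array>
  </Set>
</Configure>
"""


def excluded_protocols(jetty_xml: str) -> set:
    """Collect every <Item> under any <Set name="ExcludeProtocols"> array."""
    root = ET.fromstring(jetty_xml)
    found = set()
    for setter in root.iter("Set"):
        if setter.get("name") != "ExcludeProtocols":
            continue
        for item in setter.iter("Item"):
            if item.text:
                found.add(item.text.strip())
    return found


def audit_jetty_exclude_protocols(jetty_xml: str) -> dict:
    """Report what is excluded and which legacy protocols are still missing."""
    excluded = excluded_protocols(jetty_xml)
    missing = sorted(LEGACY_PROTOCOLS - excluded)
    return {"excluded": sorted(excluded), "missing_legacy": missing, "ok": not missing}


TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake once per version with the client pinned to exactly that version.

    Per version: True = server negotiated it, False = server refused it,
    None = inconclusive (host unreachable, or this client's OpenSSL would not
    offer that version at all, which is common for 1.0/1.1 on current builds).
    A None for TLSv1/TLSv1.1 means re-check with another tool, not "clean".
    """
    results = {}
    for name, version in TLS_VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            # Certificate checks are irrelevant to "is this version accepted":
            # a correctly configured server rejects the handshake before any
            # certificate is presented.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except ssl.SSLError as exc:  # subclass of OSError, so catch it first
            results[name] = None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError:
            results[name] = None
    return results


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, audit_jetty_exclude_protocols(sample))
    if len(sys.argv) > 1:  # usage: python tls_check.py idp.example.edu [443]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, accepted in probe_tls_versions(sys.argv[1], port).items():
            print(f"{name:8} {'accepted' if accepted else 'refused' if accepted is False else 'inconclusive'}")
```

Run the probe against the load balancer's address as well as a backend IdP node directly: as the reply above notes, the two can have different TLS settings, and clients that bypass the balancer (back-channel CAS ticket validation, for instance) only see the backend's configuration.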
