Encryption key failing for vendor
Mathew, Sunil
smathew at hbs.edu
Thu Apr 7 21:12:36 UTC 2022
Hi,
I am configuring an existing vendor that is on on-prem IdP (3.1.3) to AWS IdP (4.1.4) and SSO is failing with the new setup.
The only difference I saw between the two SAML responses in SAML tracer is the following:
Old (working, on-prem):
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc
New (not working, AWS):
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Algorithm=http://www.w3.org/2009/xmlenc11#aes128-gcm
Please let me know if this makes any difference. If so, how can I change it back to AES-CBC?
Thanks,
Sunil
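
The comparison described in the message above can be scripted instead of read by eye in a tracer. This is an added example, not part of the original post or of Shibboleth: the two sample responses are constructed skeletons (cipher data omitted), the `rsa-oaep-mgf1p` key-transport URI is an assumed placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

def _sample(data_alg):
    # Constructed sample input: a skeleton EncryptedAssertion, no real cipher data.
    return f"""<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{data_alg}"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>"""

OLD_RESPONSE = _sample(XENC + "aes128-cbc")    # algorithm from the on-prem trace
NEW_RESPONSE = _sample(XENC11 + "aes128-gcm")  # algorithm from the AWS trace

def encryption_methods(xml_text):
    """Return the data-encryption and key-transport algorithm URIs in a response."""
    root = ET.fromstring(xml_text)
    found = {"data": [], "key_transport": []}
    for parent_tag, role in (("EncryptedData", "data"),
                             ("EncryptedKey", "key_transport")):
        for parent in root.iter(f"{{{XENC}}}{parent_tag}"):
            # Direct children only: EncryptedKey nests inside EncryptedData/KeyInfo,
            # so a deep search would mix the two roles.
            for method in parent.findall(f"{{{XENC}}}EncryptionMethod"):
                found[role].append(method.get("Algorithm"))
    return found

def diff_methods(old_xml, new_xml):
    """Return {role: (old_uris, new_uris)} for every role whose algorithms differ."""
    old, new = encryption_methods(old_xml), encryption_methods(new_xml)
    return {role: (old[role], new[role]) for role in old if old[role] != new[role]}

if __name__ == "__main__":
    for role, (old, new) in diff_methods(OLD_RESPONSE, NEW_RESPONSE).items():
        print(f"{role}: {old} -> {new}")
```

Separating the two roles matters because a service provider can accept the key-transport algorithm and still fail on the data-encryption algorithm, which is the only element that differs in the two traces above.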