Open andreaceccanti opened 3 years ago
This is caused by the move to AES-GCM encryption (see here) which is backward incompatible.
Another workaround, as suggested in the above wiki page, is to revert shib idp configuration to AES-CBC, either globally or per endpoint.
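For readers who want to apply the per-endpoint variant of that workaround rather than downgrading the whole IdP or disabling encryption, here is an added example (not from this issue thread, and not IAM project code) of a Shibboleth IdP 4.x `conf/relying-party.xml` override that keeps AES-GCM as the default and selects AES-CBC only for the one SP that cannot decrypt GCM. The entityID is a placeholder; the `shibboleth.SecurityConfiguration.CBC` bean name and the override structure follow the Shibboleth IdP documentation, so confirm them against the version you run.

```xml
<!-- conf/relying-party.xml (fragment; the file's existing namespace
     declarations for util:, c: and p: are assumed to be present) -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Narrow override: everyone else keeps the IdP default (GCM);
         only the SP named here gets AES-CBC assertion encryption.
         The entityID below is a placeholder, not a real deployment. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp-placeholder.example.org/saml">
        <property name="profileConfigurations">
            <list>
                <!-- The override list replaces the default profile list
                     for this SP, so every profile it needs must appear
                     here, each pointing at the CBC configuration. -->
                <bean parent="SAML2.SSO"
                      p:securityConfiguration-ref="shibboleth.SecurityConfiguration.CBC" />
                <bean parent="SAML2.Logout"
                      p:securityConfiguration-ref="shibboleth.SecurityConfiguration.CBC" />
            </list>
        </property>
    </bean>

</util:list>
```

Scoping the fallback to a single relying party limits the exposure to that one SP and leaves the stronger default in place for all others; once the SP side can decrypt GCM, the override should be removed so the IdP returns to the newer algorithm for that endpoint too.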
I think the priority of this issue should be raised. I had the problem with a couple of IdPs already who moved to v4 and upgraded to the AES-GCM encryption (which is desirable I think from the security point of view). It would be good to avoid having IAM not able to interact with some IdPs because they won't agree to downgrade the encryption, a small but non-zero risk IMO. I don't have any clue about how complex a change it is but we need a solution at some point...
A (quite unacceptable) workaround is to request the use of unencrypted assertions on the IdP side.