IAM fails to decrypt assertions issued by Shibboleth IdP v4
2021-03-02 19:31:37.543 INFO 89038 --- [nio-8080-exec-2] i.a.ExternalAuthenticationFailureHandler : External authentication failure: Response doesn't have any valid assertion which would pass subject validation
org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
A (quite unacceptable) workaround is to request the use of unencrypted assertions on the IdP side.
This is caused by the move to AES-GCM encryption (see here), which is backward incompatible.
Another workaround, as suggested in the above wiki page, is to revert the Shibboleth IdP configuration to AES-CBC, either globally or per endpoint.
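Added example (not code from this issue thread or from the IAM project): a stdlib-only Python check that parses a SAML 2.0 Response and reports, for each EncryptedAssertion, the data-encryption algorithm URI and the key-transport algorithm, and flags assertions a decryptor that only implements the XML Encryption 1.0 AES-CBC block ciphers cannot handle. This is the check to run on a captured Response before and after changing the IdP's encryption configuration. The two sample Responses are constructed here with placeholder CipherValue contents; the algorithm URIs are the ones defined by XML Encryption 1.0 (`http://www.w3.org/2001/04/xmlenc#`, CBC modes) and 1.1 (`http://www.w3.org/2009/xmlenc11#`, GCM modes).

```python
# Added example, not from the IAM project or this issue thread.
# Report the XML Encryption algorithms used by each saml2:EncryptedAssertion in a
# SAML 2.0 Response, and flag assertions that an AES-CBC-only decryptor cannot
# decrypt (the failure mode described in this issue).
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XENC = "http://www.w3.org/2001/04/xmlenc#"      # XML Encryption 1.0 (CBC block ciphers)
XENC11 = "http://www.w3.org/2009/xmlenc11#"     # XML Encryption 1.1 (AES-GCM)
DS = "http://www.w3.org/2000/09/xmldsig#"

# Block-cipher algorithm URIs as defined by the two specification versions.
CBC_ALGORITHMS = {XENC + a for a in ("aes128-cbc", "aes192-cbc", "aes256-cbc", "tripledes-cbc")}
GCM_ALGORITHMS = {XENC11 + a for a in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}


def _q(ns, local):
    """Clark-notation tag name ({namespace}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def inspect_encrypted_assertions(response_xml):
    """Return one record per saml2:EncryptedAssertion found in response_xml.

    Each record holds the data-encryption algorithm, the key-transport
    algorithm taken from the EncryptedKey (wherever the IdP placed it), the
    cipher mode, and whether a CBC-only decryptor could handle the assertion.
    An unencrypted Response yields an empty list.
    """
    root = ET.fromstring(response_xml)
    records = []
    for enc_assertion in root.iter(_q(SAML2, "EncryptedAssertion")):
        enc_data = enc_assertion.find(_q(XENC, "EncryptedData"))
        if enc_data is None:
            raise ValueError("EncryptedAssertion without xenc:EncryptedData")
        method = enc_data.find(_q(XENC, "EncryptionMethod"))
        data_alg = method.get("Algorithm") if method is not None else None

        # The EncryptedKey may sit inside ds:KeyInfo of the EncryptedData or be a
        # sibling of it inside the EncryptedAssertion; iter() covers both layouts.
        key_alg = None
        for enc_key in enc_assertion.iter(_q(XENC, "EncryptedKey")):
            key_method = enc_key.find(_q(XENC, "EncryptionMethod"))
            key_alg = key_method.get("Algorithm") if key_method is not None else None
            break

        if data_alg in CBC_ALGORITHMS:
            mode = "cbc"
        elif data_alg in GCM_ALGORITHMS:
            mode = "gcm"
        else:
            mode = "unknown"
        records.append({
            "data_algorithm": data_alg,
            "key_transport_algorithm": key_alg,
            "mode": mode,
            "cbc_only_decryptor_ok": mode == "cbc",
        })
    return records


def _sample_response(data_algorithm):
    """Constructed minimal Response for testing; CipherValue contents are placeholders."""
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml2="%s" ID="_r1" Version="2.0">
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="%s" Id="_ed1" Type="%sElement">
      <xenc:EncryptionMethod Algorithm="%s"/>
      <ds:KeyInfo xmlns:ds="%s">
        <xenc:EncryptedKey Id="_ek1">
          <xenc:EncryptionMethod Algorithm="%srsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</samlp:Response>""" % (SAMLP, SAML2, XENC, XENC, data_algorithm, DS, XENC)


# Constructed samples: what a v4 IdP sends with its AES-GCM default, and what it
# sends after the CBC workaround from the issue has been applied.
GCM_RESPONSE = _sample_response(XENC11 + "aes128-gcm")
CBC_RESPONSE = _sample_response(XENC + "aes128-cbc")

if __name__ == "__main__":
    for label, doc in (("AES-GCM response", GCM_RESPONSE), ("AES-CBC response", CBC_RESPONSE)):
        for rec in inspect_encrypted_assertions(doc):
            verdict = "OK for CBC-only decryptor" if rec["cbc_only_decryptor_ok"] else "NOT decryptable by CBC-only decryptor"
            print("%s: data=%s key=%s -> %s" % (label, rec["data_algorithm"], rec["key_transport_algorithm"], verdict))
```

Run it against a real Response captured from the IdP (for example, the Base64-decoded SAMLResponse form parameter) by passing the document text to `inspect_encrypted_assertions`; a `mode` of `gcm` confirms the IdP is using the XML Encryption 1.1 algorithms this issue is about, and `cbc` confirms the workaround took effect for that endpoint.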
I think the priority of this issue should be raised. I have already had the problem with a couple of IdPs that moved to v4 and upgraded to AES-GCM encryption (which I think is desirable from the security point of view). It would be good to avoid IAM being unable to interact with some IdPs because they don't accept downgrading the encryption, a small but non-zero risk IMO. I don't have any clue how complex a change it is, but we need a solution at some point...