package.json version of xml-encryption doesn't support Shibboleth 4.x default encryption method #210

Closed
ahwitz opened this issue Sep 24, 2020 · 1 comment

ahwitz commented Sep 24, 2020

xml-encryption@0.11.0, the current included version, doesn't support http://www.w3.org/2009/xmlenc11#aes128-gcm, which, per an announcement from DFN-AAI, the German identity federation:

The new major version Shibboleth IdP 4.x uses the secure encryption algorithm AES-GCM for SAML assertions per default. The old IdP version 3.x still relies on AES-CBC which is no longer considered secure.

The most up-to-date version includes this algorithm.

#198 gets a step closer, but xml-encryption@1.0.0 does not include that algorithm.

Member

mcab commented Oct 23, 2020

auth0/node-xml-encryption#67

xml-encryption@1.1.0 adds this functionality. As of version 2.0.6, we now enforce xml-encryption with any minor or patch version greater than 1.2.1.

mcab closed this as completed Oct 23, 2020
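The mismatch reported in this issue can be diagnosed before decryption is attempted by reading the `EncryptionMethod` algorithm URIs out of the incoming `EncryptedAssertion`. The following is an added example, not code from this thread or from the project; the function names, the two capability sets and the sample XML are assumptions constructed for illustration.

```javascript
// Added example: list the EncryptionMethod algorithms in an encrypted SAML
// assertion and flag those the SP's decryption library cannot handle.
const GCM_128 = 'http://www.w3.org/2009/xmlenc11#aes128-gcm'; // URI from the issue
const CBC_128 = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
const RSA_OAEP = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';

// Assumed, illustrative capability sets. Only the absence of aes128-gcm
// before xml-encryption 1.1.0 and its presence from 1.1.0 come from the issue.
const SUPPORTED_BEFORE_1_1_0 = new Set([CBC_128, RSA_OAEP]);
const SUPPORTED_FROM_1_1_0 = new Set([CBC_128, GCM_128, RSA_OAEP]);

// Collect the Algorithm attribute of every EncryptionMethod start tag,
// whatever namespace prefix the IdP used. Child elements are not matched.
function encryptionMethods(xml) {
  const re = /<(?:[\w.-]+:)?EncryptionMethod\b[^>]*?\bAlgorithm\s*=\s*(["'])(.*?)\1/g;
  const found = [];
  let m;
  while ((m = re.exec(xml)) !== null) found.push(m[2]);
  return found;
}

// Compare what the IdP sent with what the SP library supports.
function checkAssertion(xml, supported) {
  const algorithms = encryptionMethods(xml);
  return {
    algorithms,
    unsupported: algorithms.filter((a) => !supported.has(a)),
    usesCbc: algorithms.some((a) => /-cbc$/.test(a)),
  };
}

// Constructed sample: an EncryptedAssertion skeleton with ciphertext omitted.
const SAMPLE = `<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>`;

console.log(checkAssertion(SAMPLE, SUPPORTED_BEFORE_1_1_0).unsupported);
```

Running the same check against a captured login response from a federation IdP shows whether it has moved to AES-GCM and whether any CBC algorithm is still in use.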