Commit

add note for invalid attribute for SAML metadata (github#26827)
vgrl authored Apr 15, 2022
1 parent 0087aaf commit 9dcf112
Showing 2 changed files with 12 additions and 0 deletions.
6 changes: 6 additions & 0 deletions data/release-notes/enterprise-server/3-4/0.yml
Expand Up @@ -244,6 +244,12 @@ sections:
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services needs to be restarted after restoring appliance from backup taken on a different host.
- |
When using SAML encrypted assertions with {% data variables.product.prodname_ghe_server %} 3.4.0 and 3.4.1, a new XML attribute `WantAssertionsEncrypted` in the `SPSSODescriptor` contains an invalid attribute for SAML metadata. IdP's that consume this SAML metadata endpoint may encounter errors when validating the SAML metadata XML schema. A fix will be available in the next patch. [Updated: 2022-04-11]
To workaround this problem, you can either:
- Reconfigure the IdP by uploading a static copy of the SAML metadata without the `WantAssertionsEncrypted` attribute.
- Copy the SAML metadata, remove `WantAssertionsEncrypted` attribute, host it on web server, and reconfigure the IdP to point to that URL.
deprecations:
- heading: Deprecation of GitHub Enterprise Server 3.0
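Review bot: In the first sentence of the added note, "a new XML attribute `WantAssertionsEncrypted` in the `SPSSODescriptor` contains an invalid attribute for SAML metadata" reads as if the attribute holds a second, invalid attribute, while the following sentence and both workarounds treat `WantAssertionsEncrypted` itself as the thing that fails schema validation. Suggest wording along the lines of "the SAML metadata includes a new `WantAssertionsEncrypted` attribute on `SPSSODescriptor` that is not valid for SAML metadata". In the next sentence, "IdP's" is a plural and should be "IdPs".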
6 changes: 6 additions & 0 deletions data/release-notes/enterprise-server/3-4/1.yml
Expand Up @@ -47,6 +47,12 @@ sections:
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring appliance from backup taken on a different host.
- |
When using SAML encrypted assertions with {% data variables.product.prodname_ghe_server %} 3.4.0 and 3.4.1, a new XML attribute `WantAssertionsEncrypted` in the `SPSSODescriptor` contains an invalid attribute for SAML metadata. IdP's that consume this SAML metadata endpoint may encounter errors when validating the SAML metadata XML schema. A fix will be available in the next patch. [Updated: 2022-04-11]
To workaround this problem, you can either:
- Reconfigure the IdP by uploading a static copy of the SAML metadata without the `WantAssertionsEncrypted` attribute.
- Copy the SAML metadata, remove `WantAssertionsEncrypted` attribute, host it on web server, and reconfigure the IdP to point to that URL.
deprecations:
- heading: Deprecation of GitHub Enterprise Server 3.0
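Review bot: Both workaround bullets at the end of the added note leave the IdP consuming a static or hand-edited copy of the metadata, and nothing tells the administrator to point the IdP back at the appliance's own SAML metadata endpoint once the promised patch is installed; a closing sentence saying so would keep the edited copy from staying in place indefinitely. On wording, "To workaround this problem" should be "To work around this problem", and the second bullet drops its articles ("remove the `WantAssertionsEncrypted` attribute, host it on a web server"). The "[Updated: 2022-04-11]" stamp is also earlier than this commit's Apr 15, 2022 author date, so confirm which date is intended.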