...
This is a breaking change because curl does not have the same feature set when used with NSS, and one of the features it loses is required by the SP for basic operation in mostsome deployments, though not all, deploymentsthis is growing more rare. Specifically, if your SP requires the use of back-channel SOAP communication with IdP (this describes most scenarios involving legacy SAML 1.1 IdPs and attribute queries, or use of the artifact profile/binding), it won't function without the workaround noted below or other alterations such as enabling message signing.
The Service Provider package set includes a curl-openssl package that installs to /opt/shibboleth and does not overwrite or interfere with the OS-supplied version. It is also based on a more recent version of libcurl and will be kept updated if relevant curl security updates are released.
...