> If I understand correctly, from an IDP metadata standpoint it does not make
> sense to define signing & encryption KeyDescriptors. Only 1 KeyDescriptor
> <KeyDescriptor use="signing">

That's the most accurate metadata, yes. It will at least tell the SP that it can't encrypt and fail on that end in such a case.

-- Scott
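An added example, not part of the original thread or of any project's code: a sketch of the SP-side check the reply describes, where an IdP that publishes only a `use="signing"` key leaves the SP with no key to encrypt to. The function names, entityID and certificate placeholder are constructed; the code relies on the SAML metadata rule that a KeyDescriptor without a `use` attribute applies to both signing and encryption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample metadata; entityID and certificate body are placeholders.
# Real metadata should be signature-verified before its keys are trusted.
SIGNING_ONLY = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same key published without a use attribute, for comparison.
UNSPECIFIED_USE = SIGNING_ONLY.replace(' use="signing"', "")


def keys_by_use(metadata_xml):
    """Map each purpose to the certificates the IdP role publishes for it."""
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.findall("./md:IDPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        use = kd.get("use")
        # An omitted use attribute means the key serves both purposes.
        for purpose in ([use] if use else ["signing", "encryption"]):
            if purpose in result:
                result[purpose].append(cert)
    return result


def select_encryption_key(metadata_xml):
    """Return a key the SP may encrypt to, or fail if the IdP published none."""
    keys = keys_by_use(metadata_xml)["encryption"]
    if not keys:
        raise LookupError("IdP metadata has no encryption-capable KeyDescriptor")
    return keys[0]
```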