signed responses from an IdP

Mark K. Miller max at
Mon Aug 17 15:51:50 EDT 2015

The default replying party on my Shibboleth IdP has the SAML2SSOProfile 
configured with signResponses="never"

Yesterday, one of the vendors I work with upgraded their SP software from 
some old Ping Identity implementation to some newer Ping Identity 
implementation and things stoped working.

They told me that I need to sign assertions; so, I told them I am.

Through experimentation I have learned if I create a custom relying party 
for them and change signResponses to "always" things start to work again.

Why is the default on my Shibboleth Idp "never"?  And, would anyone know 
what to change on the Ping Identity side to make this work the way it used 



More information about the users mailing list