Ang.: RE: Ang.: Re: Unsoclicited SSO questions

Cantor, Scott cantor.2 at
Fri May 29 16:16:33 EDT 2015

On 5/29/15, 3:52 PM, "users on behalf of Andrew Morgan" <users-bounces at on behalf of morgan at> wrote:

>Remove AuthnRequestsSigned="true".  Put WantAssertionsSigned="true" back 
>in the metadata.  I'm pretty sure that's what Rod meant to say.

Yes. If the SP requires signed assertions, WantAssertionsSigned will ensure the IdP does so, even if it is not doing so (which it doesn't by default since that's unnecessary).

The SP also has a bug, because I can bet you a large sum of money they have no reason to be requiring signed assertions.

>You can also override the metadata settings (at least, I think it 
>overrides what is in metadata) on a per-entity basis by changing 

You can explicitly enable assertion signing, certainly, whether the metadata flag is on or not.

>>Thank you for the input. I have tried path 3 to change the WantAssertionsSigned but
>> now the sp isn't able to validate my assertion.
>> Path 1 and 2 isn't an option and the service provider will not change their metadata
>> as I have already asked about that.

Unless the SP is signing their metadata with a trusted key and you're loading it other than by hand from a local file, it makes no difference what their metadata is, it's under your control, not theirs.

-- Scott

More information about the users mailing list