how to force idp v3 to sign saml assertion

Peter Schober peter.schober at
Fri May 5 07:41:29 EDT 2017

* Jehan Procaccia <Jehan.Procaccia at> [2017-05-05 10:32]:
> >
> >
> I had already set in conf/ :
> /idp.encryption.optional = false/
> did I miss understood that boolean , I must be set to "true" to force saml
> assertion to be signed ?

You seem to have failed to read what is written exactly at the URL
Brent sent (and still is quoted above). In the example (e.g. the first
one called "Per-Profile Signing or Encryption Options") there are
custom relying party settings for your relying-party.xml, where you
can enable p:signAssertions="true".

Nowhere is there a mention of changing for that.

And no, the property "idp.encryption.optional" has nothing to with
whether the IDP signs the SAML Response or the SAML Assertion.
It is about not encrypting (hence the name) data to an SP that does
not have a key suitable for encryption. (I.e., it's when you prefer to
end data not XML-encrypted to the SP rather than having the IDP fail
the transaction.)


More information about the users mailing list