how to force idp v3 to sign saml assertion

Cantor, Scott cantor.2 at
Sun May 7 12:31:42 EDT 2017

On 5/6/17, 4:27 PM, "users on behalf of Brent Putman" <users-bounces at on behalf of putmanb at> wrote:

> Scott may have a different take on it. If we take the Profiles language in its literal interpretation, then that's potentially a problem
> for our IdP.  But I don't think that's the case.

You're looking at the non-errata'd spec, that language was clarified. No SP requiring signed assertions strictly for SSO is behaving appropriately, but if it needs the signature for some subsequent purpose, that's permissible. There's no way this one is.

Also, the way to turn on assertion signing like this is really in the metadata anyway. Just add WantAssertionsSigned="true" to the SP role. You don't need overrides for it.

-- Scott
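
A check for the metadata setting described above, as an added example that is not part of the original message: it parses SP metadata, reports whether each SP role sets WantAssertionsSigned (the attribute's spelling in the SAML 2.0 metadata schema), and lists unrecognized unqualified attributes so a misspelled flag does not go unnoticed. The sample metadata, entityIDs and endpoints are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Unqualified attributes the SAML 2.0 metadata schema allows on SPSSODescriptor.
KNOWN_ATTRS = {"ID", "validUntil", "cacheDuration", "protocolSupportEnumeration",
               "errorURL", "AuthnRequestsSigned", "WantAssertionsSigned"}

# Constructed sample (placeholder entityIDs and endpoints, not from the thread).
SAMPLE = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp1.example.org/sp">
    <SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp1.example.org/acs"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.org/sp">
    <SPSSODescriptor WantAssertionSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp2.example.org/acs"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def xs_true(value):
    """xs:boolean: 'true'/'1' are true; an absent attribute defaults to false."""
    return value is not None and value.strip() in ("true", "1")

def audit_sp_roles(metadata_xml):
    """Return {entityID: (wants_signed_assertions, unrecognized_attribute_names)}."""
    # Parse only metadata you already trust; use a hardened parser otherwise.
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter(MD + "EntityDescriptor"):  # single entity or aggregate
        for role in entity.findall(MD + "SPSSODescriptor"):
            # Namespaced extension attributes start with "{" and are allowed.
            unknown = sorted(a for a in role.attrib
                             if not a.startswith("{") and a not in KNOWN_ATTRS)
            report[entity.get("entityID")] = (
                xs_true(role.get("WantAssertionsSigned")), unknown)
    return report

if __name__ == "__main__":
    for entity_id, (signed, unknown) in audit_sp_roles(SAMPLE).items():
        print(entity_id, "WantAssertionsSigned =", signed, "unrecognized:", unknown)
```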
