how to force idp v3 to sign saml assertion

Brent Putman putmanb at
Sun May 7 13:54:18 EDT 2017

On 5/7/17 12:31 PM, Cantor, Scott wrote:
> You're looking at the non-errata'd spec, that language was clarified. No SP requiring signed assertions strictly for SSO is behaving appropriately, but if it needs the signature for some subsequent purpose, that's permissible. There's no way this one is.

Ah, right, I forgot to check that.  The errata is very clear, either
the Response or Assertion may be signed under POST.   Since the
lightSAML people actually "fixed" this recently per the GitHub issue
mentioned in the OP's first post, I'll just inform them they need to
read the errata and reverse.

> Also, the way to turn on assertion signing like this is really in the metadata anyway. Just add WantAssertionSigned="true" to the SP role. You don't need overrides for it.

I forgot we had even implemented that.  That's certainly the better way
if the IdP can modify the SP's metadata.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list