Does SP3 not sign authn requests by default?

Peter Schober peter.schober at
Sat Jul 21 05:58:52 EDT 2018

* Wessel, Keith <kwessel at> [2018-07-21 00:20]:
> FWIW, adding signing="true" to our ApplicationDefaults has fixed the
> issue. The docs say that this should behave the same as 2.6 did: our
> IdP metadata says nothing about wantRequestsSigned, and I read the
> docs as it'll be signed unless the metadata specifically says not to
> as long as the SP is able to sign it. Do I misunderstand the "soft
> false" discussed in the SP 3 signing and encryption docs?

That's not what the docs say to me.

  The default value [...] defaults to false (with a caveat) for SAML 2.0
  SSO initiation. The caveat with SAML 2.0 authentication is that
  omitting the setting defaults to a softer false that really means
  "don't sign unless the IdP's metadata includes the
  WantAuthnRequestsSigned flag and the SP can do so".

I wouldn't know to paraphrase the quoted last sentence to make this
more clear. "Don't sign unless the IDP metadata says otherwise"
combined with your IDP metadata not saying otherwise should and does
lead to "don't sign", no?

More information about the users mailing list