Does SP3 not sign authn requests by default?

Wessel, Keith kwessel at illinois.edu
Sat Jul 21 09:21:30 EDT 2018


Thanks, Mike and Peter. Peter, your paraphrasing of the docs helps.

So, now the question is why did this ever work in 2.6? The SP admins don't recall ever setting signing="true" before yesterday afternoon, yet their multiple hostnames don't all have published endpoints in metadata and were being permitted by our IdP. So, I think it's safe to assume that endpoint validation was being skipped, and thus there had to be some signing going on. I'm also assuming that nothing in shibboleth2.xml would have been automatically updated upon installation of the SP 3.0 RPM that might have somehow removed a setting for signing that the SP admins forgot they had made for 2.6.

It seems that adding signing="true" is a good fix, and not just a band-aid, in 3.0. But it'd make me feel better if I could explain why this worked in 2.6 without that.

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Saturday, July 21, 2018 4:59 AM
To: users at shibboleth.net
Subject: Re: Does SP3 not sign authn requests by default?

* Wessel, Keith <kwessel at illinois.edu> [2018-07-21 00:20]:
> FWIW, adding signing="true" to our ApplicationDefaults has fixed the
> issue. The docs say that this should behave the same as 2.6 did: our
> IdP metadata says nothing about wantRequestsSigned, and I read the
> docs as it'll be signed unless the metadata specifically says not to
> as long as the SP is able to sign it. Do I misunderstand the "soft
> false" discussed in the SP 3 signing and encryption docs?

That's not what the docs say to me.

  The default value [...] defaults to false (with a caveat) for SAML 2.0
  SSO initiation. The caveat with SAML 2.0 authentication is that
  omitting the setting defaults to a softer false that really means
  "don't sign unless the IdP's metadata includes the
  WantAuthnRequestsSigned flag and the SP can do so".

I wouldn't know to paraphrase the quoted last sentence to make this
more clear. "Don't sign unless the IDP metadata says otherwise"
combined with your IDP metadata not saying otherwise should and does
lead to "don't sign", no?
-peter
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
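The rule Peter quotes, and the endpoint-validation behaviour Keith infers from it, can be written down as a small decision model. The script below is an added example for this archived thread; it is not code from the thread or from the Shibboleth project. The IdP metadata is constructed (example.org names), and the function names, the signing-key flag and the IdP endpoint policy it assumes (an unsigned AuthnRequest must use an AssertionConsumerServiceURL published in SP metadata) are assumptions made for illustration. Only the signing="true"/"false" values are modelled.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing metadata from untrusted sources

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample IdP metadata (example.org, not any real IdP).
# Like the IdP in the thread, it says nothing about WantAuthnRequestsSigned.
IDP_METADATA_SILENT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The same constructed IdP, but explicitly asking for signed AuthnRequests.
IDP_METADATA_WANTS_SIGNED = IDP_METADATA_SILENT.replace(
    "<md:IDPSSODescriptor ",
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="true" ')


def idp_wants_signed_requests(metadata_xml):
    """Return True/False for an explicit WantAuthnRequestsSigned flag, None if absent."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    flag = idp.get("WantAuthnRequestsSigned")
    if flag is None:
        return None
    return flag.strip().lower() in ("true", "1")


def sp_will_sign_authn_request(signing_setting, idp_metadata_xml, sp_has_signing_key=True):
    """Model of the SP 3 rule quoted in the thread (assumed simplification).

    signing_setting is the value of signing= on ApplicationDefaults, or None
    when the attribute is omitted.  An explicit value wins.  An omitted value
    is the "soft false": sign only if the IdP's metadata carries
    WantAuthnRequestsSigned="true" and the SP has a key to sign with.
    """
    if signing_setting is not None:
        return signing_setting.strip().lower() == "true"
    wants = idp_wants_signed_requests(idp_metadata_xml)
    return bool(wants) and sp_has_signing_key


def idp_accepts_acs(acs_url, published_acs_urls, request_signed):
    """Assumed IdP endpoint-validation policy, as the thread describes it:
    an AssertionConsumerServiceURL that is not in the SP's metadata is
    accepted only when the AuthnRequest carries a valid signature."""
    if acs_url in published_acs_urls:
        return True
    return request_signed


if __name__ == "__main__":
    # Keith's situation: signing omitted, IdP metadata silent -> request is not signed,
    # so an unpublished hostname's ACS is rejected by endpoint validation.
    signed = sp_will_sign_authn_request(None, IDP_METADATA_SILENT)
    published = ["https://sp-a.example.edu/Shibboleth.sso/SAML2/POST"]
    print("signed by default:", signed)
    print("unpublished ACS accepted:",
          idp_accepts_acs("https://sp-b.example.edu/Shibboleth.sso/SAML2/POST", published, signed))
    # The fix from the thread: signing="true" makes the request signed regardless of metadata.
    print("signed with signing=true:", sp_will_sign_authn_request("true", IDP_METADATA_SILENT))
```

Running it shows the two states discussed: with the attribute omitted and silent IdP metadata the request goes out unsigned and the unpublished endpoint is refused; with signing="true" it is signed and the endpoint is accepted. The model also makes the point that publishing every hostname's endpoints in SP metadata is the other way to satisfy endpoint validation, without relying on signatures.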

