Does SP3 not sign authn requests by default?

Cantor, Scott cantor.2 at
Sun Jul 22 12:26:29 EDT 2018

On 7/20/18, 6:19 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> FWIW, adding signing="true" to our ApplicationDefaults has fixed the issue. The docs say that this should behave the 
> same as 2.6 did: our IdP metadata says nothing about wantRequestsSigned, and I read the docs as it'll be signed unless 
> the metadata specifically says not to as long as the SP is able to sign it. Do I misunderstand the "soft false" discussed in 
> the SP 3 signing and encryption docs?

I missed this bit when I just responded; I assumed you were using metadata as a signal. Without that, there's no way this would have worked before. The SP, as Peter said, has never signed by default. It used to just be a true/false setting and defaulted to false.

In 2.6 it got more complicated, but it still generally did not sign AuthnRequests in particular unless set to true, or if it was left as "conditional", the SP looks at the metadata to decide the default.

I don't believe this has changed in 3.0, but in your scenario I think you have to determine what they really were doing before to know what's going on. I can debug it a little and verify how it runs, but I can't prove anything about a configuration that isn't really known.

-- Scott
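
Added example, not part of the original message and not Shibboleth code: a Python model of the signing decision this thread describes, useful for checking what an IdP's metadata actually signals before relying on "conditional". It assumes the signal is the standard SAML metadata attribute WantAuthnRequestsSigned on IDPSSODescriptor; the function names, entity ID and sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_ID = "https://idp.example.org/idp"  # constructed entity ID

# Constructed IdP metadata with no signing preference stated.
IDP_NO_FLAG = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="{ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Same metadata, but the IdP asks for signed AuthnRequests.
IDP_WANTS_SIGNED = IDP_NO_FLAG.replace(
    "<IDPSSODescriptor ", '<IDPSSODescriptor WantAuthnRequestsSigned="true" ')


def idp_wants_signed_requests(metadata_xml, entity_id):
    """Return the IdP's WantAuthnRequestsSigned flag (absent means false)."""
    root = ET.fromstring(metadata_xml)
    # iter() also matches the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        idp = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if idp is None:
            raise ValueError(f"{entity_id} has no IDPSSODescriptor")
        # xs:boolean allows "true"/"1" and "false"/"0".
        return idp.get("WantAuthnRequestsSigned", "false").strip() in ("true", "1")
    raise LookupError(f"{entity_id} not found in metadata")


def will_sign_authn_request(signing, metadata_xml, entity_id):
    """Model of the setting as described in the thread, not the SP's code."""
    if signing == "true":
        return True
    if signing == "false":
        return False
    if signing == "conditional":
        # The metadata decides; with no flag present the request is unsigned.
        return idp_wants_signed_requests(metadata_xml, entity_id)
    raise ValueError(f"unmodelled signing value: {signing!r}")


if __name__ == "__main__":
    for name, md in (("no flag", IDP_NO_FLAG), ("wants signed", IDP_WANTS_SIGNED)):
        for setting in ("false", "conditional", "true"):
            print(f"{name:13} signing={setting:12} ->",
                  will_sign_authn_request(setting, md, ENTITY_ID))
```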
