Does SP3 not sign authn requests by default?

Cantor, Scott cantor.2 at osu.edu
Wed Jul 25 17:55:20 EDT 2018


Offhand, my read of the code is that it wouldn't work in V3, and I'm surprised it worked in V2. I don't see how it would.

The old docs didn't have much that was precise about the <SSO> element, but it never suggested that option would work, and the V3 docs are most likely just wrong about it, by accident of reformatting and Rod guessing about it.

But they didn't try it because of the new docs; it somehow got done before by accident, obviously.

So I would say it's not exactly a bug or a "change" in the sense that it was never a documented approach that was broken because of some change I made. It apparently was something somebody tried by accident and happened to work. Confluence of unfortunate circumstances, I think.

I'm puzzled enough to want to know why it worked before though because I can't see that being supported in the code.

Basically, putting it down "below" the ApplicationDefaults options is something you do if you have multiple SessionInitiator handlers defined and you want different custom options on each one. Since only the SAML2 handler signs anyway, this doesn't really matter in the case of the signing option, so it's not something one would do that way; it belongs on the ApplicationDefaults element, or in a RelyingParty element if it's a per-IdP setting.

So I wouldn't bother filing a bug on it, but I'll probably look at it a bit at some point so that I can accurately document it.

Weird though.

-- Scott
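To make the placement Scott describes concrete, here is an added shibboleth2.xml fragment (not from the post and not taken from the Shibboleth project's own documentation). It contrasts the placement the post says is not supported in SP3, the signing option on the <SSO> handler element, with the placements the post names: ApplicationDefaults for a global default and a RelyingParty element for a per-IdP override. The entityIDs and the Sessions attributes are placeholders assumed for illustration.

```xml
<!-- Added illustration, not from the post or the Shibboleth docs.
     All entityIDs and Sessions settings below are placeholders. -->

<!-- (1) Placement the post says does NOT work in SP3: the signing
     option attached to the SSO handler element itself. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <SSO entityID="https://idp.example.org/idp/shibboleth" signing="true">
            SAML2
        </SSO>
    </Sessions>
</ApplicationDefaults>

<!-- (2) Placement the post recommends: set the default on
     ApplicationDefaults, override per IdP with a RelyingParty element.
     signing="true" signs both front- and back-channel messages;
     only the SAML2 handler signs authn requests anyway. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     signing="true" encryption="true">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <SSO entityID="https://idp.example.org/idp/shibboleth">
            SAML2
        </SSO>
    </Sessions>

    <!-- Per-IdP override: this IdP gets a different setting from the
         global default above (placeholder entityID). -->
    <RelyingParty Name="https://idp2.example.org/idp/shibboleth"
                  signing="front"/>
</ApplicationDefaults>
```

The two ApplicationDefaults blocks are alternatives shown side by side, not one document; a real shibboleth2.xml carries a single ApplicationDefaults element. After changing the placement, the quickest check is to request the SSO handler with a browser and confirm that the redirect to the IdP now carries a Signature parameter (for the Redirect binding) or a signed AuthnRequest (for POST).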
