Does SP3 not sign authn requests by default?

[Cantor, Scott]

> Schema declares that conf:SessionInitiatorGroup attributes can also be
> applied to a <SSO> element, so I thought all such settings are delivered to
> /Shibboleth.sso/Login .

It isn't that simple but yes, for the most part.

> If not, we have to warn all deployers to check their <SSO> before applying
> "yum update".

There are a very small number of settings affected.
 
-- Scott