From the wiki (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSigningEncryption)? "It's also possible in more unusual cases to set them in the <SSO>, <Logout>, and <NameIDMgmt> elements, allowing for per-protocol behavior."

alan