Verification of signed AuthnRequests

Max Spicer max.spicer at
Mon Nov 22 11:04:33 UTC 2021

Does the IDP (4.0.1) always verify the signature on signed AuthnRequests
unless ignoreRequestSignatures has been set to true?

We have an SP that is sending us signed AuthnRequests. We see occasional
signature verification issues for this SP and in investigating this I
discovered that that SP's advertised metadata did not match the metadata
for them that we have in our IdP. The new metadata contains only one key
with use="signing" and this key is different to the key in our metadata. We
have a relying party override for this SP to set signAssertions="true",

The SP have confirmed that they are using the key in their advertised
metadata. We only get signed AuthnRequests from this SP, and so I cannot
understand how SSO is currently working if this is the case.


Max Spicer
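
Added example, not part of the original post and not Shibboleth code: one way to confirm the mismatch described above is to fingerprint the signing-capable certificates in the locally loaded SP metadata and in the SP's advertised metadata, then compare the sets. The function names, the entityID and the sample metadata are constructed for illustration; the placeholder bytes stand in for real DER certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_key_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every certificate usable for signing."""
    prints = set()
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor without a "use" attribute applies to signing too.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def compare_signing_keys(local_xml, advertised_xml):
    """Split signing keys into shared, local-only and advertised-only."""
    local = signing_key_fingerprints(local_xml)
    advertised = signing_key_fingerprints(advertised_xml)
    return {"shared": local & advertised,
            "only_local": local - advertised,
            "only_advertised": advertised - local}

def build_sample_metadata(keys):
    """Constructed SP metadata; keys is a list of (use, placeholder_bytes)."""
    kds = "".join(
        "<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % (' use="%s"' % use if use else "", base64.b64encode(raw).decode())
        for use, raw in keys)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://sp.example.org/constructed">'
            "<md:SPSSODescriptor>%s</md:SPSSODescriptor>"
            "</md:EntityDescriptor>" % (MD, DS, kds))

# Constructed inputs: placeholder bytes stand in for DER certificates.
LOCAL = build_sample_metadata([("signing", b"old-signing-cert"),
                               ("encryption", b"encryption-cert")])
ADVERTISED = build_sample_metadata([("signing", b"new-signing-cert")])

if __name__ == "__main__":
    for bucket, prints in compare_signing_keys(LOCAL, ADVERTISED).items():
        print(bucket, sorted(p[:16] for p in prints))
```

An empty `shared` set means no signing key in the local copy matches the advertised metadata, which is the condition the post reports.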
