signing IDP metadata

Herron, Joel D herronj at
Thu Apr 28 21:11:38 UTC 2022

The previous implementor of our IDP signed both of our idp-metadata.xml files (standard and 4096 certs) with a custom xml generator which I’m looking to retire. Is this a common practice? I’m not seeing anything in the documentation that suggests that’s something to even consider doing. I can see the benefits in theory but that would require SPs to actually check the signing.

If I were to not sign it going forward I assume the risk would be if some SP actually implemented the signing check it would fail for them.

Any other side-effects of removing the signing or pluses to signing it?
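For reference, this is what the SP-side check looks like when it is actually configured. It is an added example of a Shibboleth SP `MetadataProvider` stanza from shibboleth2.xml, not taken from the post or from the poster's deployment; the metadata URL, backing-file name and the `idp-signing.pem` certificate file are placeholders. The point is that the signature on the metadata is only worth anything if the consuming SP pins a trust anchor like this; an SP that fetches the metadata without a `Signature` filter accepts whatever the URL serves, signed or not.

```xml
<!-- Added example: Shibboleth SP metadata provider that verifies the IdP metadata signature.
     Placeholder URL, file names and interval; adjust to the deployment. -->
<MetadataProvider type="XML" validate="true"
                  url="https://idp.example.org/idp-metadata.xml"
                  backingFilePath="idp-metadata.xml"
                  maxRefreshDelay="7200">
    <!-- Reject metadata whose XML signature does not verify against this
         out-of-band distributed certificate (the trust anchor, not a key
         taken from the metadata itself). Path is relative to the SP config dir. -->
    <MetadataFilter type="Signature" certificate="idp-signing.pem" verifyBackup="false"/>
    <!-- Require a validUntil attribute so stale metadata eventually expires
         even if the refresh keeps failing (28 days here). -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
```

If the IdP stops signing its metadata, an SP carrying the `Signature` filter above will discard the new metadata at refresh time and keep running on its backing copy until that expires; an SP without the filter will not notice anything. That is the failure mode to check for with any partner SP before retiring the signing step.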


