Help with setting up Duo Admin Panel and Shibboleth

[Cantor, Scott]

Response signing is defaulted, adding p:signAssertions turns that on, as does adding WantAssertionsSigned to the metadata. I don't know that they require signed responses (which would be dumb, that's forcing people to sign twice for no reason) but I tend not to turn it off simply to avoid extra config work since I use the metadata flag to do this, not the relying party approach.

They handle encryption fine.

-- Scott