Consider changing the default signAssertions setting for the SAML2AttributeQueryProfile
I developed a compromise that I think addresses the request to broaden use of message security, but also satisfies my objection to adding overhead to systems that are happy with TLS.
The use case here is for using port 443 for these profiles instead of an extra port, so I've modulated the MessageChannelSecurity determination so that by default port 443 is treated as "insecure", which turns on signing and encryption by default for the backchannel profiles.
Traffic to any other TLS port is handled as before, so nobody else is affected. And the idp.security.defaultPortInsecure property can be set to false to disable this change and go back to treating any TLS port as secure.
This seems like a nice middle ground to me, and if you deploy IdPs using port 443 for SOAP, it will just work the way you're asking for, and everybody else will get the same behavior they're used to.
We should discuss and decide for the release, so assigning version.

Yes, it's about changing the default (to support configurations relying on message-level security out of the box, as I wrote in the original description).
If you mean us changing the default we ship, yes. If you were describing for somebody else what to do, I wouldn't do it that way, it's better to just declare it in the user file.
Among the reasons the native syntax is better is that you could do a stand-alone bean in the file that inherits from SAML2.SSO, call it SAML2.SSO.MyDefaults. Then you could inherit or reference that in your relying party definitions, so you don't have to duplicate settings.

Understood that for user customization, I can use something like <bean parent="SAML2.AttributeQuery" p:signAssertions="true" /> in conf/relying-party.xml. This entry here is about changing the default, though... which would have to go into system/conf/relying-party-system.xml, I think.
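As an added illustration (not taken from the issue or from the Shibboleth IdP distribution), here is a conf/relying-party.xml fragment that applies the per-deployment override discussed above through a reusable stand-alone bean, the inheritance pattern suggested in the thread; the bean id SAML2.AttributeQuery.MyDefaults is a hypothetical name, and it assumes an IdP v3 Spring-style relying-party.xml with the p: namespace declared.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example fragment of conf/relying-party.xml; not project-shipped configuration. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Stand-alone profile bean (hypothetical name) that inherits the shipped
         SAML2.AttributeQuery defaults and turns on assertion signing, so the
         attribute query response is protected at the message level and does
         not depend solely on TLS on the back-channel port. -->
    <bean id="SAML2.AttributeQuery.MyDefaults" parent="SAML2.AttributeQuery"
          p:signAssertions="true" />

    <!-- Override of the default relying-party definition: reference the
         customized bean instead of the shipped SAML2.AttributeQuery, while
         leaving the other profiles at their defaults. Every relying party
         that needs the same behaviour can reference the same bean, so the
         setting is declared once rather than duplicated per partner. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" />
                <ref bean="SAML2.AttributeQuery.MyDefaults" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

</beans>
```

Declaring the override in the user file this way keeps system/conf/relying-party-system.xml untouched, which is the point made in the reply about where deployer changes belong.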

This is sort of a followup on the thread "Moving the back channel on the IdP from port 8443 to 443: caveats, pitfalls?" I started on shib-users in January 2011 (https://lists.internet2.edu/sympa/arc/shibboleth-users/2011-01/msg00229.html).
To switch to message-level security for attribute queries, too, the IdP's default of not signing assertions for the SAML2AttributeQueryProfile currently needs to be changed in the configuration.
For version 3, I think it makes sense to consider changing the default for signAssertions to "always", to support configurations relying on message-level security out of the box.