...
The signResponses default varies by profile. In many 2.x releases, we defaulted to signing assertions and not responses. For an explanation of why that turned out to be wrong, see this thread. See the notes on the individual profile pages.
If you need to enable the signAssertions option, and you control the SP's metadata, you should generally add the WantAssertionsSigned flag to it in place of using this option.
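One way to see which SPs in a metadata file already carry the WantAssertionsSigned flag, and which would still need it added (or the signAssertions option), is a small audit script. This is an added example, not part of the original documentation; the metadata and entityIDs are constructed, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata: two SPs with the flag (both xs:boolean
# spellings), one SP without it, and one IdP-only entity.
SAMPLE_METADATA = f"""\
<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor WantAssertionsSigned="true"
                        protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor WantAssertionsSigned="1"
                        protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def wants_assertions_signed(metadata_xml):
    """Map each SP entityID to True/False for WantAssertionsSigned.

    Entities without an SPSSODescriptor role are skipped. The attribute is
    an xs:boolean, so both "true" and "1" count; absent means false.
    """
    root = ET.fromstring(metadata_xml)
    flags = {}
    # iter() also yields the root, so a lone EntityDescriptor document works.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        roles = entity.findall(f"{{{MD}}}SPSSODescriptor")
        if not roles:
            continue
        flags[entity.get("entityID")] = any(
            role.get("WantAssertionsSigned", "false").strip() in ("true", "1")
            for role in roles
        )
    return flags


if __name__ == "__main__":
    for entity_id, flagged in wants_assertions_signed(SAMPLE_METADATA).items():
        status = "flag set in metadata" if flagged else "flag missing"
        print(f"{entity_id}: {status}")
```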