Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Relative to an IdP, there are fewer scenarios in which it typically becomes necessary to worry about these settings. Usually you can accept the defaults and things will work most of the time. The settings are provided for handling more unusual situations.

Table of Contents

Controlling Signing and Encryption

The signing and encryption settings are typically set in the <ApplicationDefaults><ApplicationOverride>, and <RelyingParty> elements and allow for per-application, per-IdP behavior.

It's also possible in more unusual cases to set them in the <SSO><Logout>, and <NameIDMgmt> elements, allowing for per-protocol behavior. They can also be set in advanced configurations that define individual <SessionInitiator><LogoutInitiator><md:AssertionConsumerService>, and <md:SingleLogoutService>endpoints. In these cases, they override any values set by application or IdP.

The five possible values are:

  • conditional

  • true

  • false

  • front

  • back

The default value is usually conditional but is somewhat context-dependent, and defaults to false false (with a caveat) for  for SAML 2.0 SSO initiation. The caveat with SAML 2.0 authentication is that omitting the setting defaults to a softer false that really means "don't sign unless the IdP's metadata includes the WantAuthnRequestsSigned flag and the SP can do so". Unless explicitly disabled, that metadata flag will typically cause the SP to sign if it can do so.

...

As an example, a SOAP message to https://idp.example.com:8443/idp/profile/SAML/SOAP/AttributeQuery will not be signed, nor its content encrypted, while the same message sent to https://idp.example.com/idp/profile/SAML/SOAP/AttributeQuery will be signed and its content encrypted.

...