...

It's also possible, in more unusual cases, to set them in the <SSO>, <Logout>, and <NameIDMgmt> elements, allowing for per-protocol behavior. They can also be set in advanced configurations that define individual <SessionInitiator>, <LogoutInitiator>, <md:AssertionConsumerService>, and <md:SingleLogoutService> endpoints. In these cases, they override any values set at the application or IdP level.

...

The default value is context-dependent; for SAML 2.0 SSO initiation it is false, with a caveat. Omitting the setting for SAML 2.0 authentication yields a softer false that really means "don't sign unless the IdP's metadata includes the WantAuthnRequestsSigned flag and the SP is able to sign". So unless signing is explicitly disabled, the IdP's metadata will typically cause the SP to sign when it can.
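
As an added example (not code from the Shibboleth documentation or the SP itself), the following resolves the effective "sign the AuthnRequest?" decision for SAML 2.0 SSO initiation using the layering described above and the metadata-driven soft default; the precedence order endpoint > protocol element > per-IdP > application and the `sp_can_sign` flag are assumptions made for illustration, and the IdP metadata is a constructed sample.

```python
import xml.etree.ElementTree as ET
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata (not a real entity); the IDPSSODescriptor
# carries the WantAuthnRequestsSigned flag that drives the soft default.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_wants_signed_requests(metadata_xml: str) -> bool:
    """True if the IdP's IDPSSODescriptor sets WantAuthnRequestsSigned to true."""
    root = ET.fromstring(metadata_xml)
    desc = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if desc is None:
        return False
    return desc.get("WantAuthnRequestsSigned", "false").strip().lower() in ("true", "1")


def effective_signing(
    metadata_xml: str,
    sp_can_sign: bool,                    # assumed: SP has a usable signing credential
    application: Optional[bool] = None,   # application-level setting
    relying_party: Optional[bool] = None, # per-IdP setting (assumed to beat application)
    protocol: Optional[bool] = None,      # <SSO> element, per-protocol setting
    endpoint: Optional[bool] = None,      # individual <SessionInitiator> endpoint
) -> bool:
    """The most specific explicit setting wins (an explicit false disables signing).

    With nothing set, fall back to the soft default: sign only when the IdP's
    metadata asks for signed requests and the SP is able to sign.
    """
    for setting in (endpoint, protocol, relying_party, application):
        if setting is not None:
            return setting
    return sp_can_sign and idp_wants_signed_requests(metadata_xml)
```

Running the resolver against your own IdP metadata and configuration layers makes the otherwise implicit signing behaviour visible before an audit or an IdP-side policy change surprises you.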

The goal going forward is for the default behavior to be "what's expected" in any given case.

...