Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The default value is usually conditional but is somewhat context-dependent, and defaults to false (with a caveat) for SAML 2.0 SSO initiation. The caveat with SAML 2.0 authentication is that omitting the setting defaults to a softer false that really means "don't sign unless the IdP's metadata includes the WantAuthnRequestsSigned flag and the SP can do so". Unless explicitly disabled, the metadata will typically cause the SP to sign if it can do so.

The goal going forward is for the default behavior to be "what's expected" in any given case.