diff --git a/lib/SimpleSAML/Command/RouterDebugCommand.php b/lib/SimpleSAML/Command/RouterDebugCommand.php
index d1bfab227e89241faeed568dac483997dea75863..05edf2fe6553363a5ad686ce68d81a79c5d71043 100644
--- a/lib/SimpleSAML/Command/RouterDebugCommand.php
+++ b/lib/SimpleSAML/Command/RouterDebugCommand.php
@@ -26,7 +26,7 @@ class RouterDebugCommand extends Command
 
 
     /**
-     * @param Symfony\Component\Routing\RouterInterface
+     * @param \Symfony\Component\Routing\RouterInterface
      *
      * @throws \Symfony\Component\Console\Exception\LogicException When the command name is empty
      */
@@ -58,7 +58,7 @@ EOF
     /**
      * @param \Symfony\Component\Console\Input\InputInterface $input
      * @param \Symfony\Component\Console\Output\OutputInterface $output
-     * @return int 0 if everything went fine, or an exit code
+     * @return void
      */
     protected function execute(InputInterface $input, OutputInterface $output)
     {
diff --git a/lib/SimpleSAML/Configuration.php b/lib/SimpleSAML/Configuration.php
index 5059487a96de5c0b63377fd1918052c4a1f4c0df..be7ad8955b464b2ae85d7cf4e35f0fb8cd027847 100644
--- a/lib/SimpleSAML/Configuration.php
+++ b/lib/SimpleSAML/Configuration.php
@@ -468,8 +468,6 @@ class Configuration implements Utils\ClearableState
             return null;
         }
 
-        Assert::string($path);
-
         return Utils\System::resolvePath($path, $this->getBaseDir());
     }
 
@@ -790,8 +788,6 @@ class Configuration implements Utils\ClearableState
      */
     public function getArrayize(string $name, $default = self::REQUIRED_OPTION)
     {
-        Assert::string($name);
-
         $ret = $this->getValue($name, $default);
 
         if ($ret === $default) {
@@ -817,7 +813,7 @@ class Configuration implements Utils\ClearableState
      *                       required if this parameter isn't given. The default value can be any value, including
      *                       null.
      *
-     * @return array The option with the given name, or $default if the option isn't found and $default is specified.
+     * @return mixed The option with the given name, or $default if the option isn't found and $default is specified.
      *
      * @throws \Exception If the option is not a string or an array of strings.
      */
@@ -858,7 +854,8 @@ class Configuration implements Utils\ClearableState
      *                        This function will only return null if $default is set to null and the option
      *                        doesn't exist.
      *
-     * @return \SimpleSAML\Configuration|null The option with the given name, or $default if the option isn't found and $default is specified.
+     * @return \SimpleSAML\Configuration|null The option with the given name,
+     *   or $default if the option isn't found and $default is specified.
      *
      * @throws \Exception If the option is not an array.
      */
@@ -1022,7 +1019,7 @@ class Configuration implements Utils\ClearableState
      * @param mixed  $default The default value to return if no matching endpoint is found. If no default is provided,
      *     an exception will be thrown.
      *
-     * @return array|null The default endpoint, or null if no acceptable endpoints are used.
+     * @return mixed|null The default endpoint, or null if no acceptable endpoints are used.
      *
      * @throws \Exception If no supported endpoint is found.
      */
diff --git a/lib/SimpleSAML/Error/AuthSource.php b/lib/SimpleSAML/Error/AuthSource.php
index b836b93b806166d3070bf71bf560f506e16ad0c9..b42ab25d0d85e6a6c4eab9dd45c65d19ea8575e9 100644
--- a/lib/SimpleSAML/Error/AuthSource.php
+++ b/lib/SimpleSAML/Error/AuthSource.php
@@ -4,13 +4,12 @@ declare(strict_types=1);
 
 namespace SimpleSAML\Error;
 
-use Exception;
 use Webmozart\Assert\Assert;
 
 /**
  * Baseclass for auth source exceptions.
  *
- * @package SimpleSAMLphp_base
+ * @package SimpleSAMLphp
  *
  */
 
@@ -36,7 +35,7 @@ class AuthSource extends Error
      * @param string $reason  Description of the error.
      * @param \Exception|null $cause
      */
-    public function __construct(string $authsource, string $reason, Exception $cause = null)
+    public function __construct(string $authsource, string $reason, \Exception $cause = null)
     {
         $this->authsource = $authsource;
         $this->reason = $reason;
diff --git a/lib/SimpleSAML/Logger.php b/lib/SimpleSAML/Logger.php
index 0805dd328da930d2b2400ad01f0c42db3aaa3a83..be1742dcdf5c2c69416f75046809f85d162c0271 100644
--- a/lib/SimpleSAML/Logger.php
+++ b/lib/SimpleSAML/Logger.php
@@ -426,7 +426,6 @@ class Logger
 
         // get the configuration
         $config = Configuration::getInstance();
-        Assert::isInstanceOf($config, Configuration::class);
 
         // setting minimum log_level
         self::$logLevel = $config->getInteger('logging.level', self::INFO);
diff --git a/lib/SimpleSAML/Memcache.php b/lib/SimpleSAML/Memcache.php
index 7eff621f7238c4263905dcff90131b8ccddd57ae..07302815eddd96112e60891921216d56d33e850a 100644
--- a/lib/SimpleSAML/Memcache.php
+++ b/lib/SimpleSAML/Memcache.php
@@ -408,7 +408,6 @@ class Memcache
     {
         // get the configuration instance
         $config = Configuration::getInstance();
-        Assert::isInstanceOf($config, Configuration::class);
 
         // get the expire-value from the configuration
         $expire = $config->getInteger('memcache_store.expires', 0);
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index ac8407ce3d4c0b055ca079fd580042772cbbe487..e4a88e189edef243107c90a68e653cd8d7341ee3 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -108,7 +108,6 @@ class MetaDataStorageHandler implements \SimpleSAML\Utils\ClearableState
 
         // get the configuration
         $config = Configuration::getInstance();
-        Assert::isInstanceOf($config, Configuration::class);
 
         $baseurl = Utils\HTTP::getSelfURLHost() . $config->getBasePath();
 
@@ -311,8 +310,6 @@ class MetaDataStorageHandler implements \SimpleSAML\Utils\ClearableState
             $index = $this->getMetaDataCurrentEntityID($set, 'metaindex');
         }
 
-        Assert::string($index);
-
         foreach ($this->sources as $source) {
             $metadata = $source->getMetaData($index, $set);
 
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index f598e7e0295cb2afe98f846ebda0c9d517ae85f5..d7ae636765d36ec2f6cd11b1f87fa0ddb6c34a67 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -76,8 +76,6 @@ class SAMLBuilder
      */
     public function __construct(string $entityId, int $maxCache = null, int $maxDuration = null)
     {
-        Assert::string($entityId);
-
         $this->maxCache = $maxCache;
         $this->maxDuration = $maxDuration;
 
@@ -132,8 +130,6 @@ class SAMLBuilder
      */
     public function getEntityDescriptorText(bool $formatted = true): string
     {
-        Assert::boolean($formatted);
-
         $xml = $this->getEntityDescriptor();
         if ($formatted) {
             Utils\XML::formatDOMElement($xml);
diff --git a/lib/SimpleSAML/Module.php b/lib/SimpleSAML/Module.php
index e59418bdca6795ac13b4c3bb8c4b2ea6de38a78f..285882f7c47642f0f8e5fdc1b73da0d8f3272977 100644
--- a/lib/SimpleSAML/Module.php
+++ b/lib/SimpleSAML/Module.php
@@ -583,7 +583,7 @@ class Module
      *
      * This method removes the trailing slash and redirects to the resulting URL.
      *
-     * @param Symfony\Component\HttpFoundation\Request $request The request to process by this controller method.
+     * @param \Symfony\Component\HttpFoundation\Request $request The request to process by this controller method.
      *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      *   A redirection to the URI specified in the request, but without the trailing slash.
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index e0a16dd3e79c0b838e3495704bdd5185851aa723..61428d3e935eb726bcb7b67e88c1997cf054318e 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -352,8 +352,6 @@ class Session implements \Serializable, Utils\ClearableState
             return null;
         }
 
-        Assert::isInstanceOf($session, self::class);
-
         if ($checkToken) {
             $globalConfig = Configuration::getInstance();
 
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 44752f4e5cf8ad82d6d792fc002e332035d35861..f37c31803db5d848781e5ba8d7aaac7a0e996b5a 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -328,9 +328,7 @@ class Crypto
      */
     public static function pwHash(string $password): string
     {
-        if (!is_string($password)) {
-            throw new \InvalidArgumentException('Invalid input parameter.');
-        } elseif (!is_string($hash = password_hash($password, PASSWORD_DEFAULT))) {
+        if (!is_string($hash = password_hash($password, PASSWORD_DEFAULT))) {
             throw new \InvalidArgumentException('Error while hashing password.');
         }
         return $hash;
diff --git a/lib/SimpleSAML/Utils/System.php b/lib/SimpleSAML/Utils/System.php
index 2c2b4d181db62ac2bcb64685cde1947cb01ce49d..a61b6784c56e31218fd2881a6ba990bf19961d94 100644
--- a/lib/SimpleSAML/Utils/System.php
+++ b/lib/SimpleSAML/Utils/System.php
@@ -28,7 +28,8 @@ class System
     /**
      * This function returns the Operating System we are running on.
      *
-     * @return string|false A predefined constant identifying the OS we are running on. False if we are unable to determine it.
+     * @return int|false A predefined constant identifying the OS we are running on.
+     *                   False if we are unable to determine it.
      *
      * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
      */
diff --git a/modules/admin/lib/Controller/Config.php b/modules/admin/lib/Controller/Config.php
index ad94e0df787de7f4c0bac48391819f1a1f4b0afb..423adafb05868b749a6642c7cf4e20cd4a91882a 100644
--- a/modules/admin/lib/Controller/Config.php
+++ b/modules/admin/lib/Controller/Config.php
@@ -57,7 +57,7 @@ class Config
      *
      * @return \SimpleSAML\XHTML\Template
      */
-    public function diagnostics(Request $request)
+    public function diagnostics(Request $request): Template
     {
         Utils\Auth::requireAdmin();
 
@@ -90,7 +90,7 @@ class Config
      *
      * @return \SimpleSAML\XHTML\Template
      */
-    public function main()
+    public function main(): Template
     {
         Utils\Auth::requireAdmin();
 
@@ -127,7 +127,7 @@ class Config
      *
      * @return RunnableResponse
      */
-    public function phpinfo()
+    public function phpinfo(): RunnableResponse
     {
         Utils\Auth::requireAdmin();
 
@@ -148,7 +148,7 @@ class Config
      *
      * @return array
      */
-    protected function getPrerequisiteChecks()
+    protected function getPrerequisiteChecks(): array
     {
         $matrix = [
             [
@@ -333,7 +333,7 @@ class Config
      *
      * @return array
      */
-    protected function getWarnings()
+    protected function getWarnings(): array
     {
         $warnings = [];
 
diff --git a/modules/admin/lib/Controller/Federation.php b/modules/admin/lib/Controller/Federation.php
index 6b6e0ca3710b152700ffc72cfba9f10173f6e1da..7ba872b7d2fa7cdc6c7550c0ab130d3ce4a297cd 100644
--- a/modules/admin/lib/Controller/Federation.php
+++ b/modules/admin/lib/Controller/Federation.php
@@ -62,7 +62,7 @@ class Federation
      * @throws \SimpleSAML\Error\Exception
      * @throws \SimpleSAML\Error\Exception
      */
-    public function main()
+    public function main(): Template
     {
         Utils\Auth::requireAdmin();
 
@@ -344,7 +344,7 @@ class Federation
      *
      * @return \SimpleSAML\XHTML\Template
      */
-    public function metadataConverter(Request $request)
+    public function metadataConverter(Request $request): Template
     {
         Utils\Auth::requireAdmin();
         if ($xmlfile = $request->files->get('xmlfile')) {
@@ -411,7 +411,7 @@ class Federation
      *
      * @return Response PEM-encoded certificate.
      */
-    public function downloadCert(Request $request)
+    public function downloadCert(Request $request): Response
     {
         Utils\Auth::requireAdmin();
 
@@ -454,7 +454,7 @@ class Federation
      *
      * @return Response
      */
-    public function showRemoteEntity(Request $request)
+    public function showRemoteEntity(Request $request): Response
     {
         Utils\Auth::requireAdmin();
 
diff --git a/modules/admin/lib/Controller/Menu.php b/modules/admin/lib/Controller/Menu.php
index 6887fab1abd066809ea8b0207d8db5d701c6bfb7..bd1b2f4304ef621b3e695a7c244e2bb6f764940c 100644
--- a/modules/admin/lib/Controller/Menu.php
+++ b/modules/admin/lib/Controller/Menu.php
@@ -55,7 +55,7 @@ final class Menu
      * @param string $name The name of the option for display purposes.
      * @return void
      */
-    public function addOption($id, $url, $name)
+    public function addOption(string $id, string $url, string $name): void
     {
         $this->options[$id] = [
             'url' => $url,
@@ -84,7 +84,7 @@ final class Menu
      *
      * @return \SimpleSAML\XHTML\Template The template with the added menu.
      */
-    public function insert(Template $template)
+    public function insert(Template $template): Template
     {
         $template->data['menu'] = $this->options;
         Module::callHooks('adminmenu', $template);
diff --git a/modules/admin/lib/Controller/Test.php b/modules/admin/lib/Controller/Test.php
index 06b4baa0f7d6ea4b80b5e76b6491428642016b1d..5a9dd1db208dcbfab92e8d901704dce1dca62724 100644
--- a/modules/admin/lib/Controller/Test.php
+++ b/modules/admin/lib/Controller/Test.php
@@ -58,7 +58,7 @@ class Test
      * @param string|null $as
      * @return \SimpleSAML\XHTML\Template
      */
-    public function main(Request $request, $as)
+    public function main(Request $request, string $as = null)
     {
         Utils\Auth::requireAdmin();
         if (is_null($as)) {
diff --git a/modules/core/hooks/hook_frontpage.php b/modules/core/hooks/hook_frontpage.php
index f6ff146a3978a41970a25dbefc0979a22e4a7612..8eb6d6416498b9bbf19586579f4868ad9906f194 100644
--- a/modules/core/hooks/hook_frontpage.php
+++ b/modules/core/hooks/hook_frontpage.php
@@ -10,9 +10,8 @@ use Webmozart\Assert\Assert;
  * @param array &$links  The links on the frontpage, split into sections.
  * @return void
  */
-function core_hook_frontpage(&$links)
+function core_hook_frontpage(array &$links): void
 {
-    Assert::isArray($links);
     Assert::keyExists($links, 'links');
 
     $links['links']['frontpage_welcome'] = [
diff --git a/modules/core/hooks/hook_sanitycheck.php b/modules/core/hooks/hook_sanitycheck.php
index c786872bb70049a549d8e81c4ea825ddb4a22a6d..d37d6c62b43fa4e81a7906215058575f85cdc103 100644
--- a/modules/core/hooks/hook_sanitycheck.php
+++ b/modules/core/hooks/hook_sanitycheck.php
@@ -10,9 +10,8 @@ use Webmozart\Assert\Assert;
  * @param array &$hookinfo  hookinfo
  * @return void
  */
-function core_hook_sanitycheck(&$hookinfo)
+function core_hook_sanitycheck(array &$hookinfo): void
 {
-    Assert::isArray($hookinfo);
     Assert::keyExists($hookinfo, 'errors');
     Assert::keyExists($hookinfo, 'info');
 
diff --git a/modules/core/lib/ACL.php b/modules/core/lib/ACL.php
index 6ab1baa790f1ea76cf345e95b5794ac05221e0cb..0840cd12b95846137eeee8ed87d9f76478d47cb9 100644
--- a/modules/core/lib/ACL.php
+++ b/modules/core/lib/ACL.php
@@ -23,6 +23,7 @@ class ACL
      */
     private $acl;
 
+
     /**
      * Initializer for this access control list.
      *
@@ -70,13 +71,14 @@ class ACL
         return $config->getArray($id);
     }
 
+
     /**
      * Match the attributes against the access control list.
      *
      * @param array $attributes  The attributes of an user.
      * @return boolean  TRUE if the user is allowed to access the resource, FALSE if not.
      */
-    public function allows(array $attributes)
+    public function allows(array $attributes): bool
     {
         foreach ($this->acl as $rule) {
             $action = array_shift($rule);
@@ -94,6 +96,7 @@ class ACL
         return false;
     }
 
+
     /**
      * Match the attributes against the given rule.
      *
@@ -129,6 +132,7 @@ class ACL
         }
     }
 
+
     /**
      * 'and' match operator.
      *
@@ -148,6 +152,7 @@ class ACL
         return true;
     }
 
+
     /**
      * 'equals' match operator.
      *
@@ -188,6 +193,7 @@ class ACL
         return true;
     }
 
+
     /**
      * 'equals-preg' match operator.
      *
@@ -229,6 +235,7 @@ class ACL
         return true;
     }
 
+
     /**
      * 'has' match operator.
      *
@@ -256,6 +263,7 @@ class ACL
         return true;
     }
 
+
     /**
      * 'has-preg' match operator.
      *
@@ -284,6 +292,7 @@ class ACL
         return true;
     }
 
+
     /**
      * 'or' match operator.
      *
diff --git a/modules/core/lib/Auth/Process/AttributeMap.php b/modules/core/lib/Auth/Process/AttributeMap.php
index 63c81aad0e6ba97ec2aba50eff5627e8c5fb45a7..5a79368b94ed03c9d46b08f2641b33790ec2ec48 100644
--- a/modules/core/lib/Auth/Process/AttributeMap.php
+++ b/modules/core/lib/Auth/Process/AttributeMap.php
@@ -101,6 +101,7 @@ class AttributeMap extends \SimpleSAML\Auth\ProcessingFilter
             throw new \Exception('Could not find attribute map file: ' . $filePath);
         }
 
+        /** @psalm-var mixed|null $attributemap */
         $attributemap = null;
         include($filePath);
         if (!is_array($attributemap)) {
diff --git a/modules/core/lib/Auth/Source/AdminPassword.php b/modules/core/lib/Auth/Source/AdminPassword.php
index 5f2b8f7b5fbff5146445e3b24197b4cc9e195e76..9433372556bf500d2aa7d8ae27f0b63724612ef5 100644
--- a/modules/core/lib/Auth/Source/AdminPassword.php
+++ b/modules/core/lib/Auth/Source/AdminPassword.php
@@ -25,9 +25,6 @@ class AdminPassword extends \SimpleSAML\Module\core\Auth\UserPassBase
      */
     public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -50,9 +47,6 @@ class AdminPassword extends \SimpleSAML\Module\core\Auth\UserPassBase
      */
     protected function login(string $username, string $password): array
     {
-        Assert::string($username);
-        Assert::string($password);
-
         $config = Configuration::getInstance();
         $adminPassword = $config->getString('auth.adminpassword', '123');
         if ($adminPassword === '123') {
diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php
index 4b2ac3452e52f067564bc3f42b2f1848928bf6fd..14890d8de6a49e110f18f220a5c1bbfc3a5129c5 100644
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@@ -100,11 +100,8 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
      * @param array $info  Information about this authentication source.
      * @param array &$config  Configuration for this authentication source.
      */
-    public function __construct($info, &$config)
+    public function __construct(array $info, array &$config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         if (isset($config['core:loginpage_links'])) {
             $this->loginLinks = $config['core:loginpage_links'];
         }
@@ -135,7 +132,7 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
      * @param string|null $forcedUsername  The forced username.
      * @return void
      */
-    public function setForcedUsername($forcedUsername): void
+    public function setForcedUsername(?string $forcedUsername): void
     {
         Assert::nullOrString($forcedUsername);
         $this->forcedUsername = $forcedUsername;
@@ -143,7 +140,7 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
 
     /**
      * Return login links from configuration
-     * @return array
+     * @return string[]
      */
     public function getLoginLinks(): array
     {
@@ -238,7 +235,6 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
             }
 
             $attributes = $this->login($username, $password);
-            Assert::isArray($attributes);
             $state['Attributes'] = $attributes;
 
             return;
@@ -271,9 +267,9 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
      *
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
-     * @return array  Associative array with the user's attributes.
+     * @return array Associative array with the user's attributes.
      */
-    abstract protected function login($username, $password): array;
+    abstract protected function login(string $username, string $password): array;
 
 
     /**
@@ -288,7 +284,7 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
      * @param string $password  The password the user wrote.
      * @return void
      */
-    public static function handleLogin(string $authStateId, string $username, string $password)
+    public static function handleLogin(string $authStateId, string $username, string $password): void
     {
         // Here we retrieve the state array we saved in the authenticate-function.
         /** @var array $state */
@@ -319,7 +315,6 @@ abstract class UserPassBase extends \SimpleSAML\Auth\Source
         Logger::stats('User \'' . $username . '\' successfully authenticated from ' . $_SERVER['REMOTE_ADDR']);
 
         // Save the attributes we received from the login-function in the $state-array
-        Assert::isArray($attributes);
         $state['Attributes'] = $attributes;
 
         // Return control to SimpleSAMLphp after successful authentication.
diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php
index f8ba52fd0aec98f56a94152fcf31e59fcd8fdc60..b854a240ddf4d5ba679b0caf97e624e2efd13e8d 100644
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@@ -99,11 +99,8 @@ abstract class UserPassOrgBase extends \SimpleSAML\Auth\Source
      * @param array $info  Information about this authentication source.
      * @param array &$config  Configuration for this authentication source.
      */
-    public function __construct($info, &$config)
+    public function __construct(array $info, array &$config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -143,7 +140,7 @@ abstract class UserPassOrgBase extends \SimpleSAML\Auth\Source
      * @param string $usernameOrgMethod  The method which should be used.
      * @return void
      */
-    protected function setUsernameOrgMethod($usernameOrgMethod): void
+    protected function setUsernameOrgMethod(string $usernameOrgMethod): void
     {
         Assert::oneOf($usernameOrgMethod, ['none', 'allow', 'force']);
 
diff --git a/modules/core/lib/Controller/Login.php b/modules/core/lib/Controller/Login.php
index 99b13664e7a1e0edecd7260e34b73a4b7aedd869..e117cdc2c6537e486c00d6b416a7d23fd53cb823 100644
--- a/modules/core/lib/Controller/Login.php
+++ b/modules/core/lib/Controller/Login.php
@@ -199,7 +199,7 @@ class Login
      * @param Request $request The request that lead to this login operation.
      * @return void
      */
-    public function cleardiscochoices(Request $request)
+    public function cleardiscochoices(Request $request): void
     {
         // The base path for cookies. This should be the installation directory for SimpleSAMLphp.
         $cookiePath = $this->config->getBasePath();
diff --git a/modules/core/lib/Stats/Output/File.php b/modules/core/lib/Stats/Output/File.php
index a6562637ab104c6d4ffc94fb924b503277b874d9..df83076923caba53db330feb33e9bc3ff5f5acf8 100644
--- a/modules/core/lib/Stats/Output/File.php
+++ b/modules/core/lib/Stats/Output/File.php
@@ -58,7 +58,7 @@ class File extends \SimpleSAML\Stats\Output
      * @param string $date  The date for the log file.
      * @return void
      */
-    private function openLog(string $date)
+    private function openLog(string $date): void
     {
         if ($this->file !== null && $this->file !== false) {
             fclose($this->file);
diff --git a/modules/core/lib/Storage/SQLPermanentStorage.php b/modules/core/lib/Storage/SQLPermanentStorage.php
index 541bb711792249df973adf4b1b91cf6c49863e17..dda3fa35c3898550d479dc3c7a04631ed7bdff58 100644
--- a/modules/core/lib/Storage/SQLPermanentStorage.php
+++ b/modules/core/lib/Storage/SQLPermanentStorage.php
@@ -28,7 +28,7 @@ class SQLPermanentStorage
      * @param \SimpleSAML\Configuration|null $config
      * @throws \Exception
      */
-    public function __construct($name, $config = null)
+    public function __construct(string $name, Configuration $config = null)
     {
         if (is_null($config)) {
             $config = Configuration::getInstance();
@@ -78,7 +78,7 @@ class SQLPermanentStorage
      * @param int|null $duration
      * @return void
      */
-    public function set($type, $key1, $key2, $value, $duration = null)
+    public function set(string $type, string $key1, string $key2, string $value, int $duration = null): void
     {
         if ($this->exists($type, $key1, $key2)) {
             $this->update($type, $key1, $key2, $value, $duration);
@@ -140,12 +140,12 @@ class SQLPermanentStorage
 
 
     /**
-     * @param string $type
-     * @param string $key1
-     * @param string $key2
+     * @param string|null $type
+     * @param string|null $key1
+     * @param string|null $key2
      * @return array|null
      */
-    public function get($type = null, $key1 = null, $key2 = null)
+    public function get(string $type = null, string $key1 = null, string $key2 = null): ?array
     {
         $conditions = $this->getCondition($type, $key1, $key2);
         $query = 'SELECT * FROM data WHERE ' . $conditions;
@@ -165,12 +165,12 @@ class SQLPermanentStorage
     /**
      * Return the value directly (not in a container)
      *
-     * @param string $type
-     * @param string $key1
-     * @param string $key2
-     * @return array|null
+     * @param string|null $type
+     * @param string|null $key1
+     * @param string|null $key2
+     * @return string|null
      */
-    public function getValue($type = null, $key1 = null, $key2 = null)
+    public function getValue(string $type = null, string $key1 = null, string $key2 = null): ?string
     {
         $res = $this->get($type, $key1, $key2);
         if ($res === null) {
@@ -186,7 +186,7 @@ class SQLPermanentStorage
      * @param string $key2
      * @return bool
      */
-    public function exists($type, $key1, $key2)
+    public function exists(string $type, string $key1, string $key2): bool
     {
         $query = 'SELECT * FROM data WHERE type = :type AND key1 = :key1 AND key2 = :key2 LIMIT 1';
         $prepared = $this->db->prepare($query);
@@ -198,12 +198,12 @@ class SQLPermanentStorage
 
 
     /**
-     * @param string $type
-     * @param string $key1
-     * @param string $key2
+     * @param string|null $type
+     * @param string|null $key1
+     * @param string|null $key2
      * @return array|false
      */
-    public function getList($type = null, $key1 = null, $key2 = null)
+    public function getList(string $type = null, string $key1 = null, string $key2 = null)
     {
         $conditions = $this->getCondition($type, $key1, $key2);
         $query = 'SELECT * FROM data WHERE ' . $conditions;
@@ -223,15 +223,19 @@ class SQLPermanentStorage
 
 
     /**
-     * @param string $type
-     * @param string $key1
-     * @param string $key2
+     * @param string|null $type
+     * @param string|null $key1
+     * @param string|null $key2
      * @param string $whichKey
      * @throws \Exception
      * @return array|null
      */
-    public function getKeys($type = null, $key1 = null, $key2 = null, $whichKey = 'type')
-    {
+    public function getKeys(
+        string $type = null,
+        string $key1 = null,
+        string $key2 = null,
+        string $whichKey = 'type'
+    ): ?array {
         if (!in_array($whichKey, ['key1', 'key2', 'type'], true)) {
             throw new \Exception('Invalid key type');
         }
@@ -254,13 +258,14 @@ class SQLPermanentStorage
         return $resarray;
     }
 
+
     /**
      * @param string $type
      * @param string $key1
      * @param string $key2
      * @return bool
      */
-    public function remove($type, $key1, $key2)
+    public function remove(string $type, string $key1, string $key2): bool
     {
         $query = 'DELETE FROM data WHERE type = :type AND key1 = :key1 AND key2 = :key2';
         $prepared = $this->db->prepare($query);
@@ -274,7 +279,7 @@ class SQLPermanentStorage
     /**
      * @return int
      */
-    public function removeExpired()
+    public function removeExpired(): int
     {
         $query = "DELETE FROM data WHERE expire IS NOT NULL AND expire < :expire";
         $prepared = $this->db->prepare($query);
@@ -286,9 +291,9 @@ class SQLPermanentStorage
     /**
      * Create a SQL condition statement based on parameters
      *
-     * @param string $type
-     * @param string $key1
-     * @param string $key2
+     * @param string|null $type
+     * @param string|null $key1
+     * @param string|null $key2
      * @return string
      */
     private function getCondition(string $type = null, string $key1 = null, string $key2 = null): string
diff --git a/modules/cron/hooks/hook_configpage.php b/modules/cron/hooks/hook_configpage.php
index 136888a0036582a91a086acf69179db53fa81fce..cb43582994a0e41e690f878e95684711370fb8d6 100644
--- a/modules/cron/hooks/hook_configpage.php
+++ b/modules/cron/hooks/hook_configpage.php
@@ -6,7 +6,7 @@
  * @param \SimpleSAML\XHTML\Template &$template The template that we should alter in this hook.
  * @return void
  */
-function cron_hook_configpage(\SimpleSAML\XHTML\Template &$template)
+function cron_hook_configpage(\SimpleSAML\XHTML\Template &$template): void
 {
     $template->data['links']['cron'] = [
         'href' => SimpleSAML\Module::getModuleURL('cron/croninfo.php'),
diff --git a/modules/cron/hooks/hook_cron.php b/modules/cron/hooks/hook_cron.php
index 18b18847b750b9b263f6bdaf1e57882cf1f59245..2211d7a40260ae56e97d7c58c4028a15eef31d7f 100644
--- a/modules/cron/hooks/hook_cron.php
+++ b/modules/cron/hooks/hook_cron.php
@@ -8,9 +8,8 @@ use Webmozart\Assert\Assert;
  * @param array &$croninfo  Output
  * @return void
  */
-function cron_hook_cron(&$croninfo)
+function cron_hook_cron(array &$croninfo): void
 {
-    Assert::isArray($croninfo);
     Assert::keyExists($croninfo, 'summary');
     Assert::keyExists($croninfo, 'tag');
 
diff --git a/modules/cron/hooks/hook_frontpage.php b/modules/cron/hooks/hook_frontpage.php
index 3ca4903136dbf2064e59cf529cbc95260c970750..4e34f505d0c0a97307bf97d7d9b2b5e8414de439 100644
--- a/modules/cron/hooks/hook_frontpage.php
+++ b/modules/cron/hooks/hook_frontpage.php
@@ -8,9 +8,8 @@ use Webmozart\Assert\Assert;
  * @param array &$links  The links on the frontpage, split into sections.
  * @return void
  */
-function cron_hook_frontpage(&$links)
+function cron_hook_frontpage(array &$links): void
 {
-    Assert::isArray($links);
     Assert::keyExists($links, 'links');
 
     $links['config'][] = [
diff --git a/modules/cron/lib/Controller/Cron.php b/modules/cron/lib/Controller/Cron.php
index 7654533f347fdafe6c1b4ffa0402a42b21f942d9..e3d1a01767b694d98a9a15c01b119414be6581f8 100644
--- a/modules/cron/lib/Controller/Cron.php
+++ b/modules/cron/lib/Controller/Cron.php
@@ -63,7 +63,7 @@ class Cron
      * @return \SimpleSAML\XHTML\Template
      *   An HTML template or a redirection if we are not authenticated.
      */
-    public function info()
+    public function info(): Template
     {
         Utils\Auth::requireAdmin();
 
@@ -100,14 +100,14 @@ class Cron
      *
      * @param string $tag The tag
      * @param string $key The secret key
-     * @param string|null $output The output format, defaulting to xhtml
+     * @param string $output The output format, defaulting to xhtml
      *
      * @return \SimpleSAML\XHTML\Template|\Symfony\Component\HttpFoundation\Response
      *   An HTML template, a redirect or a "runnable" response.
      *
      * @throws \SimpleSAML\Error\Exception
      */
-    public function run($tag, $key, $output)
+    public function run(string $tag, string $key, string $output = 'xhtml'): Response
     {
         $configKey = $this->cronconfig->getValue('key', 'secret');
         if ($key !== $configKey) {
@@ -116,7 +116,7 @@ class Cron
         }
 
         $cron = new \SimpleSAML\Module\cron\Cron();
-        if ($tag === null || !$cron->isValidTag($tag)) {
+        if (!$cron->isValidTag($tag)) {
             Logger::error('Cron - Illegal tag [' . $tag . '].');
             exit;
         }
diff --git a/modules/cron/lib/Cron.php b/modules/cron/lib/Cron.php
index 81b3641b69837556652500ff2655e6f8c3920ebe..128ddc8bcfdcbc9c58d18027854038f714b8d0a7 100644
--- a/modules/cron/lib/Cron.php
+++ b/modules/cron/lib/Cron.php
@@ -38,7 +38,7 @@ class Cron
      * @return array the tag, and summary information from the run.
      * @throws \Exception If an invalid tag specified
      */
-    public function runTag($tag)
+    public function runTag(string $tag): array
     {
         if (!$this->isValidTag($tag)) {
             throw new \Exception("Invalid cron tag '$tag''");
@@ -63,7 +63,7 @@ class Cron
      * @param string $tag
      * @return bool
      */
-    public function isValidTag($tag)
+    public function isValidTag(string $tag): bool
     {
         if (!is_null($this->cronconfig->getValue('allowed_tags'))) {
             return in_array($tag, $this->cronconfig->getArray('allowed_tags'), true);
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index 966ab4b57d57b09e78126709715572cc396041d2..606479543cf59c24bf2c51b74aabc30a1fe3850d 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -44,11 +44,8 @@ class External extends \SimpleSAML\Auth\Source
      * @param array $info  Information about this authentication source.
      * @param array $config  Configuration.
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -109,8 +106,6 @@ class External extends \SimpleSAML\Auth\Source
      */
     public function authenticate(array &$state): void
     {
-        Assert::isArray($state);
-
         $attributes = $this->getUser();
         if ($attributes !== null) {
             /*
@@ -273,8 +268,6 @@ class External extends \SimpleSAML\Auth\Source
      */
     public function logout(array &$state): void
     {
-        Assert::isArray($state);
-
         if (!session_id()) {
             // session_start not called before. Do it here
             session_start();
diff --git a/modules/exampleauth/lib/Auth/Source/StaticSource.php b/modules/exampleauth/lib/Auth/Source/StaticSource.php
index 21c86c697944e374f31d36834bb1c4f3fecfa0f2..75e6a57da5c2604be0b4081e9b8f8b03c2124393 100644
--- a/modules/exampleauth/lib/Auth/Source/StaticSource.php
+++ b/modules/exampleauth/lib/Auth/Source/StaticSource.php
@@ -31,11 +31,8 @@ class StaticSource extends \SimpleSAML\Auth\Source
      * @param array $info  Information about this authentication source.
      * @param array $config  Configuration.
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -57,7 +54,6 @@ class StaticSource extends \SimpleSAML\Auth\Source
      */
     public function authenticate(array &$state): void
     {
-        Assert::isArray($state);
         $state['Attributes'] = $this->attributes;
     }
 }
diff --git a/modules/exampleauth/lib/Auth/Source/UserPass.php b/modules/exampleauth/lib/Auth/Source/UserPass.php
index 6d6849f2377e862b27f5c629f4e800ae2c08bf9c..e4e6b21883a755574ea39a6763284615a27a6f22 100644
--- a/modules/exampleauth/lib/Auth/Source/UserPass.php
+++ b/modules/exampleauth/lib/Auth/Source/UserPass.php
@@ -35,11 +35,8 @@ class UserPass extends \SimpleSAML\Module\core\Auth\UserPassBase
      * @param array $info  Information about this authentication source.
      * @param array $config  Configuration.
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -86,11 +83,8 @@ class UserPass extends \SimpleSAML\Module\core\Auth\UserPassBase
      * @param string $password  The password the user wrote.
      * @return array  Associative array with the users attributes.
      */
-    protected function login($username, $password)
+    protected function login(string $username, string $password): array
     {
-        Assert::string($username);
-        Assert::string($password);
-
         $userpass = $username . ':' . $password;
         if (!array_key_exists($userpass, $this->users)) {
             throw new Error\Error('WRONGUSERPASS');
diff --git a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php
index 5bad36250774b37089d70e77d4826348af30407f..009b9fb8c399ffa6037413ae6e3e882a059792f8 100644
--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
+++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php
@@ -59,11 +59,8 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      * @param array $info Information about this authentication source.
      * @param array $config Configuration.
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -141,8 +138,6 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      */
     public function authenticate(array &$state): void
     {
-        Assert::isArray($state);
-
         $state[self::AUTHID] = $this->authId;
         $state[self::SOURCESID] = $this->sources;
 
@@ -184,11 +179,8 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      * @return void
      * @throws \Exception
      */
-    public static function delegateAuthentication($authId, $state)
+    public static function delegateAuthentication(string $authId, array $state): void
     {
-        assert::string($authId);
-        Assert::isArray($state);
-
         $as = Auth\Source::getById($authId);
         $valid_sources = array_map(
             /**
@@ -236,8 +228,6 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      */
     public function logout(array &$state): void
     {
-        Assert::isArray($state);
-
         // Get the source that was used to authenticate
         $session = Session::getSessionFromRequest();
         $authId = $session->getData(self::SESSION_SOURCE, $this->authId);
@@ -260,10 +250,8 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      * @param string $source Name of the authentication source the user selected.
      * @return void
      */
-    public function setPreviousSource($source)
+    public function setPreviousSource(string $source): void
     {
-        Assert::string($source);
-
         $cookieName = 'multiauth_source_' . $this->authId;
 
         $config = Configuration::getInstance();
@@ -286,7 +274,7 @@ class MultiAuth extends \SimpleSAML\Auth\Source
      * last time or NULL if this is the first time or remembering is disabled.
      * @return string|null
      */
-    public function getPreviousSource()
+    public function getPreviousSource(): ?string
     {
         $cookieName = 'multiauth_source_' . $this->authId;
         if (array_key_exists($cookieName, $_COOKIE)) {
diff --git a/modules/portal/hooks/hook_htmlinject.php b/modules/portal/hooks/hook_htmlinject.php
index d446a6ed63b8c1a60a0011ab67f6eed95b631afb..acd88405c47fa7897f9d4d0ebf3df4a7b691ea10 100644
--- a/modules/portal/hooks/hook_htmlinject.php
+++ b/modules/portal/hooks/hook_htmlinject.php
@@ -8,9 +8,8 @@ use Webmozart\Assert\Assert;
  * @param array &$hookinfo  hookinfo
  * @return void
  */
-function portal_hook_htmlinject(&$hookinfo)
+function portal_hook_htmlinject(array &$hookinfo)
 {
-    Assert::isArray($hookinfo);
     Assert::keyExists($hookinfo, 'pre');
     Assert::keyExists($hookinfo, 'post');
     Assert::keyExists($hookinfo, 'page');
diff --git a/modules/portal/lib/Portal.php b/modules/portal/lib/Portal.php
index e116c6e5a5d93aaf967555029c401622f4e68833..f397953fee4026f476c494301174279d55fa6b41 100644
--- a/modules/portal/lib/Portal.php
+++ b/modules/portal/lib/Portal.php
@@ -21,7 +21,7 @@ class Portal
      * @param array $pages
      * @param array|null $config
      */
-    public function __construct($pages, $config = null)
+    public function __construct(array $pages, array $config = null)
     {
         $this->pages = $pages;
         $this->config = $config;
@@ -32,7 +32,7 @@ class Portal
      * @param string $thispage
      * @return array|null
      */
-    public function getTabset($thispage)
+    public function getTabset(string $thispage): ?array
     {
         if (!isset($this->config)) {
             return null;
@@ -50,7 +50,7 @@ class Portal
      * @param string $thispage
      * @return bool
      */
-    public function isPortalized($thispage)
+    public function isPortalized(string $thispage): bool
     {
         if (!isset($this->config)) {
             return false;
@@ -69,7 +69,7 @@ class Portal
      * @param string $thispage
      * @return string
      */
-    public function getLoginInfo($translator, $thispage)
+    public function getLoginInfo(Translate $translator, string $thispage): string
     {
         $info = ['info' => '', 'translator' => $translator, 'thispage' => $thispage];
         Module::callHooks('portalLoginInfo', $info);
@@ -81,7 +81,7 @@ class Portal
      * @param string $thispage
      * @return string
      */
-    public function getMenu($thispage)
+    public function getMenu(string $thispage): string
     {
         $config = Configuration::getInstance();
         $t = new Translate($config);
diff --git a/modules/saml/hooks/hook_metadata_hosted.php b/modules/saml/hooks/hook_metadata_hosted.php
index 75ee581b251354789831b7f8b8c24b68770f1c55..38f35ccfe2234b3ea5d9f42fb2ec7aa534ca2c57 100644
--- a/modules/saml/hooks/hook_metadata_hosted.php
+++ b/modules/saml/hooks/hook_metadata_hosted.php
@@ -8,10 +8,8 @@ use Webmozart\Assert\Assert;
  * @param array &$metadataHosted  The metadata links for hosted metadata on the frontpage.
  * @return void
  */
-function saml_hook_metadata_hosted(&$metadataHosted)
+function saml_hook_metadata_hosted(array &$metadataHosted)
 {
-    Assert::isArray($metadataHosted);
-
     $sources = \SimpleSAML\Auth\Source::getSourcesOfType('saml:SP');
 
     foreach ($sources as $source) {
diff --git a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
index cd64ac6ad8c89cf460d66dfab731b62c45c594ea..d33f6bad767675ac2f2eb1aacd0d9e58cbc32a42 100644
--- a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
+++ b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
@@ -97,7 +97,7 @@ class ExpectedAuthnContextClassRef extends \SimpleSAML\Auth\ProcessingFilter
      * @param array $request
      * @return void
      */
-    protected function unauthorized(&$request): void
+    protected function unauthorized(array &$request): void
     {
         Logger::error(
             'ExpectedAuthnContextClassRef: Invalid authentication context: ' . strval($this->AuthnContextClassRef) .
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 5dedebf5181088a4b47f9d6c77642ac809555a7a..eb9536602608983aaf7b1dcc9b25a811e40a158e 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -71,11 +71,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $info  Information about this authentication source.
      * @param array $config  Configuration.
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
-        Assert::isArray($info);
-        Assert::isArray($config);
-
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
@@ -107,7 +104,7 @@ class SP extends \SimpleSAML\Auth\Source
      *
      * @return string  The metadata URL.
      */
-    public function getMetadataURL()
+    public function getMetadataURL(): string
     {
         return Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
     }
@@ -118,7 +115,7 @@ class SP extends \SimpleSAML\Auth\Source
      *
      * @return string  The entity id of this SP.
      */
-    public function getEntityId()
+    public function getEntityId(): string
     {
         return $this->entityId;
     }
@@ -129,7 +126,7 @@ class SP extends \SimpleSAML\Auth\Source
      *
      * @return array The metadata array for its use by a remote IdP.
      */
-    public function getHostedMetadata()
+    public function getHostedMetadata(): array
     {
         $entityid = $this->getEntityId();
         $metadata = [
@@ -286,10 +283,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param string $entityId  The entity id of the IdP.
      * @return \SimpleSAML\Configuration  The metadata of the IdP.
      */
-    public function getIdPMetadata($entityId)
+    public function getIdPMetadata(string $entityId): Configuration
     {
-        Assert::string($entityId);
-
         if ($this->idp !== null && $this->idp !== $entityId) {
             throw new Error\Exception('Cannot retrieve metadata for IdP ' .
                 var_export($entityId, true) . ' because it isn\'t a valid IdP for this SP.');
@@ -316,7 +311,7 @@ class SP extends \SimpleSAML\Auth\Source
      *
      * @return \SimpleSAML\Configuration  The metadata of this SP.
      */
-    public function getMetadata()
+    public function getMetadata(): Configuration
     {
         return $this->metadata;
     }
@@ -325,9 +320,9 @@ class SP extends \SimpleSAML\Auth\Source
     /**
      * Get a list with the protocols supported by this SP.
      *
-     * @return array
+     * @return string[]
      */
-    public function getSupportedProtocols()
+    public function getSupportedProtocols(): array
     {
         return $this->protocols;
     }
@@ -455,7 +450,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state  The state array for the current authentication.
      * @return void
      */
-    private function startSSO2(Configuration $idpMetadata, array $state)
+    private function startSSO2(Configuration $idpMetadata, array $state): void
     {
         if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
             Auth\State::throwException(
@@ -654,7 +649,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param \SAML2\AuthnRequest  $ar  The authentication request.
      * @return void
      */
-    public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar)
+    public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar): void
     {
         $binding->send($ar);
         Assert::true(false);
@@ -668,10 +663,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state  The state array for the current authentication.
      * @return void
      */
-    public function startSSO($idp, array $state)
+    public function startSSO(string $idp, array $state): void
     {
-        Assert::string($idp);
-
         $idpMetadata = $this->getIdPMetadata($idp);
 
         $type = $idpMetadata->getString('metadata-set');
@@ -692,7 +685,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state  The state array.
      * @return void
      */
-    private function startDisco(array $state)
+    private function startDisco(array $state): void
     {
         $id = Auth\State::saveState($state, 'saml:sp:sso');
 
@@ -732,8 +725,6 @@ class SP extends \SimpleSAML\Auth\Source
      */
     public function authenticate(array &$state): void
     {
-        Assert::isArray($state);
-
         // We are going to need the authId in order to retrieve this authentication source later
         $state['saml:sp:AuthId'] = $this->authId;
 
@@ -877,7 +868,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @return void
      * @throws \SimpleSAML\Module\saml\Error\NoPassive In case the authentication request was passive.
      */
-    public static function askForIdPChange(array &$state)
+    public static function askForIdPChange(array &$state): void
     {
         Assert::keyExists($state, 'saml:sp:IdPMetadata');
         Assert::keyExists($state, 'saml:sp:AuthId');
@@ -908,7 +899,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state The state array.
      * @return void
      */
-    public static function reauthLogout(array $state)
+    public static function reauthLogout(array $state): void
     {
         Logger::debug('Proxy: logging the user out before re-authentication.');
 
@@ -929,7 +920,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state  The authentication state.
      * @return void
      */
-    public static function reauthPostLogin(array $state)
+    public static function reauthPostLogin(array $state): void
     {
         Assert::keyExists($state, 'ReturnCallback');
 
@@ -953,7 +944,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array &$state The state array with the state during logout.
      * @return void
      */
-    public static function reauthPostLogout(IdP $idp, array $state)
+    public static function reauthPostLogout(IdP $idp, array $state): void
     {
         Assert::keyExists($state, 'saml:sp:AuthId');
 
@@ -978,9 +969,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $state  The logout state.
      * @return void
      */
-    public function startSLO2(&$state)
+    public function startSLO2(array &$state): void
     {
-        Assert::isArray($state);
         Assert::keyExists($state, 'saml:logout:IdP');
         Assert::keyExists($state, 'saml:logout:NameID');
         Assert::keyExists($state, 'saml:logout:SessionIndex');
@@ -1036,14 +1026,10 @@ class SP extends \SimpleSAML\Auth\Source
      */
     public function logout(array &$state): void
     {
-        Assert::isArray($state);
         Assert::keyExists($state, 'saml:logout:Type');
 
         $logoutType = $state['saml:logout:Type'];
         switch ($logoutType) {
-            case 'saml1':
-                // Nothing to do
-                return;
             case 'saml2':
                 $this->startSLO2($state);
                 return;
@@ -1062,9 +1048,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $attributes  The attributes.
      * @return void
      */
-    public function handleResponse(array $state, $idp, array $attributes)
+    public function handleResponse(array $state, string $idp, array $attributes): void
     {
-        Assert::string($idp);
         Assert::keyExists($state, 'LogoutState');
         Assert::keyExists($state, 'saml:logout:Type');
 
@@ -1107,10 +1092,8 @@ class SP extends \SimpleSAML\Auth\Source
      * @param string $idpEntityId  The entity ID of the IdP.
      * @return void
      */
-    public function handleLogout($idpEntityId)
+    public function handleLogout(string $idpEntityId): void
     {
-        Assert::string($idpEntityId);
-
         /* Call the logout callback we registered in onProcessingCompleted(). */
         $this->callLogoutCallback($idpEntityId);
     }
@@ -1131,11 +1114,8 @@ class SP extends \SimpleSAML\Auth\Source
      * configuration directive for more information about allowing (or disallowing) URLs.
      * @return void
      */
-    public static function handleUnsolicitedAuth($authId, array $state, $redirectTo)
+    public static function handleUnsolicitedAuth(string $authId, array $state, string $redirectTo): void
     {
-        Assert::string($authId);
-        Assert::string($redirectTo);
-
         $session = Session::getSessionFromRequest();
         $session->doLogin($authId, Auth\State::getPersistentAuthData($state));
 
@@ -1149,7 +1129,7 @@ class SP extends \SimpleSAML\Auth\Source
      * @param array $authProcState  The processing chain state.
      * @return void
      */
-    public static function onProcessingCompleted(array $authProcState)
+    public static function onProcessingCompleted(array $authProcState): void
     {
         Assert::keyExists($authProcState, 'saml:sp:IdP');
         Assert::keyExists($authProcState, 'saml:sp:State');
diff --git a/modules/saml/lib/BaseNameIDGenerator.php b/modules/saml/lib/BaseNameIDGenerator.php
index 0e7dc5c9cf67213e52e4e8a22f814373dce1a98f..15bb39770fd1b55287e795a8cefd5ae7a9d9c2d2 100644
--- a/modules/saml/lib/BaseNameIDGenerator.php
+++ b/modules/saml/lib/BaseNameIDGenerator.php
@@ -78,7 +78,7 @@ abstract class BaseNameIDGenerator extends \SimpleSAML\Auth\ProcessingFilter
      *
      * @return string|null  The NameID value.
      */
-    abstract protected function getValue(array &$state);
+    abstract protected function getValue(array &$state): ?string;
 
 
     /**
diff --git a/modules/saml/lib/Error.php b/modules/saml/lib/Error.php
index e299117b2eda06e8ecdb9e99a511236987340904..9c28eab9e2edc95bd932444cb8a1248d5d334d8a 100644
--- a/modules/saml/lib/Error.php
+++ b/modules/saml/lib/Error.php
@@ -47,12 +47,12 @@ class Error extends \SimpleSAML\Error\Exception
      * Can be NULL, in which case there is no status message.
      * @param \Exception|null $cause  The cause of this exception. Can be NULL.
      */
-    public function __construct($status, $subStatus = null, $statusMessage = null, \Exception $cause = null)
-    {
-        Assert::string($status);
-        Assert::nullOrString($subStatus);
-        Assert::nullOrString($statusMessage);
-
+    public function __construct(
+        string $status,
+        string $subStatus = null,
+        string $statusMessage = null,
+        \Exception $cause = null
+    ) {
         $st = self::shortStatus($status);
         if ($subStatus !== null) {
             $st .= '/' . self::shortStatus($subStatus);
@@ -73,7 +73,7 @@ class Error extends \SimpleSAML\Error\Exception
      *
      * @return string  The top-level status code.
      */
-    public function getStatus()
+    public function getStatus(): string
     {
         return $this->status;
     }
@@ -84,7 +84,7 @@ class Error extends \SimpleSAML\Error\Exception
      *
      * @return string|null  The second-level status code or NULL if no second-level status code is present.
      */
-    public function getSubStatus()
+    public function getSubStatus(): ?string
     {
         return $this->subStatus;
     }
@@ -95,7 +95,7 @@ class Error extends \SimpleSAML\Error\Exception
      *
      * @return string|null  The status message or NULL if no status message is present.
      */
-    public function getStatusMessage()
+    public function getStatusMessage(): ?string
     {
         return $this->statusMessage;
     }
@@ -115,23 +115,6 @@ class Error extends \SimpleSAML\Error\Exception
         if ($exception instanceof \SimpleSAML\Module\saml\Error) {
             // Return the original exception unchanged
             return $exception;
-
-        // TODO: remove this branch in 2.0
-        } elseif ($exception instanceof \SimpleSAML\Error\NoPassive) {
-            $e = new self(
-                Constants::STATUS_RESPONDER,
-                Constants::STATUS_NO_PASSIVE,
-                $exception->getMessage(),
-                $exception
-            );
-        // TODO: remove this branch in 2.0
-        } elseif ($exception instanceof \SimpleSAML\Error\ProxyCountExceeded) {
-            $e = new self(
-                Constants::STATUS_RESPONDER,
-                Constants::STATUS_PROXY_COUNT_EXCEEDED,
-                $exception->getMessage(),
-                $exception
-            );
         } else {
             $e = new self(
                 \SAML2\Constants::STATUS_RESPONDER,
@@ -156,7 +139,7 @@ class Error extends \SimpleSAML\Error\Exception
      *
      * @return \SimpleSAML\Error\Exception  An exception representing this error.
      */
-    public function toException()
+    public function toException(): \SimpleSAML\Error\Exception
     {
         $e = null;
 
diff --git a/modules/saml/lib/Error/NoAuthnContext.php b/modules/saml/lib/Error/NoAuthnContext.php
index 508da8e0ca4f0f347d060fa8c1f9ba32408e8a1d..f9a3a40b16d4fc2287fad442b9bc1dfdb5241133 100644
--- a/modules/saml/lib/Error/NoAuthnContext.php
+++ b/modules/saml/lib/Error/NoAuthnContext.php
@@ -23,7 +23,7 @@ class NoAuthnContext extends \SimpleSAML\Module\saml\Error
      * @param string|null $message A short message explaining why this error happened.
      * @param \Exception|null $cause An exception that caused this error.
      */
-    public function __construct($responsible, $message = null, \Exception $cause = null)
+    public function __construct(string $responsible, string $message = null, \Exception $cause = null)
     {
         parent::__construct($responsible, Constants::STATUS_NO_AUTHN_CONTEXT, $message, $cause);
     }
diff --git a/modules/saml/lib/Error/NoAvailableIDP.php b/modules/saml/lib/Error/NoAvailableIDP.php
index f1c66ab4bbe7493ed2056f92163f202216a61c3c..f740aedc6ffc1a15c3dea3cf2d4ccfee0c7f3236 100644
--- a/modules/saml/lib/Error/NoAvailableIDP.php
+++ b/modules/saml/lib/Error/NoAvailableIDP.php
@@ -23,7 +23,7 @@ class NoAvailableIDP extends \SimpleSAML\Module\saml\Error
      * @param string|null $message A short message explaining why this error happened.
      * @param \Exception|null $cause An exception that caused this error.
      */
-    public function __construct($responsible, $message = null, \Exception $cause = null)
+    public function __construct(string $responsible, string $message = null, \Exception $cause = null)
     {
         parent::__construct($responsible, Constants::STATUS_NO_AVAILABLE_IDP, $message, $cause);
     }
diff --git a/modules/saml/lib/Error/NoPassive.php b/modules/saml/lib/Error/NoPassive.php
index 3fc03e0499b61f9a93c64259cd2c10f5c573fb3b..46ed47a3b553dc13f8a523c969898d13470d2c1a 100644
--- a/modules/saml/lib/Error/NoPassive.php
+++ b/modules/saml/lib/Error/NoPassive.php
@@ -23,7 +23,7 @@ class NoPassive extends \SimpleSAML\Module\saml\Error
      * @param string|null $message A short message explaining why this error happened.
      * @param \Exception|null $cause An exception that caused this error.
      */
-    public function __construct($responsible, $message = null, \Exception $cause = null)
+    public function __construct(string $responsible, string $message = null, \Exception $cause = null)
     {
         parent::__construct($responsible, Constants::STATUS_NO_PASSIVE, $message, $cause);
     }
diff --git a/modules/saml/lib/Error/NoSupportedIDP.php b/modules/saml/lib/Error/NoSupportedIDP.php
index 7806fb379e925e87301aa6cfae70743c8ad47c08..8e2a31dcd92876c5cce79c87c9640d5cc0e084b6 100644
--- a/modules/saml/lib/Error/NoSupportedIDP.php
+++ b/modules/saml/lib/Error/NoSupportedIDP.php
@@ -23,7 +23,7 @@ class NoSupportedIDP extends \SimpleSAML\Module\saml\Error
      * @param string|null $message A short message explaining why this error happened.
      * @param \Exception|null $cause An exception that caused this error.
      */
-    public function __construct($responsible, $message = null, \Exception $cause = null)
+    public function __construct(string $responsible, string $message = null, \Exception $cause = null)
     {
         parent::__construct($responsible, Constants::STATUS_NO_SUPPORTED_IDP, $message, $cause);
     }
diff --git a/modules/saml/lib/Error/ProxyCountExceeded.php b/modules/saml/lib/Error/ProxyCountExceeded.php
index 044aded1f9dd0d3ae5d2de0c3af8cd8abfb87f72..cfdbfb1e0083861bd29dd91a5a44cee7d8725e99 100644
--- a/modules/saml/lib/Error/ProxyCountExceeded.php
+++ b/modules/saml/lib/Error/ProxyCountExceeded.php
@@ -23,7 +23,7 @@ class ProxyCountExceeded extends \SimpleSAML\Module\saml\Error
      * @param string|null $message A short message explaining why this error happened.
      * @param \Exception|null $cause An exception that caused this error.
      */
-    public function __construct($responsible, $message = null, \Exception $cause = null)
+    public function __construct(string $responsible, string $message = null, \Exception $cause = null)
     {
         parent::__construct($responsible, Constants::STATUS_PROXY_COUNT_EXCEEDED, $message, $cause);
     }
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index da474da24406bdeed92155e013c469cafca6c40c..89b035128b3adfd8c392592e3886377df4e886d5 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -49,7 +49,7 @@ class SAML2
      * @param array $state The authentication state.
      * @return void
      */
-    public static function sendResponse(array $state)
+    public static function sendResponse(array $state): void
     {
         Assert::keyExists($state, 'saml:RequestId'); // Can be NULL
         Assert::keyExists($state, 'saml:RelayState'); // Can be NULL.
@@ -127,7 +127,7 @@ class SAML2
      * @param array $state The error state.
      * @return void
      */
-    public static function handleAuthError(\SimpleSAML\Error\Exception $exception, array $state)
+    public static function handleAuthError(\SimpleSAML\Error\Exception $exception, array $state): void
     {
         Assert::keyExists($state, 'saml:RequestId'); // Can be NULL.
         Assert::keyExists($state, 'saml:RelayState'); // Can be NULL.
@@ -200,7 +200,7 @@ class SAML2
         string $AssertionConsumerServiceURL = null,
         string $ProtocolBinding = null,
         int $AssertionConsumerServiceIndex = null
-    ) {
+    ): ?array {
         /* We want to pick the best matching endpoint in the case where for example
          * only the ProtocolBinding is given. We therefore pick endpoints with the
          * following priority:
@@ -277,7 +277,7 @@ class SAML2
      * @return void
      * @throws \SimpleSAML\Error\BadRequest In case an error occurs when trying to receive the request.
      */
-    public static function receiveAuthnRequest(\SimpleSAML\IdP $idp)
+    public static function receiveAuthnRequest(IdP $idp): void
     {
         $metadata = MetaDataStorageHandler::getMetadataHandler();
         $idpMetadata = $idp->getConfig();
@@ -494,10 +494,8 @@ class SAML2
      * @param string|null     $relayState An id that should be carried across the logout.
      * @return void
      */
-    public static function sendLogoutRequest(IdP $idp, array $association, $relayState)
+    public static function sendLogoutRequest(IdP $idp, array $association, string $relayState = null): void
     {
-        Assert::nullOrString($relayState);
-
         Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], true));
 
         $metadata = MetaDataStorageHandler::getMetadataHandler();
@@ -532,7 +530,7 @@ class SAML2
      * @param array           &$state The logout state array.
      * @return void
      */
-    public static function sendLogoutResponse(IdP $idp, array $state)
+    public static function sendLogoutResponse(IdP $idp, array $state): void
     {
         Assert::keyExists($state, 'saml:RelayState'); // Can be NULL.
         Assert::notNull($state['saml:SPEntityId']);
@@ -593,7 +591,7 @@ class SAML2
      * @return void
      * @throws \SimpleSAML\Error\BadRequest In case an error occurs while trying to receive the logout message.
      */
-    public static function receiveLogoutMessage(IdP $idp)
+    public static function receiveLogoutMessage(IdP $idp): void
     {
         $binding = Binding::getCurrentBinding();
         $message = $binding->receive();
@@ -602,15 +600,8 @@ class SAML2
         if ($issuer === null) {
             /* Without an issuer we have no way to respond to the message. */
             throw new Error\BadRequest('Received message on logout endpoint without issuer.');
-        } elseif ($issuer instanceof Issuer) {
-            /** @psalm-var string|null $spEntityId */
-            $spEntityId = $issuer->getValue();
-            if ($spEntityId === null) {
-                /* Without an issuer we have no way to respond to the message. */
-                throw new Error\BadRequest('Received message on logout endpoint without issuer.');
-            }
         } else {
-            $spEntityId = $issuer;
+            $spEntityId = $issuer->getValue();
         }
 
         $metadata = MetaDataStorageHandler::getMetadataHandler();
@@ -676,10 +667,8 @@ class SAML2
      *
      * @return string The logout URL.
      */
-    public static function getLogoutURL(IdP $idp, array $association, $relayState)
+    public static function getLogoutURL(IdP $idp, array $association, string $relayState = null): string
     {
-        Assert::nullOrString($relayState);
-
         Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], true));
 
         $metadata = MetaDataStorageHandler::getMetadataHandler();
@@ -718,7 +707,7 @@ class SAML2
      *
      * @return \SimpleSAML\Configuration  Configuration object for the SP metadata.
      */
-    public static function getAssociationConfig(IdP $idp, array $association)
+    public static function getAssociationConfig(IdP $idp, array $association): Configuration
     {
         $metadata = MetaDataStorageHandler::getMetadataHandler();
         try {
@@ -739,7 +728,7 @@ class SAML2
      * @throws \SimpleSAML\Error\Exception
      * @throws \SimpleSAML\Error\MetadataNotFound
      */
-    public static function getHostedMetadata($entityid)
+    public static function getHostedMetadata(string $entityid): array
     {
         $handler = MetaDataStorageHandler::getMetadataHandler();
         $config = $handler->getMetaDataConfig($entityid, 'saml20-idp-hosted');
@@ -942,7 +931,7 @@ class SAML2
         Configuration $idpMetadata,
         Configuration $spMetadata,
         array &$state
-    ) {
+    ): ?string {
         $attribute = $spMetadata->getString('simplesaml.nameidattribute', null);
         if ($attribute === null) {
             $attribute = $idpMetadata->getString('simplesaml.nameidattribute', null);
diff --git a/modules/saml/lib/IdP/SQLNameID.php b/modules/saml/lib/IdP/SQLNameID.php
index 37a3a2899ae56ed753212a3f4d4a6a1ae61e1afb..1d810040b910a8e4ed7d96ea2cec4fb357dd3bd5 100644
--- a/modules/saml/lib/IdP/SQLNameID.php
+++ b/modules/saml/lib/IdP/SQLNameID.php
@@ -178,12 +178,13 @@ class SQLNameID
      * @param array $config
      * @return void
      */
-    public static function add($idpEntityId, $spEntityId, $user, $value, array $config = [])
-    {
-        Assert::string($idpEntityId);
-        Assert::string($spEntityId);
-        Assert::string($user);
-        Assert::string($value);
+    public static function add(
+        string $idpEntityId,
+        string $spEntityId,
+        string $user,
+        string $value,
+        array $config = []
+    ): void {
 
         $params = [
             '_idp' => $idpEntityId,
@@ -207,12 +208,12 @@ class SQLNameID
      * @param array $config
      * @return string|null $value  The NameID value, or NULL of no NameID value was found.
      */
-    public static function get($idpEntityId, $spEntityId, $user, array $config = [])
-    {
-        Assert::string($idpEntityId);
-        Assert::string($spEntityId);
-        Assert::string($user);
-
+    public static function get(
+        string $idpEntityId,
+        string $spEntityId,
+        string $user,
+        array $config = []
+    ): ?string {
         $params = [
             '_idp' => $idpEntityId,
             '_sp' => $spEntityId,
@@ -229,7 +230,7 @@ class SQLNameID
             return null;
         }
 
-        return $row['_value'];
+        return strval($row['_value']);
     }
 
 
@@ -242,12 +243,12 @@ class SQLNameID
      * @param array $config
      * @return void
      */
-    public static function delete($idpEntityId, $spEntityId, $user, array $config = [])
-    {
-        Assert::string($idpEntityId);
-        Assert::string($spEntityId);
-        assert::string($user);
-
+    public static function delete(
+        string $idpEntityId,
+        string $spEntityId,
+        string $user,
+        array $config = []
+    ): void {
         $params = [
             '_idp' => $idpEntityId,
             '_sp' => $spEntityId,
@@ -268,11 +269,8 @@ class SQLNameID
      * @param array $config
      * @return array  Array of userid => NameID.
      */
-    public static function getIdentities($idpEntityId, $spEntityId, array $config = [])
+    public static function getIdentities(string $idpEntityId, string $spEntityId, array $config = []): array
     {
-        Assert::string($idpEntityId);
-        assert::string($spEntityId);
-
         $params = [
             '_idp' => $idpEntityId,
             '_sp' => $spEntityId,
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 7027e4f7e18fe342d1b49807cfd309f6aa911cfd..c5194aeca622586e2f602ae393cd74e0f332ccf7 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -43,7 +43,7 @@ class Message
         Configuration $srcMetadata,
         Configuration $dstMetadata,
         SignedElement $element
-    ) {
+    ): void {
         $dstPrivateKey = $dstMetadata->getString('signature.privatekey', null);
 
         if ($dstPrivateKey !== null) {
@@ -95,8 +95,7 @@ class Message
         Configuration $srcMetadata,
         Configuration $dstMetadata,
         \SAML2\Message $message
-    ) {
-
+    ): void {
         $signingEnabled = null;
         if ($message instanceof LogoutRequest || $message instanceof LogoutResponse) {
             $signingEnabled = $srcMetadata->getBoolean('sign.logout', null);
@@ -171,7 +170,7 @@ class Message
      * @throws \SimpleSAML\Error\Exception if there is not certificate in the metadata for the entity.
      * @throws \Exception if the signature validation fails with an exception.
      */
-    public static function checkSign(Configuration $srcMetadata, SignedElement $element)
+    public static function checkSign(Configuration $srcMetadata, SignedElement $element): bool
     {
         // find the public key that should verify signatures by this entity
         $keys = $srcMetadata->getPublicKeys('signing');
@@ -239,7 +238,7 @@ class Message
         Configuration $srcMetadata,
         Configuration $dstMetadata,
         \SAML2\Message $message
-    ) {
+    ): void {
         $enabled = null;
         if ($message instanceof LogoutRequest || $message instanceof LogoutResponse) {
             $enabled = $srcMetadata->getBoolean('validate.logout', null);
@@ -283,7 +282,7 @@ class Message
     public static function getDecryptionKeys(
         Configuration $srcMetadata,
         Configuration $dstMetadata
-    ) {
+    ): array {
         $sharedKey = $srcMetadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
             $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
@@ -338,7 +337,7 @@ class Message
     public static function getBlacklistedAlgorithms(
         Configuration $srcMetadata,
         Configuration $dstMetadata
-    ) {
+    ): array {
         $blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', null);
         if ($blacklist === null) {
             $blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', [XMLSecurityKey::RSA_1_5]);
@@ -424,7 +423,7 @@ class Message
         Configuration $srcMetadata,
         Configuration $dstMetadata,
         Assertion &$assertion
-    ) {
+    ): void {
         if (!$assertion->hasEncryptedAttributes()) {
             return;
         }
@@ -461,7 +460,7 @@ class Message
      *
      * @return \SimpleSAML\Module\saml\Error The error.
      */
-    public static function getResponseError(StatusResponse $response)
+    public static function getResponseError(StatusResponse $response): \SimpleSAML\Module\saml\Error
     {
         $status = $response->getStatus();
         return new \SimpleSAML\Module\saml\Error($status['Code'], $status['SubCode'], $status['Message']);
@@ -478,7 +477,7 @@ class Message
     public static function buildAuthnRequest(
         Configuration $spMetadata,
         Configuration $idpMetadata
-    ) {
+    ): AuthnRequest {
         $ar = new AuthnRequest();
 
         // get the NameIDPolicy to apply. IdP metadata has precedence.
@@ -540,7 +539,7 @@ class Message
     public static function buildLogoutRequest(
         Configuration $srcMetadata,
         Configuration $dstMetadata
-    ) {
+    ): LogoutRequest {
         $lr = new LogoutRequest();
         $issuer = new Issuer();
         $issuer->setValue($srcMetadata->getString('entityid'));
@@ -563,7 +562,7 @@ class Message
     public static function buildLogoutResponse(
         Configuration $srcMetadata,
         Configuration $dstMetadata
-    ) {
+    ): LogoutResponse {
         $lr = new LogoutResponse();
         $issuer = new Issuer();
         $issuer->setValue($srcMetadata->getString('entityid'));
@@ -594,7 +593,7 @@ class Message
         Configuration $spMetadata,
         Configuration $idpMetadata,
         Response $response
-    ) {
+    ): array {
         if (!$response->isSuccess()) {
             throw self::getResponseError($response);
         }
@@ -891,7 +890,7 @@ class Message
      *
      * @throws \SimpleSAML\Error\Exception if there is no supported encryption key in the metadata of this entity.
      */
-    public static function getEncryptionKey(Configuration $metadata)
+    public static function getEncryptionKey(Configuration $metadata): XMLSecurityKey
     {
         $sharedKey = $metadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
diff --git a/modules/saml/lib/SP/LogoutStore.php b/modules/saml/lib/SP/LogoutStore.php
index 8b941acd9611a1bcd092465f2349646ae475755a..a229d43bd3434bd4976c8818570c89b0a7f04aff 100644
--- a/modules/saml/lib/SP/LogoutStore.php
+++ b/modules/saml/lib/SP/LogoutStore.php
@@ -26,7 +26,7 @@ class LogoutStore
      * @param \SimpleSAML\Store\SQL $store  The datastore.
      * @return void
      */
-    private static function createLogoutTable(Store\SQL $store)
+    private static function createLogoutTable(Store\SQL $store): void
     {
         $tableVer = $store->getTableVersion('saml_LogoutStore');
         if ($tableVer === 4) {
@@ -201,7 +201,7 @@ class LogoutStore
      * @param \SimpleSAML\Store\SQL $store  The datastore.
      * @return void
      */
-    private static function cleanLogoutStore(Store\SQL $store)
+    private static function cleanLogoutStore(Store\SQL $store): void
     {
         Logger::debug('saml.LogoutStore: Cleaning logout store.');
 
@@ -231,7 +231,7 @@ class LogoutStore
         string $sessionIndex,
         int $expire,
         string $sessionId
-    ) {
+    ): void {
         self::createLogoutTable($store);
 
         if (rand(0, 1000) < 10) {
@@ -330,12 +330,8 @@ class LogoutStore
      * @param int $expire
      * @return void
      */
-    public static function addSession($authId, $nameId, $sessionIndex, $expire)
+    public static function addSession(string $authId, NameID $nameId, ?string $sessionIndex, int $expire): void
     {
-        Assert::string($authId);
-        Assert::nullorString($sessionIndex);
-        Assert::integer($expire);
-
         $session = Session::getSessionFromRequest();
         if ($session->isTransient()) {
             // transient sessions are useless for this purpose, nothing to do
@@ -385,10 +381,8 @@ class LogoutStore
      * @param array $sessionIndexes  The SessionIndexes we should log out of. Logs out of all if this is empty.
      * @return int|false  Number of sessions logged out, or FALSE if not supported.
      */
-    public static function logoutSessions($authId, $nameId, array $sessionIndexes)
+    public static function logoutSessions(string $authId, NameID $nameId, array $sessionIndexes)
     {
-        Assert::string($authId);
-
         $store = Store::getInstance();
         if ($store === false) {
             // We don't have a datastore
diff --git a/tests/Utils/SpTester.php b/tests/Utils/SpTester.php
index 9580819c5d3575099a2bd6b7fd6a8901a1077e71..bca15ff61d789a0802b068d265fdfe37ed1d4697 100644
--- a/tests/Utils/SpTester.php
+++ b/tests/Utils/SpTester.php
@@ -21,7 +21,7 @@ class SpTester extends \SimpleSAML\Module\saml\Auth\Source\SP
      * @param array $config
      * @return void
      */
-    public function __construct($info, $config)
+    public function __construct(array $info, array $config)
     {
         parent::__construct($info, $config);
     }
@@ -30,7 +30,7 @@ class SpTester extends \SimpleSAML\Module\saml\Auth\Source\SP
     /**
      * @return void
      */
-    public function startSSO2Test(Configuration $idpMetadata, array $state)
+    public function startSSO2Test(Configuration $idpMetadata, array $state): void
     {
         $reflector = new ReflectionObject($this);
         $method = $reflector->getMethod('startSSO2');
@@ -43,7 +43,7 @@ class SpTester extends \SimpleSAML\Module\saml\Auth\Source\SP
      * override the method that sends the request to avoid sending anything
      * @return void
      */
-    public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar)
+    public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar): void
     {
         // Exit test. Continuing would mean running into a assert(FALSE)
         throw new ExitTestException(
diff --git a/tests/lib/SimpleSAML/DatabaseTest.php b/tests/lib/SimpleSAML/DatabaseTest.php
index eea953043b25098d6a3eda157fcd0bbe419a78a7..95b4671e2056e6d51431c33ce3846b162f80a0a9 100644
--- a/tests/lib/SimpleSAML/DatabaseTest.php
+++ b/tests/lib/SimpleSAML/DatabaseTest.php
@@ -72,7 +72,6 @@ class DatabaseTest extends TestCase
         $this->config = new Configuration($config, "test/SimpleSAML/DatabaseTest.php");
 
         // Ensure that we have a functional configuration class
-        $this->assertInstanceOf(Configuration::class, $this->config);
         $this->assertEquals($config['database.dsn'], $this->config->getString('database.dsn'));
 
         $this->db = Database::getInstance($this->config);