diff --git a/config-templates/config.php b/config-templates/config.php
index 01a57d0a0fd1a16c895f19d02b64fc7998cf76d7..14ae1ec8ff26fa69775f897526e04f8f3f7e725f 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -214,14 +214,13 @@ $config = array (
 	'idpdisco.layout' => 'links',
 
 	/*
-	 * Whether simpleSAMLphp should sign the response or the assertion in SAML 2.0 authentication
+	 * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
 	 * responses.
 	 *
 	 * The default is to sign the assertion element, but that can be overridden by setting this
 	 * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the
 	 * same name to the metadata of the SP.
 	 */
-	'saml20.signresponse' => FALSE,
 	'shib13.signresponse' => TRUE,
 	
 	
diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index 7cfe0da5ee6dcb296855032a520981d4131bb390..6e1360f26fdfe4525de6f5ae5dd7cee2ff6e96e3 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -140,6 +140,22 @@ The following SAML 2.0 options are available:
     configure your webserver to deliver this URL to the correct PHP
     page.
 
+`saml20.sign.response`
+:   Whether `<samlp:Response> messages should be signed.
+    Defaults to `TRUE`.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+`saml20.sign.assertion`
+:   Whether `<saml:Assertion> elements should be signed.
+    Defaults to `TRUE`.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
 
 ### Fields for signing and validating messages
 
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index e6a20ff80274ceb17d5e259b955fb6d7dfbd3ceb..c02b7a937e13ad49eb438bc7ef2b084e8cb17983 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -161,14 +161,19 @@ The following SAML 2.0 options are available:
     (if `assertion.encryption` is set to TRUE and `sharedkey` is
     unset.)
 
-`signresponse`
-:   The default behaviour of simpleSAMLphp is to sign the Assertion
-    element in the SAML 2.0 response sent to SPs. This option allows
-    you to override this behaviour on a per SP basis. Set this to
-    `TRUE` to sign the Response element. `FALSE` will make the SP sign
-    the Assertion. If this option is unset, the value from
-    `saml2.signresponse` in `config.php` will be used. That value is
-    `FALSE` by default.
+`saml20.sign.response`
+:   Whether `<samlp:Response> messages should be signed.
+    Defaults to `TRUE`.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
+`saml20.sign.assertion`
+:   Whether `<saml:Assertion> elements should be signed.
+    Defaults to `TRUE`.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
 
 `simplesaml.nameidattribute`
 :   When the value of the `NameIDFormat`-option is set to either
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index 5ab009571988cc188a19c639958c050b5b96fbb7..f9583f3b203dded71fe6fc32b0ed825b52c333f5 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -502,10 +502,18 @@ class sspmod_saml2_Message {
 	public static function buildAssertion(SimpleSAML_Configuration $srcMetadata,
 		SimpleSAML_Configuration $dstMetadata, array $attributes) {
 
+		$signAssertion = $dstMetadata->getBoolean('saml20.sign.assertion', NULL);
+		if ($signAssertion === NULL) {
+			$signAssertion = $srcMetadata->getBoolean('saml20.sign.assertion', TRUE);
+		}
+
 		$config = SimpleSAML_Configuration::getInstance();
 
 		$a = new SAML2_Assertion();
-		self::addSign($srcMetadata, $dstMetadata, $a);
+		if ($signAssertion) {
+			self::addSign($srcMetadata, $dstMetadata, $a);
+		}
+
 		$a->setIssuer($srcMetadata->getString('entityid'));
 		$a->setDestination($dstMetadata->getString('AssertionConsumerService'));
 		$a->setValidAudiences(array($dstMetadata->getString('entityid')));
@@ -574,12 +582,19 @@ class sspmod_saml2_Message {
 	 */
 	public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
 
+		$signResponse = $dstMetadata->getBoolean('saml20.sign.response', NULL);
+		if ($signResponse === NULL) {
+			$signResponse = $srcMetadata->getBoolean('saml20.sign.response', TRUE);
+		}
+
 		$r = new SAML2_Response();
 
 		$r->setIssuer($srcMetadata->getString('entityid'));
 		$r->setDestination($dstMetadata->getString('AssertionConsumerService'));
 
-		self::addSign($srcMetadata, $dstMetadata, $r);
+		if ($signResponse) {
+			self::addSign($srcMetadata, $dstMetadata, $r);
+		}
 
 		return $r;
 	}
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index ad5f9c0e0b3ecf173019ff3c38860ea8c5bdd2d3..ae63358527a71a74889736141e43f48e0dea1b20 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -54,7 +54,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
-				array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc')
+				array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
 			);
 		}
 		$et->data['metadata.saml20-idp-hosted'] = $results;
@@ -64,7 +64,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'AssertionConsumerService'),
-				array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'signresponse', 'AttributeNameFormat', 'authproc')
+				array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'AttributeNameFormat', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
 			);
 		}
 		$et->data['metadata.saml20-sp-remote'] = $results;