Support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP...

Support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata. New hosted SP configuration option WantAssertionsSigned to control this attribute in exported metadata.

lib/SimpleSAML/Metadata/SAMLBuilder.php

@@ -441,6 +441,15 @@ class SimpleSAML_Metadata_SAMLBuilder {
 		$e = new SAML2_XML_md_SPSSODescriptor();
 		$e->protocolSupportEnumeration = $protocols;
 
+		if ($metadata->hasValue('saml20.sign.assertion')) {
+			$e->WantAssertionsSigned = $metadata->getBoolean('saml20.sign.assertion');
+		}
+
+		if ($metadata->hasValue('redirect.validate')) {
+			$e->AuthnRequestsSigned = $metadata->getBoolean('redirect.validate');
+		} elseif ($metadata->hasValue('validate.authnrequest')) {
+			$e->AuthnRequestsSigned = $metadata->getBoolean('validate.authnrequest');
+		}
 
 		$this->addExtensions($metadata, $e);
 

modules/saml/docs/sp.txt

@@ -270,11 +270,13 @@ Options
 
 `redirect.sign`
 :   Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
+    If set, the `AuthnRequestsSigned` attribute of the `SPSSODescriptor` element in SAML 2.0 metadata will contain its value. This
+    option takes precedence over the `sign.authnrequest` option in any metadata generated for this SP.
 
 :   *Note*: SAML 2 specific.
 
 `redirect.validate`
-:   Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
+:   Whether logout requests and logout responses received by this SP should be validated. The default is `FALSE`.
 
 :   *Note*: SAML 2 specific.
 
@@ -312,7 +314,8 @@ Options
     See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
 
 `sign.authnrequest`
-:   Whether to sign authentication requests sent from this SP.
+:   Whether to sign authentication requests sent from this SP. If set, the `AuthnRequestsSigned` attribute of the
+    `SPSSODescriptor` element in SAML 2.0 metadata will contain its value.
 
 :   Note that this option also exists in the IdP-remote metadata, and
     any value in the IdP-remote metadata overrides the one configured
@@ -366,6 +369,11 @@ Options
 
 :   *Note*: SAML 2 specific.
 
+`WantAssertionsSigned`
+:   Whether assertions received by this SP must be signed. The default value is `FALSE`.
+    The value set for this option will be used to set the `WantAssertionsSigned` attribute of the `SPSSODescriptor` element in
+    the exported SAML 2.0 metadata.
+
 
 Examples
 --------

modules/saml/www/sp/metadata.php

@@ -194,6 +194,16 @@ if ($spconfig->hasValue('RegistrationInfo')) {
 	$metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
 }
 
+// add signature options
+if ($spconfig->hasValue('WantAssertionsSigned')) {
+	$metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
+}
+if ($spconfig->hasValue('redirect.sign')) {
+	$metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
+} elseif ($spconfig->hasValue('sign.authnrequest')) {
+	$metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
+}
+
 $supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP);
 
 $metaArray20['metadata-set'] = 'saml20-sp-remote';