diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index b978d6f6ae0de8ce1d83048398a60ab40c9e08e5..1bf1568ea013ce3fa0297cd99915151a4d1ce4a5 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -153,6 +153,10 @@ class SimpleSAML_Metadata_SAMLBuilder {
 		$e = $this->createElement('IDPSSODescriptor');
 		$e->setAttribute('protocolSupportEnumeration', 'urn:oasis:names:tc:SAML:2.0:protocol');
 
+		if (array_key_exists('redirect.sign', $metadata) && $metadata['redirect.sign']) {
+			$e->setAttribute('WantAuthnRequestSigned', 'true');
+		}
+
 		$this->addCertificate($e, $metadata);
 
 		if (array_key_exists('SingleLogoutService', $metadata)) {
diff --git a/lib/SimpleSAML/Metadata/SAMLParser.php b/lib/SimpleSAML/Metadata/SAMLParser.php
index 5c1ce47a23f638b514d4df683549df28ceebd877..d1bb4247745ef1153eb380df7ad10dcb65f3c586 100644
--- a/lib/SimpleSAML/Metadata/SAMLParser.php
+++ b/lib/SimpleSAML/Metadata/SAMLParser.php
@@ -647,6 +647,7 @@ class SimpleSAML_Metadata_SAMLParser {
 
 
 		$ret['name'] = $this->entityId;
 
+		/* Find IdP information which supports the SAML 2.0 protocol. */
 		$idp = $this->getIdPDescriptors(self::$SAML20Protocols);
 		if(count($idp) === 0) {
@@ -661,6 +662,11 @@ class SimpleSAML_Metadata_SAMLParser {
 			$ret['expire'] = $idp['expire'];
 		}
 
+		/* Enable redirect.sign if WantAuthnRequestsSigned is enabled. */
+		if ($idp['wantAuthnRequestsSigned']) {
+			$ret['redirect.sign'] = TRUE;
+		}
+
 		/* Find the SSO service endpoint. */
 		$sso = $this->getDefaultEndpoint($idp['singleSignOnServices'], array(self::SAML_20_REDIRECT_BINDING));
 		if($sso === NULL) {
@@ -842,6 +848,11 @@ class SimpleSAML_Metadata_SAMLParser {
 			$idp['singleSignOnServices'][] = self::parseSingleSignOnService($child);
 		}
 
+		if ($element->getAttribute('WantAuthnRequestsSigned') === 'true') {
+			$idp['wantAuthnRequestsSigned'] = TRUE;
+		} else {
+			$idp['wantAuthnRequestsSigned'] = FALSE;
+		}
 
 		$this->idpDescriptors[] = $idp;
 	}
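Review bot: The attribute written in the SAMLBuilder hunk is misspelled: `$e->setAttribute('WantAuthnRequestSigned', 'true');` emits `WantAuthnRequestSigned`, while the SAML 2.0 metadata attribute on `IDPSSODescriptor` (and the name the SAMLParser hunk at 842 reads) is `WantAuthnRequestsSigned`. As written, metadata exported by this builder will not cause this parser, or any other SP, to turn on request signing, so the `redirect.sign` setting is silently lost on the round trip. The line should read `$e->setAttribute('WantAuthnRequestsSigned', 'true');`. The enclosing method starts and ends outside the hunk.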
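Review bot: The comparison `$element->getAttribute('WantAuthnRequestsSigned') === 'true'` in the parser hunk at 842 only accepts the literal `true`, but the attribute is an XML Schema boolean whose valid lexical values also include `1`; an IdP publishing `WantAuthnRequestsSigned="1"` would be recorded as not wanting signed requests, and the SP would then send unsigned AuthnRequests that the IdP rejects. Consider `$v = $element->getAttribute('WantAuthnRequestsSigned'); $idp['wantAuthnRequestsSigned'] = ($v === 'true' || $v === '1');`, which also collapses the if/else into one assignment. Since this hunk sets the key for every parsed descriptor, the unguarded `$idp['wantAuthnRequestsSigned']` read in the hunk at 661 appears safe, but a short comment there noting that the key is guaranteed by the descriptor parser would help the next reader.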