authorJaime Perez Crespo <jaime.perez@uninett.no>2015-03-31 17:00:15 +0200
committerJaime Perez Crespo <jaime.perez@uninett.no>2015-03-31 17:00:15 +0200
commitba351d40987e84cf3d2c7e646b9144fc8b84e5e5 (patch)
tree4bb41355d30dd2dc2317fb0cde99e6e27675df28
parente24c2fa15d68ee23a5dfddd5b5dc33f9dadbef68 (diff)
Support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata. New hosted SP configuration option WantAssertionsSigned to control the former attribute in exported metadata.
-rw-r--r--lib/SimpleSAML/Metadata/SAMLBuilder.php9
-rw-r--r--modules/saml/docs/sp.txt12
-rw-r--r--modules/saml/www/sp/metadata.php10
3 files changed, 29 insertions, 2 deletions
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index f684d82..70f92f5 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -441,6 +441,15 @@ class SimpleSAML_Metadata_SAMLBuilder {
$e = new SAML2_XML_md_SPSSODescriptor();
$e->protocolSupportEnumeration = $protocols;
+ if ($metadata->hasValue('saml20.sign.assertion')) {
+ $e->WantAssertionsSigned = $metadata->getBoolean('saml20.sign.assertion');
+ }
+
+ if ($metadata->hasValue('redirect.validate')) {
+ $e->AuthnRequestsSigned = $metadata->getBoolean('redirect.validate');
+ } elseif ($metadata->hasValue('validate.authnrequest')) {
+ $e->AuthnRequestsSigned = $metadata->getBoolean('validate.authnrequest');
+ }
$this->addExtensions($metadata, $e);
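Review bot: The mapping from the remote-metadata keys to the descriptor attributes needs a comment, because `redirect.validate` and `validate.authnrequest` are named from the IdP's point of view and a reader will not guess that they become `AuthnRequestsSigned`; a line such as `// saml20-sp-remote keys are written from the IdP's side: redirect.validate / validate.authnrequest mean this SP signs its requests, saml20.sign.assertion means it expects signed assertions` above the first `if` would cover it. It is also worth stating in that comment that both attributes are only an advertisement of the SP's expectations: nothing in this hunk rejects an unsigned request or assertion, so operators should not read the exported metadata as proof that signatures are enforced on either side. The same remark applies to the hosted-side translation in modules/saml/www/sp/metadata.php, where `redirect.sign` / `sign.authnrequest` are rewritten into those remote keys. The enclosing method continues past the end of the hunk.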
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 45c1e60..063be47 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -270,11 +270,13 @@ Options
`redirect.sign`
: Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
+ If set, the `AuthnRequestsSigned` attribute of the `SPSSODescriptor` element in SAML 2.0 metadata will contain its value. This
+ option takes precedence over the `sign.authnrequest` option in any metadata generated for this SP.
: *Note*: SAML 2 specific.
`redirect.validate`
-: Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
+: Whether logout requests and logout responses received by this SP should be validated. The default is `FALSE`.
: *Note*: SAML 2 specific.
@@ -312,7 +314,8 @@ Options
See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
`sign.authnrequest`
-: Whether to sign authentication requests sent from this SP.
+: Whether to sign authentication requests sent from this SP. If set, the `AuthnRequestsSigned` attribute of the
+ `SPSSODescriptor` element in SAML 2.0 metadata will contain its value.
: Note that this option also exists in the IdP-remote metadata, and
any value in the IdP-remote metadata overrides the one configured
@@ -366,6 +369,11 @@ Options
: *Note*: SAML 2 specific.
+`WantAssertionsSigned`
+: Whether assertions received by this SP must be signed. The default value is `FALSE`.
+ The value set for this option will be used to set the `WantAssertionsSigned` attribute of the `SPSSODescriptor` element in
+ the exported SAML 2.0 metadata.
+
Examples
--------
diff --git a/modules/saml/www/sp/metadata.php b/modules/saml/www/sp/metadata.php
index 5a74709..6547db1 100644
--- a/modules/saml/www/sp/metadata.php
+++ b/modules/saml/www/sp/metadata.php
@@ -194,6 +194,16 @@ if ($spconfig->hasValue('RegistrationInfo')) {
$metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
}
+// add signature options
+if ($spconfig->hasValue('WantAssertionsSigned')) {
+ $metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
+}
+if ($spconfig->hasValue('redirect.sign')) {
+ $metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
+} elseif ($spconfig->hasValue('sign.authnrequest')) {
+ $metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
+}
+
$supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP);
$metaArray20['metadata-set'] = 'saml20-sp-remote';