According to the 1.14 docs for saml2-idp-remote, both the "sign.authnrequest" and "sign.logout" properties state:
"Note that this option also exists in the SP configuration. This value in the IdP remote metadata overrides the value in the SP configuration."
Also in the docs for saml.SP, those same properties state:
"Note that this option also exists in the IdP-remote metadata, and any value in the IdP-remote metadata overrides the one configured in the SP configuration."
Turns out that this is incorrect. In sspmod_saml_Message (simplesamlphp/modules/saml2/lib/Message.php) the "addRedirectSign" method first checks the SP config ($srcMetadata) and only checks the IdP config ($dstMetadata) if null was received from the SP config. Therefore, the value in the remote IdP metadata NEVER overrides the value in the SP config.
Please don't simply change the documentation around :) It's very helpful to have the IdP metadata be the final say on whether authn/logout requests are signed.
Note that the redirect.sign option is currently handled correctly, only sign.logout and sign.authnrequest are not.
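To make the precedence problem concrete, here is an added illustration (a constructed model, not SimpleSAMLphp's own code) of the lookup order the report describes beside the order the documentation promises. Plain arrays stand in for the SP config ($srcMetadata) and the remote IdP metadata ($dstMetadata); the `lookup` helper and both resolver functions are assumptions made for this example.

```php
<?php
// Constructed model of the sign.authnrequest / sign.logout precedence bug.
// $sp stands in for the SP config ($srcMetadata), $idp for the IdP-remote metadata ($dstMetadata).

function lookup(array $metadata, string $option): ?bool
{
    // Null means "option not set", which is what triggers the fallback in both resolvers.
    return array_key_exists($option, $metadata) ? (bool) $metadata[$option] : null;
}

// Order as reported for addRedirectSign: SP config first, IdP metadata only if the SP is silent.
function signingEnabledAsImplemented(array $sp, array $idp, string $option): bool
{
    $enabled = lookup($sp, $option);
    if ($enabled === null) {
        $enabled = lookup($idp, $option);
    }
    return $enabled ?? false;
}

// Order as documented: an explicit IdP-remote value wins, SP config is only the fallback.
function signingEnabledAsDocumented(array $sp, array $idp, string $option): bool
{
    $enabled = lookup($idp, $option);
    if ($enabled === null) {
        $enabled = lookup($sp, $option);
    }
    return $enabled ?? false;
}

// Constructed sample: the SP config turns signing off, the IdP metadata requires it.
$sp  = ['sign.authnrequest' => false, 'sign.logout' => false];
$idp = ['sign.authnrequest' => true,  'sign.logout' => true];

foreach (['sign.authnrequest', 'sign.logout'] as $option) {
    printf(
        "%-18s implemented=%s documented=%s\n",
        $option,
        var_export(signingEnabledAsImplemented($sp, $idp, $option), true),
        var_export(signingEnabledAsDocumented($sp, $idp, $option), true)
    );
}
// With an explicit SP value present, the implemented order never consults the IdP
// metadata, so a signing requirement set only on the IdP side is silently ignored.
```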