Hi,
Today I noticed a very strange behaviour of the SATOSA SAML backend and was
curious if anyone on the list could shed some light on my findings.
For SURFnet's SecureID (2-factor auth) service an SP needs to send a signed
authnRequest on the Redirect binding of the SSO endpoint. The only setting I
could find in the SATOSA backend conf was
authn_requests_signed: true
This, however, generates an enveloped-signed XML message that is dropped on
the Redirect endpoint, which is against the SAML standard, which explicitly
mandates that the signature element be removed and a URL request parameter
Signature be added to the request:
3.4.4.1 DEFLATE Encoding
1. Any signature on the SAML protocol message, including the <ds:Signature>
XML element itself, MUST be removed
4. The signature value MUST be [...] included as a query string parameter
named Signature.
source: SAML-bindings-2.0-os
Did I miss something in the config to enable this behaviour or is pysaml2
blatantly ignoring the standard?
Best regards,
Martin van Es
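The Redirect-binding signing procedure the quoted section describes, as an added example that is not part of this thread and is neither pysaml2's nor SATOSA's code: the SP side strips the enveloped ds:Signature, applies DEFLATE and base64, URL-encodes, signs the string SAMLRequest=...&RelayState=...&SigAlg=... and appends the result as a separate Signature parameter; the IdP side rebuilds that string from the raw query and verifies it before inflating the request. The AuthnRequest, hostnames, the RSA-SHA256 SigAlg and the text-level removal of the ds:Signature element are constructed assumptions for this example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"io"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256 (assumed for this example); a receiver must allowlist what it accepts.
const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample: an AuthnRequest still carrying a dummy enveloped <ds:Signature>, as an SP that signs the XML itself would emit it. Hosts and IDs are invented.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z" Destination="https://idp.example.org/sso/redirect"><saml:Issuer>https://sp.example.org/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>`

func generateKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// stripEnvelopedSignature drops the <ds:Signature> element (binding step 1). Text-level removal keeps the example short; production code should edit the parsed XML instead.
func stripEnvelopedSignature(xml string) string {
	start := strings.Index(xml, "<ds:Signature")
	end := strings.Index(xml, "</ds:Signature>")
	if start < 0 || end < start {
		return xml
	}
	return xml[:start] + xml[end+len("</ds:Signature>"):]
}

// deflateBase64 applies raw DEFLATE (RFC 1951, no zlib header) and then base64 (steps 2-3).
func deflateBase64(msg string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // writes to a Buffer cannot fail
	w.Write([]byte(msg))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// signedString is the exact octet string that is signed: the URL-encoded values, in this fixed order, RelayState only when present (step 4).
func signedString(encReq, encRelay, encSigAlg string) string {
	if encRelay != "" {
		encReq += "&RelayState=" + encRelay
	}
	return "SAMLRequest=" + encReq + "&SigAlg=" + encSigAlg
}

// BuildRedirectQuery is the SP side: the query string for the IdP's Redirect SSO endpoint, with the signature carried in a separate Signature parameter.
func BuildRedirectQuery(authnRequest, relayState string, key *rsa.PrivateKey) (string, error) {
	encReq := url.QueryEscape(deflateBase64(stripEnvelopedSignature(authnRequest)))
	toSign := signedString(encReq, url.QueryEscape(relayState), url.QueryEscape(RSASHA256))
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// unescapeB64 URL-decodes a parameter value and then base64-decodes it.
func unescapeB64(v string) ([]byte, error) {
	s, err := url.QueryUnescape(v)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(s)
}

// VerifyRedirectQuery is the IdP side. The signed string is rebuilt from the raw, still URL-encoded values as received, because re-encoding after decoding need not reproduce the sender's octets. The inflated request is returned only when the Signature parameter verifies.
func VerifyRedirectQuery(query string, pub *rsa.PublicKey) (string, error) {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			raw[p[0]] = p[1]
		}
	}
	if alg, err := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != RSASHA256 {
		return "", errors.New("missing or unsupported SigAlg")
	}
	sig, err := unescapeB64(raw["Signature"])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signedString(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("Signature parameter does not verify")
	}
	req, err := unescapeB64(raw["SAMLRequest"])
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(req)))
	return string(out), err
}
```

Append the string returned by BuildRedirectQuery to the IdP's Redirect SSO URL after a "?"; the enveloped ds:Signature is gone from the inflated message and the only signature is the Signature query parameter. Two details on the verifying side matter in practice: the signed string must be rebuilt from the parameter values exactly as they arrived on the wire, not from values that were decoded and encoded again, and SigAlg must be checked against an allowlist rather than trusted from the request.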