Hi, (Apologies sending this to the satosa-dev list but I don't recall that there is a dedicated pysaml2-dev email list?) I submitted a pull request to pysaml2 that enables configuration of signature verification for responses from a MDQ server: https://github.com/rohe/pysaml2/pull/483 I formally clicked to ask Ioannis for a review but welcome feedback from anyone. The current code allows MDQ configuration like this: metadata: mdq: - http://mdq.ukfederation.org.uk/ There is no way to specify a certificate to use to verify the signature and there is no verification done. The version in the pull request would still support that configuration but would enable this configuration: metadata: mdq: - url: http://mdq.ukfederation.org.uk/ cert: /etc/satosa/ukfederation-mdq.pem That follows the same configuration pattern as for remote metadata (ie. an aggregate downloaded from a URL). I did both positive and negative tests with the UK MDQ server and the Incommon beta MDQ server. I also updated the config.rst metadata example to show the explicit configuration. Please let me know if you have any questions or concerns. Thanks, Scott K