<![CDATA[Why FusionAuth SAML Metadata Always Sets WantAssertionsSigned to False]]>We have a client requirement for our SAML metadata to specify WantAssertionsSigned="true".
We’ve configured a verification key in the Identity Provider (IdP) settings, but when we generate the metadata, the value still appears as WantAssertionsSigned="false".
Is there a way to configure FusionAuth to set this value to true in the generated metadata?

]]>https://fusionauth.io/community/forum/topic/3082/why-fusionauth-saml-metadata-always-sets-wantassertionssigned-to-falseRSS for NodeSun, 14 Jun 2026 19:54:19 GMTSat, 20 Dec 2025 01:55:46 GMT60<![CDATA[Reply to Why FusionAuth SAML Metadata Always Sets WantAssertionsSigned to False on Sat, 20 Dec 2025 01:57:52 GMT]]>At this time, FusionAuth does not support changing WantAssertionsSigned to true in the generated SAML metadata. This value is hard-coded and cannot be modified through IdP configuration or other settings.

From a practical standpoint, this should not impact security or standards compliance. FusionAuth signs the entire SAML response using the verification key configured in the IdP. Since the assertion is part of the signed response, signing the assertion itself would be redundant and is not required by the SAML specification.

If your client strictly requires WantAssertionsSigned="true" due to a non-standard or legacy implementation, this would need to be addressed on the Service Provider side, as FusionAuth cannot currently emit metadata with that value set to true.

]]>https://fusionauth.io/community/forum/post/8458https://fusionauth.io/community/forum/post/8458Sat, 20 Dec 2025 01:57:52 GMT