    Why FusionAuth SAML Metadata Always Sets WantAssertionsSigned to False

    • wesley

      We have a client requirement for our SAML metadata to specify WantAssertionsSigned="true".
      We’ve configured a verification key in the Identity Provider (IdP) settings, but when we generate the metadata, the value still appears as WantAssertionsSigned="false".
      Is there a way to configure FusionAuth to set this value to true in the generated metadata?

      • wesley @wesley

        At this time, FusionAuth does not support changing WantAssertionsSigned to true in the generated SAML metadata. This value is hard-coded and cannot be modified through IdP configuration or other settings.

        From a practical standpoint, this should not impact security or standards compliance. FusionAuth signs the entire SAML response using the verification key configured in the IdP. Since the assertion is part of the signed response, signing the assertion itself would be redundant and is not required by the SAML specification.

        If your client strictly requires WantAssertionsSigned="true" due to a non-standard or legacy implementation, this would need to be addressed on the Service Provider side, as FusionAuth cannot currently emit metadata with that value set to true.

        • W wesley has marked this topic as solved
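
The answer above rests on the assertion sitting inside a response whose signature covers it. As an added example (not FusionAuth code and not part of the original posts), this sketch shows a structural check a Service Provider could run to see which element each signature reference covers; the function names and the sample message are assumptions constructed for illustration, and the check does not validate the cryptographic signature itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: IDs are placeholders and the signature carries no real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_resp1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_assert1"><saml:Subject/></saml:Assertion>
</samlp:Response>"""


def signed_uris(owner):
    """Reference URIs of ds:Signature elements that are direct children of owner."""
    refs = owner.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI") for r in refs}


def assertion_coverage(xml_text):
    """Map each assertion ID to 'assertion', 'response' or 'unsigned'.

    Structural only: a real SP must also verify the signature value against
    the IdP's verification key before trusting any of this.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    # URI="" references the whole document; "#<ID>" references the Response.
    response_signed = bool(signed_uris(root) & {"", "#" + root.get("ID", "")})
    result = {}
    # Only assertions that are direct children of the Response are considered.
    for a in root.findall("saml:Assertion", NS):
        if "#" + a.get("ID", "") in signed_uris(a):
            result[a.get("ID")] = "assertion"
        elif response_signed:
            result[a.get("ID")] = "response"
        else:
            result[a.get("ID")] = "unsigned"
    return result
```

A result of `response` corresponds to the case described in the answer: the assertion has no signature of its own but lies inside the signed response.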