I'm working with Spring Security SAML extension and met there ability to sign SP metadata. What are the use-cases of SP metadata signing? For my customization of the Metadata Generator I need to remove this feature and want to know consequences of such change(what I will loose in terms of security if SP metadata won't be signed).
Thanks!
The reason for the metadata being signed is to ensure that it has not been manipulated when transfered from the SP to the IDP or later at the IDP. This is for example usefull if you'r transmitting the the metadata over an unsecure channel.
If you make sure to transmit the metadata over some secure channel and the IDP means it can safely protect the metadata during storage, I can not see the need for signing.