Added support to read sp_sign_assertions key to remove hardcoded valu…

…e (#1107)

Co-authored-by: Lucas Michot <[email protected]>

Provider.php

@@ -169,6 +169,7 @@ public static function additionalConfigKeys(): array
             'sp_org_url',
             'sp_default_binding_method',
             'sp_name_id_format',
+            'sp_sign_assertions',
             'idp_binding_method',
             'attribute_map',
         ];
@@ -368,7 +369,9 @@ public function getIdentityProviderEntityDescriptor(): EntityDescriptor
     public function getServiceProviderEntityDescriptor(): EntityDescriptor
     {
         $spSsoDescriptor = new SpSsoDescriptor();
-        $spSsoDescriptor->setWantAssertionsSigned(true)->addNameIDFormat($this->getNameIDFormat());
+        $spSsoDescriptor
+            ->setWantAssertionsSigned((bool) $this->getConfig('sp_sign_assertions', true))
+            ->addNameIDFormat($this->getNameIDFormat());
 
         foreach ([SamlConstants::BINDING_SAML2_HTTP_REDIRECT, SamlConstants::BINDING_SAML2_HTTP_POST] as $binding) {
             $acsRoute = $this->getAssertionConsumerServiceRoute();

README.md

@@ -160,6 +160,7 @@ SAML2 supports the signing and encryption of messages and assertions. Many Ident
   'sp_certificate' => file_get_contents('path/to/sp_saml.crt'),
   'sp_private_key' => file_get_contents('path/to/sp_saml.pem'),
   'sp_private_key_passphrase' => 'passphrase to your private key, provide it only if you have one',
+  'sp_sign_assertions' => true, // or false to disable assertion signing
 ],
 ```