Coverage increased (+0.006%) to 95.138% when pulling 1980b19 on waynewoodfield:conditional-certs into 9274e6b on onelogin:master.

Coverage increased (+0.006%) to 95.138% when pulling 8e2f124 on waynewoodfield:conditional-certs into 9274e6b on onelogin:master.

Coverage increased (+0.006%) to 95.138% when pulling c04427c on waynewoodfield:conditional-certs into 9274e6b on onelogin:master.

Thanks for the call-out. We haven't implemented the SLO yet at my company, so I had a blind spot to that. Added them into the condition now.

I don't actually care whether we send the signing key all the time or not. The encryption key is the one I mostly cared about, because there's no "wantResponsesEncrypted" property in the SP Metadata, so the only way I know to tell the IdP that I don't want SAMLResponses to be encrypted is to not send an encryption key.

I agree that the encryption part is the most important.

Can you add some unit test as well?

I also noticed that if getWantNameIdEncrypted is true, encryption key should be also sent.

Avoid key signing publication is weird for me.

I will follow the approach we did on php-saml:
https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Metadata.php#L199

I've updated this fork to include recommendations by Sixto - the signing key is published unconditionally, and encryption key will still be sent when getWantNameIdEncrypted is true. If you'd like to use that fork, I can resubmit a pull request. Otherwise, looking forward to your fix.

Hi @waynewoodfield, I followed what I did on php-saml, adding a boolean to decide when to encrypt or not instead of sending the full settings object. This way we keep the back-compatibility.

Thanks for contribute!