From 63c1a25a0a0fb3bcf8ea054c49ce88ffc81599cc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 17 Jul 2015 16:15:35 -0400
Subject: [PATCH] Set the value of WantAuthnRequestsSigned to True

The spec says the default should be False if not specified
but lasso sets it to true unless it is explicitly set to
False. So let's be explicit and set it to True.

https://fedorahosted.org/ipsilon/ticket/136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
---
 ipsilon/tools/saml2metadata.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipsilon/tools/saml2metadata.py b/ipsilon/tools/saml2metadata.py
index d360ccd..2138777 100755
--- a/ipsilon/tools/saml2metadata.py
+++ b/ipsilon/tools/saml2metadata.py
@@ -86,6 +86,8 @@ class Metadata(object):
             raise ValueError('invalid role: %s' % role)
         self.role = mdElement(self.root, description)
         self.role.set('protocolSupportEnumeration', lasso.SAML2_PROTOCOL_HREF)
+        if role == IDP_ROLE:
+            self.role.set('WantAuthnRequestsSigned', 'true')
         return self.role
 
     def set_expiration(self, exp):
-- 
2.20.1