---
title: Configuring signature policy
description: The Signature Policy tab provides options controlling how digital signatures are used for SAML and WS-Federation single sign-on (SSO) messages.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idpprotocolsettingstasklet_idpsignaturepolicystate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idpprotocolsettingstasklet_idpsignaturepolicystate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Configuring signature policy

The **Signature Policy** tab provides options controlling how digital signatures are used for SAML and WS-Federation single sign-on (SSO) messages.

## About this task

The choices made on this tab depend on your partner agreement. For more information, see [Digital signing policy coordination](../introduction_to_pingfederate/pf_digi_sign_poli_coordin.html).

Digital signing is required for SAML response messages sent from the identity provider (IdP) through POST or redirect for SAML 2.0. The SAML specifications allow signing either the entire SAML response message or only the assertion portion inside it. If you and your partner agree on signing only the assertion, select the **Specify additional signature requirements** and **Require signed SAML Assertions** options on this tab. When **Require signed SAML Assertions** is selected, only the assertion portion of the SAML response message is signed, not the entire SAML response message. This is the only option that appears for SAML 1.x and WS-Federation connections.

SAML 2.0 authentication requests from the service provider (SP) can also be signed to enforce security. This option appears only for SAML 2.0 connections and when the SP-initiated SSO profile is enabled on the **SAML Profiles** tab.

Select **Always Sign Artifact Response** if you want the SAML ArtifactResponse to be signed regardless of the protocol being used to transport it.
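The following added example, which is not part of the PingFederate product or its documentation, shows one way to confirm during partner testing that a decoded SAML 2.0 response carries its signature where the agreed policy says it should. The function names and the sample messages are assumptions constructed for illustration, and the check is structural only: it does not validate the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signs_parent(element):
    # An enveloped signature is a direct child of the element it covers,
    # and its Reference URI must point at that element's own ID.
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + element.get("ID", "")

def signature_placement(xml_text):
    """Return (response_signed, assertion_signed) for a decoded SAML 2.0 Response."""
    root = ET.fromstring(xml_text)  # intended for captures from your own test runs
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    return signs_parent(root), signs_parent(assertions[0])

def matches_agreed_policy(xml_text, require_signed_assertions):
    # Mirrors the text above: with "Require signed SAML Assertions" selected,
    # only the assertion is signed; otherwise the whole response is signed.
    response_signed, assertion_signed = signature_placement(xml_text)
    if require_signed_assertions:
        return assertion_signed and not response_signed
    return response_signed

def build_sample(sign_response, sign_assertion):
    # Constructed sample: the signature elements are stubs with no digest or value.
    sig = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo></ds:Signature>'
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="r1">%s'
        '<saml:Assertion ID="a1">%s</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"],
         sig % "r1" if sign_response else "",
         sig % "a1" if sign_assertion else "")

if __name__ == "__main__":
    print(signature_placement(build_sample(False, True)))
```

A signature whose reference does not point at its own parent element is reported as not signing that element, which is the case worth investigating with your partner before going live.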

## Steps

* To continue, select the options based on your partner agreement.

## Result

If you are editing an existing connection, you can reconfigure the digital signature policy, which might require additional configuration changes in subsequent tasks.
