---
title: Defining signature policy (SAML)
description: On the Signature Policy tab, you can control how digital signatures are used for SAML messages.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_spprotocolsettingstasklet_spsignaturepolicystate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_spprotocolsettingstasklet_spsignaturepolicystate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Defining signature policy (SAML)

On the **Signature Policy** tab, you can control how digital signatures are used for SAML messages.

## Before you begin

For prerequisites and initial steps for configuring Browser SSO protocols, see [Configuring protocol settings](help_spbrowserssotasklet_spprotocolsettingsstate.html).

## About this task

The choices made in this tab depend on your partner agreement and your federation protocol. For more information, see [Digital signing policy coordination](../introduction_to_pingfederate/pf_digi_sign_poli_coordin.html).

* SAML 2.0

  Digital signing is required for SAML response messages sent from the identity provider (IdP) with the POST or redirect binding. Based on the SAML specifications, PingFederate provides three options:

  * Select **Always Sign Assertion** to always sign the assertion portion inside the SAML response message.

  * Select **Sign Response As Required** to sign the SAML response message per the SAML specifications. This is the default selection.

  * Select both to always sign the assertion portion inside the SAML response message for all bindings and to sign the SAML response message per the SAML specifications.

Authentication request messages from the service provider (SP) may also be signed to enforce security. This scenario applies only when the SP-initiated single sign-on (SSO) profile is enabled on the **SAML Profiles** tab. Select**Require Authn Requests to be Signed** to enforce this digital signature requirement. For more information, see [Choosing SAML 2.0 profiles](help_spbrowserssotasklet_selectsamlprofilesstate.html).

* SAML 1.x

  For SAML 1.0 and SAML 1.1, the assertion portion inside the SAML response message can be digitally signed.

  * Select **Always Sign Assertion** to always sign the assertion portion inside the SAML response message.

## Steps

1. On the **Signature Policy** tab, select the options based on your partner agreement and federation protocol.

2. Click **Next** to save changes.

## Result

If you are editing an existing connection, you can reconfigure the digital signature policy, which might require additional configuration changes in subsequent tasks.