diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 212c0e95..11adbf49 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -227,7 +227,7 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R
return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)
@staticmethod
- def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
+ def add_x509_key_descriptors(metadata, cert=None):
"""
Adds the x509 descriptors (sign/encryption) to the metadata
The same cert will be used for sign/encrypt
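Review bot: Removing `add_encryption` from the signature of the public staticmethod `add_x509_key_descriptors` means any caller still passing a third argument, positionally or as `add_encryption=...`, now fails with a TypeError rather than silently getting the new always-on behaviour. If callers outside this repository are plausible, accepting `add_encryption=True` as a deprecated, ignored keyword for one release and noting in the docstring that both descriptors are always emitted would keep them working; otherwise a changelog entry flagging the break is warranted. The body of add_x509_key_descriptors continues outside this hunk.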
@@ -238,9 +238,6 @@ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
:param cert: x509 cert
:type cert: string
- :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
- :type add_encryption: boolean
-
:returns: Metadata with KeyDescriptors
:rtype: string
"""
@@ -268,18 +265,17 @@ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0]
sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
- if add_encryption:
- sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
signing.setAttribute('use', 'signing')
+
+ encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
+ encryption.setAttribute('use', 'encryption')
+
signing.appendChild(key_info)
- signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ encryption.appendChild(key_info.cloneNode(True))
- if add_encryption:
- encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
- encryption.setAttribute('use', 'encryption')
- encryption.appendChild(key_info.cloneNode(True))
- encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
+ encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
return xml.toxml()
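Review bot: The new lines `signing = xml.getElementsByTagName('md:KeyDescriptor')[0]` and `encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]` rely on an ordering invariant that is not stated: both clones are inserted before `sp_sso_descriptor.firstChild`, so the two descriptors added in this call always land at indexes 0 and 1, ahead of any descriptors added by an earlier call (get_sp_metadata calls this method twice, once per certificate). A comment such as `# both clones were inserted at the front, so [0]/[1] are the descriptors added in this call` would stop a future edit that appends instead of prepending from silently attaching the new KeyInfo to the wrong descriptor. The start of add_x509_key_descriptors, including whatever handling it has for an empty cert, lies outside this hunk, so that path cannot be checked here.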
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index f3c53be1..de3200c9 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -622,13 +622,11 @@ def get_sp_metadata(self):
self.get_contacts(), self.get_organization()
)
- add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
-
cert_new = self.get_sp_cert_new()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new)
cert = self.get_sp_cert()
- metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)
+ metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
# Sign metadata
if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
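Review bot: With the `wantNameIdEncrypted` / `wantAssertionsEncrypted` gate removed, the generated SP metadata now advertises a `use="encryption"` KeyDescriptor for both `cert_new` and `cert` independently of those settings, so an IdP reading this metadata may start encrypting NameIDs or assertions to either certificate; the SP must hold the matching private key for every certificate it publishes, or those responses cannot be decrypted. That this is intended should be recorded above the two calls, e.g. `# Both signing and encryption KeyDescriptors are always published for cert_new and cert, independently of the want*Encrypted flags`. Whether get_sp_cert_new can return an empty value and how add_x509_key_descriptors treats it is not visible in this hunk; get_sp_metadata begins and ends outside it.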
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 4b79715d..bca6de7a 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -341,10 +341,7 @@ def testGetSPMetadata(self):
Tests the getSPMetadata method of the OneLogin_Saml2_Settings
Case unsigned metadata
"""
- settings_info = self.loadSettingsJSON()
- settings_info['security']['wantNameIdEncrypted'] = False
- settings_info['security']['wantAssertionsEncrypted'] = False
- settings = OneLogin_Saml2_Settings(settings_info)
+ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
metadata = settings.get_sp_metadata()
self.assertNotEqual(len(metadata), 0)
@@ -355,14 +352,6 @@ def testGetSPMetadata(self):
self.assertIn('', metadata)
self.assertIn('', metadata)
self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata)
- self.assertEquals(1, metadata.count('