Add option to disable request signature in saml plugin >= 1.0.2


    • Type: New Feature
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: saml-plugin
    • Environment:
      JENKINS LTS 2.73.2 with SAML plugin >= 1.0.2

      We have noticed that the Jenkins SAML plugin >= 1.0.2 adds a signature to the SAML request. This requires the Jenkins server metadata to be accessible in /securityRealm/metadata for login and for the registration of the site in the IdP.

      This is very inconvenient as our workflow consists of registering Jenkins instances in the IdP before they are actually running. This was working fine with SAML-plugin < 1.0.2, but not anymore, as the metadata needs to be accessible.

      Is there a way to disable the signature and metadata via configuration at the moment?

      We are not very proficient with Java, but the forceSignRedirectBindingAuthnRequest and authnRequestSigned variables in the SAML library seem to control this (see [1]); at the moment there does not seem to be a way to control this from the plugin.

      Would you consider adding such an option to disable signatures and (optionally) have the old behavior back?

      [1]
      https://github.com/pac4j/pac4j/blob/master/pac4j-saml/src/main/java/org/pac4j/saml/client/SAML2ClientConfiguration.java#L84
      https://github.com/pac4j/pac4j/blob/master/pac4j-saml/src/main/java/org/pac4j/saml/client/SAML2ClientConfiguration.java#L68
      https://github.com/pac4j/pac4j/blob/master/pac4j-saml/src/main/java/org/pac4j/saml/transport/Pac4jHTTPRedirectDeflateEncoder.java#L64-L66
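The metadata dependency described in the request comes from what SP metadata carries: an SP that signs its AuthnRequests advertises AuthnRequestsSigned="true" in its SPSSODescriptor and publishes the signing certificate in a KeyDescriptor, which is what the IdP must fetch to verify the signature. The following is an added example, not code from this issue, the saml-plugin or pac4j; it parses a constructed SP metadata document in the shape Jenkins serves at /securityRealm/metadata (the entityID and certificate are placeholders) and reports what an IdP would learn from it before registration.

```python
# Added example, not code from the Jenkins issue, the saml-plugin or pac4j:
# report what an IdP needs from SP metadata when AuthnRequests are signed.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return entityID, the AuthnRequestsSigned flag and signing certs of an SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # The metadata schema defaults AuthnRequestsSigned to false when absent.
    signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"),
            "authn_requests_signed": signed, "signing_certs": certs}


def registration_warnings(info: dict) -> list:
    """Points to note before registering this SP at the IdP."""
    warnings = []
    if info["authn_requests_signed"] and not info["signing_certs"]:
        warnings.append("SP signs AuthnRequests but publishes no signing "
                        "certificate, so the IdP cannot verify the signature")
    if not info["authn_requests_signed"]:
        warnings.append("SP sends unsigned AuthnRequests, so the IdP cannot "
                        "verify that a login request originated from this SP")
    return warnings


# Constructed sample SP metadata (placeholder entityID and certificate) in the
# shape Jenkins publishes at /securityRealm/metadata.
SAMPLE_SIGNED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://jenkins.example/">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_UNSIGNED = SAMPLE_SIGNED.replace(' AuthnRequestsSigned="true"', "")
```

Running `inspect_sp_metadata` on a live download of the metadata shows whether a given plugin version commits the SP to signed requests, which is the property the IdP registration has to match.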

            Assignee:
            Ivan Fernandez Calvo
            Reporter:
            Alberto Rodriguez Peon
            Votes:
            0
            Watchers:
            3
