
I have an SP configured with djangosaml2. This authenticates against a simplesamlPHP IdP. The configuration seems the right one, but the IdP responds that my AuthnRequest should be signed.

This is my djangosaml2 configuration:

import os
import saml2

# BASE_DIR is the usual Django settings variable (the project root)
SAML_CONFIG = {
    # full path to the xmlsec1 binary program
    'xmlsec_binary': '/usr/bin/xmlsec1',

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': 'https://<my_url>/saml2/metadata/',

    # directory with attribute mapping
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),

    # this block states what services we provide
    'service': {
        'sp': {
            'name': 'Federated SP',
            'endpoints': {
                'assertion_consumer_service': [
                    ('https://<my_url>/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                'single_logout_service': [
                    ('https://<my_url>/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://<my_url>/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },

            # attributes that this project needs to identify a user
            'required_attributes': ['uid'],

            # booleans, as in the pysaml2/djangosaml2 examples (not the string "true")
            'authn_requests_signed': True,
            'want_assertions_signed': True,
            'want_responses_signed': True,

            # attributes that may be useful to have but are not required
            'optional_attributes': [],

            # in this section the IdPs we talk to are defined
            'idp': {
                'idpID': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_POST: 'https://<their_url>/idp/SSO.saml2',
                    },
                    'single_logout_service': {
                        saml2.BINDING_HTTP_POST: 'https://<their_url>/idp/SLO.saml2',
                    },
                },
            },
        },
    },

    # where the remote (IdP) metadata is stored
    'metadata': {
        'local': [os.path.join(BASE_DIR, 'saml-data/metadata.xml')],
    },

    # set to 1 to output debugging information
    'debug': 1,

    # certificate used to sign our requests and published in our metadata
    'key_file': os.path.join(BASE_DIR, 'saml-data/mykey.key'),    # private part
    'cert_file': os.path.join(BASE_DIR, 'saml-data/mycert.pem'),  # public part

    'valid_for': 24,  # how long our metadata is valid (hours)
}

This is my AuthnRequest:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://MY_URL/saml2/acs/" Destination="https://THEIR_URL/idp/SSO.saml2" ID="id-438e1715fd5fe61333879b19e2238773" IssueInstant="2015-06-01T15:20:37Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://MY_URL/saml2/metadata/</saml:Issuer>
   <ds:Signature Id="Signature1">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#id-438e1715fd5fe61333879b19e2238773">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>Ool+AyPuBNA1WmBEeOzDZJhLz7Y=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>MY_SIGNATURE</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MY_CERT</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>

And this is IdP's response:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="gBreDljemX37io8bvhlEBeINLUm" IssueInstant="2015-06-01T15:20:53.388Z" InResponseTo="id-438e1715fd5fe61333879b19e2238773" Destination="https://MY_URL/saml2/acs/">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idpdecathlon</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#gBreDljemX37io8bvhlEBeINLUm">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>f0jH/VawZS9hrx9ErTJfjLGneBM=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>STUFF</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>THEIR_CERT</ds:X509Certificate>
         </ds:X509Data>
         <ds:KeyValue>
            <ds:RSAKeyValue>
               <ds:Modulus>MODULUS</ds:Modulus>
               <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
         </ds:KeyValue>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
      <samlp:StatusMessage>Signature required</samlp:StatusMessage>
   </samlp:Status>
</samlp:Response>
bimbogino
  • You might want to add how the simplesamlPHP IdP is configured with access to your public key. If the IdP does not have access to the public key, it cannot recognize the signature. Since the StatusMessage is optional in the spec and the StatusCode simply means there's a problem with the request, it seems possible that the IdP is not able to interpret your signature. – judielaine Jun 08 '15 at 22:59
  • Hey, I am also trying to set up djangosaml2 for my project. I do not have any previous experience with SAML. I've gotten the SP side of things set up, but I am having trouble authenticating with the IdP. Can you please help out? Thanks. – Aman Aug 17 '15 at 18:04

0 Answers
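The request above is signed, yet the IdP answers with urn:oasis:names:tc:SAML:2.0:status:Requester and "Signature required", which is the symptom you get when the IdP cannot match the signature to anything it knows about the SP (wrong or stale certificate in the SP metadata it was given, an Issuer that does not match the registered entityID, or metadata that never declared AuthnRequestsSigned). The following triage script is an added example, not code from the question, djangosaml2 or pysaml2: it cross-checks the AuthnRequest, the IdP's Response and the SP metadata handed to the IdP using only the standard library. It does not verify the XML signature cryptographically; it only checks that the pieces are consistent. The sample XML, certificate strings and URLs below are constructed placeholders.

```python
# Added triage helper for the "Signature required" symptom (not from the question,
# djangosaml2 or pysaml2). Cross-checks the SP's AuthnRequest, the IdP's Response and
# the SP metadata the IdP was given. No cryptographic verification is done here.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


def _norm_cert(text):
    """Base64 certificates are usually line-wrapped; compare them whitespace-insensitively."""
    return "".join((text or "").split())


def sp_metadata_facts(metadata_xml):
    """entityID, the AuthnRequestsSigned flag and the signing certs published in SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    certs = set()
    if sp is not None:
        for kd in sp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
            if kd.get("use") in (None, "signing"):
                for c in kd.findall(".//ds:X509Certificate", NS):
                    certs.add(_norm_cert(c.text))
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") if sp is not None else None,
        "signing_certs": certs,
    }


def authn_request_facts(request_xml):
    """Issuer, ID, whether an enveloped signature is present and which cert it carries."""
    root = ET.fromstring(request_xml)
    issuer = root.find("saml:Issuer", NS)
    sig = root.find("ds:Signature", NS)
    facts = {"id": root.get("ID"), "signed": sig is not None, "reference_ok": False, "cert": None,
             "issuer": (issuer.text or "").strip() if issuer is not None else None}
    if sig is not None:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        # The enveloped signature must reference the AuthnRequest's own ID.
        facts["reference_ok"] = ref is not None and ref.get("URI") == "#" + (facts["id"] or "")
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        facts["cert"] = _norm_cert(cert.text) if cert is not None else None
    return facts


def response_status(response_xml):
    """(StatusCode value, StatusMessage text) from a samlp:Response."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return (code.get("Value") if code is not None else None,
            (msg.text or "").strip() if msg is not None else None)


def triage(request_xml, response_xml, sp_metadata_xml):
    """Return a list of findings; an empty list means nothing obviously inconsistent."""
    req, md = authn_request_facts(request_xml), sp_metadata_facts(sp_metadata_xml)
    code, msg = response_status(response_xml)
    findings = []
    if code == STATUS_REQUESTER:
        findings.append("IdP blamed the requester: %s" % (msg or "(no StatusMessage)"))
    if not req["signed"]:
        findings.append("AuthnRequest carries no ds:Signature")
    elif not req["reference_ok"]:
        findings.append("ds:Reference URI does not point at the AuthnRequest ID")
    if req["issuer"] != md["entity_id"]:
        findings.append("Issuer %r != metadata entityID %r" % (req["issuer"], md["entity_id"]))
    if md["authn_requests_signed"] != "true":
        findings.append('SP metadata does not declare AuthnRequestsSigned="true"')
    if req["cert"] and req["cert"] not in md["signing_certs"]:
        findings.append("cert in the request's KeyInfo is not a signing KeyDescriptor in the SP metadata")
    return findings


# --- constructed sample data: placeholder strings, not real certificates or signatures ---
CERT_IN_REQUEST = "MIIBplaceholder-cert-currently-used-by-the-SP"
CERT_IN_METADATA = "MIIBplaceholder-cert-the-IdP-was-given-earlier"  # stale on purpose
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="id-1234" Version="2.0" IssueInstant="2015-06-01T15:20:37Z">
 <saml:Issuer>https://MY_URL/saml2/metadata/</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#id-1234"/></ds:SignedInfo>
  <ds:SignatureValue>SIG</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature></samlp:AuthnRequest>""" % CERT_IN_REQUEST
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r-1"
 Version="2.0" IssueInstant="2015-06-01T15:20:53Z" InResponseTo="id-1234"><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
 <samlp:StatusMessage>Signature required</samlp:StatusMessage></samlp:Status></samlp:Response>"""
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://MY_URL/saml2/metadata/">
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>""" % CERT_IN_METADATA

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_METADATA):
        print(" -", finding)
```

With the stale certificate in the sample metadata the script reports two findings: the Requester status from the IdP and the certificate mismatch; re-exporting the SP metadata from /saml2/metadata/ and loading it into the IdP is the fix for that case. To check the signature itself rather than just consistency, run the request through the same xmlsec1 binary the config points at, for example `xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest --trusted-pem saml-data/mycert.pem request.xml` (exact options vary by xmlsec1 version). Note also that the posted request uses rsa-sha1 and SHA-1 digests, which current IdPs increasingly reject; pysaml2 lets you select SHA-256 algorithms once the basic exchange works.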