From cafe99d1164cdc8dac3b3fb95f9ab9d5cc6660a2 Mon Sep 17 00:00:00 2001 From: yu-i-i Date: Thu, 6 Feb 2025 12:21:46 +0100 Subject: [PATCH] Update README.md (add ENV variables to control SAML signature validation) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index a196d10bec..6c9b6be287 100644 --- a/README.md +++ b/README.md @@ -579,6 +579,10 @@ If no matching record is found, the database is searched for a user with the pri * If `never`, then InResponseTo won't be validated (default). * If `ifPresent`, then InResponseTo will only be validated if present in the incoming SAML response. +- `OVERLEAF_SAML_WANT_ASSERTIONS_SIGNED` and `OVERLEAF_SAML_WANT_AUTHN_RESPONSE_SIGNED` + * When set to `true` (default), Overleaf expects the SAML Assertions, respectively the entire SAML Authentication Response, to be signed by the IdP. + When both options are `false`, at least one of the assertions or the response must be signed. + - `OVERLEAF_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS` * Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field. Default: 28800000 (8 hours).
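Review bot: the new `OVERLEAF_SAML_WANT_ASSERTIONS_SIGNED` / `OVERLEAF_SAML_WANT_AUTHN_RESPONSE_SIGNED` entry in the README.md hunk covers both variables `true` and both `false`, but not the mixed case where only one is set to `false`. Please state what is enforced then, since an operator relaxing one setting needs to know whether the other signature is still required. The wording "the SAML Assertions, respectively the entire SAML Authentication Response" packs two variables into one sentence; one sentence per variable, each naming its own default, would be easier to read. The line "When both options are `false`, at least one of the assertions or the response must be signed." is only an indented continuation, so it will render as part of the preceding bullet; giving it its own `*` bullet would match the one-bullet-per-case layout of the `InResponseTo` entry just above. A short remark on when changing the default is appropriate (for example, an IdP that signs only the assertion or only the response) would also help, so that the checks are not switched off without need.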