diff --git a/app/models/authentication_provider/saml.rb b/app/models/authentication_provider/saml.rb
index 5f51dccc817..df6a915bfa2 100644
--- a/app/models/authentication_provider/saml.rb
+++ b/app/models/authentication_provider/saml.rb
@@ -433,6 +433,12 @@ class AuthenticationProvider::SAML < AuthenticationProvider::Delegated
                                          HostUrl.context_hosts(account, current_host),
                                          include_all_encryption_certificates:)
     prior_configs = Set.new
+
+    sp = entity.roles.last
+    unless aps.empty?
+      sp.authn_requests_signed = true if aps.all?(&:sig_alg)
+      sp.authn_requests_signed = false if aps.none?(&:sig_alg)
+    end
     aps.each do |ap|
       federated_attributes = ap.federated_attributes
       next if federated_attributes.empty?
diff --git a/spec/models/authentication_provider/saml_spec.rb b/spec/models/authentication_provider/saml_spec.rb
index ab975bc469b..ece12dd732d 100644
--- a/spec/models/authentication_provider/saml_spec.rb
+++ b/spec/models/authentication_provider/saml_spec.rb
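Review bot: The `aps.all?(&:sig_alg)` / `aps.none?(&:sig_alg)` checks on the new lines test Ruby truthiness, so a provider whose `sig_alg` is persisted as an empty string would count as "signs its requests" and the SP metadata would advertise `AuthnRequestsSigned="true"` for requests that are never signed; the specs only exercise `nil`. If blank values can reach this column, compare on presence instead: `signed = aps.map { |ap| ap.sig_alg.present? }` then `sp.authn_requests_signed = true if signed.all?` / `sp.authn_requests_signed = false if signed.none?`. The mixed case deliberately leaves the attribute unset, which an IdP will presumably read as the metadata default (unsigned) — worth a one-line comment such as `# mixed signing config: leave the attribute unset so the IdP falls back to its default` so the intent is visible. Note that `authn_requests_signed = true` is only a declaration; whether a signature is actually produced depends on `private_keys`, which this hunk does not check. The enclosing `sp_metadata_for_account` method starts and ends outside the hunk.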
@@ -213,5 +213,38 @@ describe AuthenticationProvider::SAML do
       expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.length).to eq 1
       expect(entity.roles.last.attribute_consuming_services.first.requested_attributes.first.name).to eq "name"
     end
+
+    it "signals if requests will be signed" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = "rsa-sha1"
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be true
+    end
+
+    it "signals if requests will not be signed" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = nil
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be false
+    end
+
+    it "does not signals if requests will be signed with mixed providers" do
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = "rsa-sha1"
+      ap.save!
+      ap = @account.authentication_providers.new(auth_type: "saml")
+      ap.sig_alg = nil
+      ap.save!
+      # ignore invalid saml key configuration in specs
+      allow(AuthenticationProvider::SAML).to receive(:private_keys).and_return({})
+      entity = AuthenticationProvider::SAML.sp_metadata_for_account(@account)
+      expect(entity.roles.last.authn_requests_signed?).to be_nil
+    end
   end
 end
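Review bot: The three new examples cover `sig_alg` set and `sig_alg = nil`, but not a blank string, which is the value most likely to slip through a form or import and which the model code under test treats as "signed" because it only checks truthiness; a fourth example with `ap.sig_alg = ""` asserting `authn_requests_signed?` is `false` would pin the intended semantics. The third description is ungrammatical and misstates the expectation — it asserts `nil`, not "will be signed" — so rename it `it "leaves the signing flag unset when providers are mixed" do`. The `rsa-sha1` literal is fine as a fixture but is a deprecated signature algorithm; using a SHA-256 variant in the example would avoid it being copied as a recommended value. The `describe` block that encloses these examples begins outside the hunk.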