diff --git a/src/config.yaml b/src/config.yaml
index f18f67c..1ca2272 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -50,3 +50,15 @@ options:
       Default is on.
       This can be used for testing with something like testshib if
       you are behind a NAT.
+  authn-requests-signed:
+    type: boolean
+    default: true
+    description: |
+      Indicates whether the <samlp:AuthnRequest> messages sent by the
+      service provider (mellon) will be signed.
+  want-assertions-signed:
+    type: boolean
+    default: true
+    description: |
+      Indicates a requirement for the <saml:Assertion> elements received
+      by this service provider to be signed.
diff --git a/src/templates/mellon-sp-metadata.xml b/src/templates/mellon-sp-metadata.xml
index 8d316f2..eb67a76 100644
--- a/src/templates/mellon-sp-metadata.xml
+++ b/src/templates/mellon-sp-metadata.xml
@@ -1,5 +1,11 @@
-<EntityDescriptor entityID="{{ options.sp_auth_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-	<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<EntityDescriptor
+	entityID="{{ options.sp_auth_url }}"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+	<SPSSODescriptor
+		protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
+		AuthnRequestsSigned="{{ options.authn_requests_signed|lower }}"
+		WantAssertionsSigned="{{ options.want_assertions_signed|lower }}">
 		<KeyDescriptor use="signing">
 			{{ options.sp_signing_keyinfo }}
 		</KeyDescriptor>