diff --git a/hiboo/models.py b/hiboo/models.py
index e59f2fa2e98ffec417f6a46119c79fd10dec2181..78658181c4125921ed919fe12f02eaa1cb821730 100644
--- a/hiboo/models.py
+++ b/hiboo/models.py
@@ -1,6 +1,6 @@
 from passlib import context, hash
 from flask import current_app as app
-from sqlalchemy.ext import declarative
+from sqlalchemy.ext import declarative, mutable
 from datetime import datetime
 from flask_babel import lazy_gettext as _
 
@@ -57,6 +57,7 @@ class Base(flask_sqlalchemy.Model):
 db = flask_sqlalchemy.SQLAlchemy(model_class=Base)
 
 
+@mutable.MutableDict.as_mutable
 class JSONEncoded(db.TypeDecorator):
     """ Represents an immutable structure as a json-encoded string.
     """
diff --git a/hiboo/sso/forms.py b/hiboo/sso/forms.py
index 30064ab484603d6243e6751683eca279872691cf..9f76b3b34ea9ae756d28db00391a2533c22498d1 100644
--- a/hiboo/sso/forms.py
+++ b/hiboo/sso/forms.py
@@ -7,6 +7,12 @@ import flask_wtf
 class SAMLForm(flask_wtf.FlaskForm):
     entityid = fields.StringField(_('SP entity id'), [validators.URL(require_tld=False)])
     acs = fields.StringField(_('SP ACS'), [validators.URL(require_tld=False)])
+    sign_mode = fields.SelectField(
+        _('Signature mode'), choices=[
+            ('response', _('Sign the full response')),
+            ('assertion', _('Sign only the assertion'))
+        ]
+    )
     submit = fields.SubmitField(_('Submit'))
 
 
diff --git a/hiboo/sso/saml.py b/hiboo/sso/saml.py
index 95c58b5365862657166985e6eef0044756b31f4d..f3b277002335407e83439de7d01496d824e9a85d 100644
--- a/hiboo/sso/saml.py
+++ b/hiboo/sso/saml.py
@@ -30,7 +30,8 @@ class Config(object):
         """
         service.config.update({
             "acs": form.acs.data,
-            "entityid": form.entityid.data
+            "entityid": form.entityid.data,
+            "sign_mode": form.sign_mode.data
         })
         cls.update_keys(service)
 
@@ -41,7 +42,8 @@ class Config(object):
         form.process(
             obj=service,
             acs=service.config.get("acs"),
-            entityid=service.config.get("entityid")
+            entityid=service.config.get("entityid"),
+            sign_mode=service.config.get("sign_mode")
         )
 
     @classmethod
@@ -176,11 +178,13 @@ def saml_redirect(service_uuid):
             'email': picked.email
         },
         in_response_to=request.message.id,
+        issuer=service_uuid,
         destination=service.config["acs"],
         sp_entity_id=service.config["entityid"],
         userid=picked.username,
         authn={'class_ref': saml2.saml.AUTHN_PASSWORD},
-        sign_assertion=True
+        sign_response=service.config["sign_mode"] == "response",
+        sign_assertion=service.config["sign_mode"] == "assertion"
     )
     return flask.render_template('sso_redirect.html', target=service.config["acs"], data={
         'SAMLResponse': base64.b64encode(response).decode('ascii'),