
mace-opensaml-users - questions about signature generation/verification

Subject: OpenSAML user discussion

  • From: "Jad S. Boutros" <>
  • To:
  • Subject: questions about signature generation/verification
  • Date: Wed, 22 Jan 2003 14:28:09 -0800 (PST)


Generating a signature for a request (the same applies for
response/assertions) seems to be a two-step process.

a) construct the SAMLRequest with a non-null XMLSignature object
b) call the method 'sign' on that same XMLSignature object, after
optionally adding KeyInfo.

A code snippet:

// imports the snippet relies on (Apache XML Security and OpenSAML 1.x);
// doc, baseURI, query, cert and privateKey are assumed to be initialised
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLRequest;
import org.w3c.dom.Document;

// the XML Security library must be initialised once before first use
Init.init();

// create XMLSignature object
XMLSignature sig = new XMLSignature(doc, baseURI,
                                    XMLSignature.ALGO_ID_SIGNATURE_DSA);

// pass it to the SAMLRequest constructor with a pre-defined query
SAMLRequest req = new SAMLRequest(null, sig, query);

// optionally add KeyInfo (here X509Certificate)
sig.addKeyInfo(cert);

// then do the actual signing
sig.sign(privateKey);

Questions:
1. Are there plans to integrate signature generation/verification into the
OpenSAML library directly? Currently it appends the signature node with
the transformations defined but does not invoke the actual signing, which
is done outside.

2. The SAML specs [cs-sstc-core-01] section 5.4.3 says we must use the
enveloped-signature transform
(http://www.w3.org/2000/09/xmldsig#enveloped-signature). The OpenSAML
library seems to be using XPath filters to achieve the same effect (remove
the signature from the request and sign the rest). I just wanted some
confirmation that the two methods are equivalent for a valid SAML
request/response. If not, are there any more transformations we need to
invoke before we sign the request?

thanks,
jad
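The transform question raised above, as an added example that is not part of the original post or of the OpenSAML code: the XML Signature specification defines the enveloped-signature transform as removing only the ds:Signature element that contains the transform, while an XPath filter of the form not(ancestor-or-self::ds:Signature) removes every ds:Signature element in the document. The script below models both node-set transforms on xml.etree, canonicalises the result and digests it. The SAML documents and Id values are constructed, and the XPath expression is an assumption (the post does not quote the one OpenSAML uses). For a request carrying a single signature the two digests coincide; for a response that envelopes an assertion carrying its own signature they do not, because the XPath filter also strips the assertion's signature from the signed content.

```python
"""Enveloped-signature transform vs. an XPath filter that strips ds:Signature.

Models the two node-set transforms on xml.etree and compares the digests a
signer (or verifier) would compute over the canonicalised result.  Sample
documents are constructed; no real signature is produced or checked here.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_SIGNATURE = "{%s}Signature" % DS_NS

for _prefix, _uri in (("ds", DS_NS), ("samlp", SAMLP_NS), ("saml", SAML_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample 1: a Request carrying exactly one (its own) enveloped signature.
SINGLE_SIGNATURE_REQUEST = f"""<samlp:Request xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" RequestID="req-1">
  <ds:Signature Id="request-signature"><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>
  <samlp:AttributeQuery/>
</samlp:Request>"""

# Constructed sample 2: a Response whose own signature envelopes an Assertion
# that was signed separately (a second, independent ds:Signature inside it).
RESPONSE_WITH_SIGNED_ASSERTION = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ResponseID="resp-1">
  <ds:Signature Id="response-signature"><ds:SignedInfo/><ds:SignatureValue>BBB=</ds:SignatureValue></ds:Signature>
  <saml:Assertion AssertionID="assn-1">
    <ds:Signature Id="assertion-signature"><ds:SignedInfo/><ds:SignatureValue>CCC=</ds:SignatureValue></ds:Signature>
    <saml:AuthenticationStatement/>
  </saml:Assertion>
</samlp:Response>"""


def _parent_map(root):
    # xml.etree elements do not know their parent; build the map once per copy.
    return {child: parent for parent in root.iter() for child in parent}


def _canonical(root):
    # C14N serialisation of the transformed node-set: the bytes that get digested.
    return ET.canonicalize(ET.tostring(root, encoding="unicode"))


def enveloped_signature_transform(root, signature_id):
    """http://www.w3.org/2000/09/xmldsig#enveloped-signature: remove only the
    ds:Signature element that contains this Reference (identified here by its
    Id); any other ds:Signature in the document stays in the signed node-set."""
    work = copy.deepcopy(root)
    parents = _parent_map(work)
    for sig in list(work.iter(DS_SIGNATURE)):
        if sig.get("Id") == signature_id:
            parents[sig].remove(sig)
    return _canonical(work)


def xpath_filter_transform(root):
    """XPath filter not(ancestor-or-self::ds:Signature) (assumed expression):
    remove EVERY ds:Signature element with its descendants, not just the one
    enclosing the Reference being computed."""
    work = copy.deepcopy(root)
    parents = _parent_map(work)
    for sig in list(work.iter(DS_SIGNATURE)):
        parents[sig].remove(sig)
    return _canonical(work)


def compare_transforms(xml_text, signature_id):
    """Run the same document through both transforms for the signature with the
    given Id.  Signer and verifier only agree when the two digests are equal."""
    root = ET.fromstring(xml_text)
    enveloped = enveloped_signature_transform(root, signature_id)
    xpath = xpath_filter_transform(root)
    return {
        "enveloped_c14n": enveloped,
        "xpath_c14n": xpath,
        "enveloped_digest": hashlib.sha256(enveloped.encode("utf-8")).hexdigest(),
        "xpath_digest": hashlib.sha256(xpath.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    cases = (
        ("single signature", SINGLE_SIGNATURE_REQUEST, "request-signature"),
        ("signed assertion inside", RESPONSE_WITH_SIGNED_ASSERTION, "response-signature"),
    )
    for name, xml_text, sig_id in cases:
        result = compare_transforms(xml_text, sig_id)
        same = result["enveloped_digest"] == result["xpath_digest"]
        print(f"{name}: transforms {'agree' if same else 'DIFFER'}")
```

The practical consequence for a verifier is that the transform named inside ds:Reference/ds:Transforms is what determines the signed content, so a signer that filters with XPath and a verifier that applies the spec's enveloped-signature transform will only agree on documents that contain no other ds:Signature.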
