OpenSAML user discussion

["Jad S. Boutros" <>]

Generating a signature for a request (the same applies for 
response/assertions) seems to be a two step process.

a) construct the SAMLRequest with a non-null XMLSignature object
b) call the method 'sign' on that same XMLSignature object, after 
optinally adding KeyInfo.

A code snippet:

 // create XMLSignature object
 XMLSignature sig = new XMLSignature(doc, baseURI, 
XMLSignature.ALGO_ID_SIGNATURE_DSA);

 // pass it to the SAMLRequest constructor with a pre-defined query
 SAMLRequest req = new SAMLRequest(null, sig, query);

 // optionally add KeyInfo (here X509Certificate)
 sig.addKeyInfo(cert);

 // then do the actual signing
 sig.sign(privateKey);

Questions:
1. Are there plans to integrate signature generation/verification into the 
OpenSAML library directly? Currently it appends the signature node with 
the transformations defined but does not invoke the actual signing, which 
is done outside.

2. The SAML specs [cs-sstc-core-01] section 5.4.3 says we must use the
enveloped-signature transform
(http://www.w3.org/2000/09/xmldsig#enveloped-signature). The OpenSAML
library seems to be using XPath filters to achieve the same effect (remove
the signature from the request and sign the rest). I just wanted some 
confirmation that the two methods are equivalent for a valid SAML 
request/response. If not, are there any more transformations we need to 
invoke before we sign the request?

thanks,
jad




---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--