
mace-opensaml-users - Re: Should I be able to sign response and assertion with same key?

Subject: OpenSAML user discussion


Re: Should I be able to sign response and assertion with same key?


  • From: Brent Putman <>
  • To:
  • Subject: Re: Should I be able to sign response and assertion with same key?
  • Date: Tue, 15 May 2007 18:12:59 -0400

You can certainly sign them with the same *key*, but you can't reuse the
same Signature object. You need to create a new Signature object for
each SignableXMLObject that will be signed, and set all the parameters
on each Signature appropriately. The library error you're seeing occurs
because an XMLObject can not be the child of two different parents.

This library issue aside, you probably wouldn't want to do this anyway.
It is likely that the Reference element(s) in the two signatures (as
signified by the ContentReference object(s) that you add to the
Signature object) would need to be different, since they likely point to
different things that are being signed. As far as I know, this would
definitely be the case in any SAML signing one might want to do.

--Brent


Mike Klein wrote:
> I know at a minimum it is assertions most important to sign but I
> thought I should sign enclosing response as well...but I get error when
> doing this.
>
> Signature sig = SAMLUtil.getSignature(response);
> assertion.setSignature(sig);
> String signedEncodedResponse = SAMLUtil.marshall(response, sig,
> true);
>
> As soon as I set signature on assertion I get following:
>
> java.lang.IllegalArgumentException:
> org.opensaml.xml.signature.impl.SignatureImpl cannot be added - it is
> already the child of another SAML Object
> at
> org.opensaml.xml.AbstractXMLObject.prepareForAssignment(AbstractXMLObject.java:370)
>
> How should I be going about this? Is perhaps signing just broken in this
> sense?
>
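One way to do what Brent describes (a fresh Signature object per signed object, one shared key, and the inner signature computed before the outer one), written as an added example against the OpenSAML 2 API rather than taken from the thread. The `Credential`, the pre-set `ID` attributes, the RSA-SHA256 algorithm choice, and the assumption that `setSignature()` registers a `SAMLObjectContentReference` for the object's own ID are all assumptions of this example:

```java
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.validation.ValidationException;

public final class DoubleSigner {
    /** One fresh Signature per signed object; the same Credential backs both. */
    static Signature newSignature(Credential signingCredential) {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Signature sig = (Signature) bf.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(signingCredential);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return sig;
    }

    /**
     * Signs the assertion, then the enclosing response, with the same key.
     * Assumes DefaultBootstrap.bootstrap() has run and both objects already have
     * their ID attribute set: each setSignature() call is assumed to register a
     * ContentReference to that ID, so the two signatures reference different things.
     */
    public static void signBoth(Response response, Assertion assertion, Credential cred)
            throws MarshallingException, SignatureException {
        Signature assertionSig = newSignature(cred); // never reuse one Signature object
        Signature responseSig = newSignature(cred);
        assertion.setSignature(assertionSig);
        response.setSignature(responseSig);
        // Marshall once from the root so both ds:Signature placeholders are in the DOM,
        Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        // then sign inner before outer: the response digest must cover the finished
        // assertion signature, otherwise the outer signature is invalid as soon as made.
        Signer.signObject(assertionSig);
        Signer.signObject(responseSig);
    }

    /** Receiver side: SAML profile rules first, then the cryptographic check. */
    public static void verify(Signature sig, Credential trusted) throws ValidationException {
        new SAMLSignatureProfileValidator().validate(sig);
        new SignatureValidator(trusted).validate(sig);
    }
}
```

Call `verify()` on each of `response.getSignature()` and `assertion.getSignature()` separately on the receiving side; a valid outer signature says nothing about the inner one once the assertion is extracted from the response.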


