
mace-opensaml-users - Re: AbstractSignableXMLObject

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: AbstractSignableXMLObject
  • Date: Fri, 15 Feb 2008 18:53:27 -0500



Scott Cantor wrote:
Thanks.  In my specific example (ID-WSF 2.0), the resultant
ds:Signature is added as a child of the wsse:Security SOAP Header.  I
am signing the SOAP Body and several Headers, including some elements
of the wsse:Security header.  At present, I am doing the signing with
my own signing class, I'd like to transition to using the OpenSAML
signing features.  Is the case I described above easily possible?
    

I don't think that it would be all that appropriate to treat a Security
header as a plain signature parent. Typically the Signature in there
references more than just the parent element, and is application-specific.
Plus which the spec allows multiple signatures in there.
  



Yes, agreed, I don't think your wsse:Security header or whatever would extend from AbstractSignableXMLObject.  It may or may not be signed itself, depending on the profile, and there could be multiple ones, which that class does not allow.   That class was really centric to the SAML single enveloped signature case.

I don't see a problem with treating the Signature(s) as just plain children of the header.




