OpenSAML user discussion

[Xavier Drudis Ferran <>]

On Thu, Jun 19, 2008 at 12:18:51PM -0400, 

 wrote:
> I tried to implement this
> if the user clicks a link that is going to another site, i want to send 
> SAML assertion with my company name in it. and i am trying to digitally 
> sign our domain information so that only the recipent will know that the 
> request is coming from us.
> 

Well, at least it doesn't take SAML expertise to answer this. 

When you digitally sign something you enable everybody to make sure 
it is you who signed exatcly that something. But if you need to 
ensure that only the recipient knows the information, you have
to encrypt it, whether you additionally sign it or not. 

The case for signing it would be to ensure that any client going 
to the recipient sign and pretending you sent her there can be uncovered
if it doesn't come from your site. 

> am i going in the right direction? i got the above example XML from 
> securing web services with WS-security jothy rosenberg book listing 6.8.
> please giove me some direction on this
> 

Where's the XML ? 

-- 
Xavi Drudis Ferran