mace-opensaml-users - Re: [OpenSAML] Signing and Encrypting SOAP Messages
Subject: OpenSAML user discussion
- From: Frank Mundt <>
- Subject: Re: [OpenSAML] Signing and Encrypting SOAP Messages
- Date: Fri, 25 Mar 2011 18:00:46 +0000
I guess I need to re-read the WS-Security specification then. I've been given the requirement to use WS-Security and SAML 2.0, signing and encrypting the SAML Assertion separately from the SOAP-Body. I have the WS-Security portion completed and I'm starting to look into the signing and encryption of the SOAP-Body. I'm open to any suggestions, best practices, etc.
On Fri, Mar 25, 2011 at 5:30 PM, Brent Putman <> wrote:
On 3/25/11 9:08 AM, Frank Mundt wrote:
> I need to sign and encrypt the SOAP Body along with the SAML Assertion
> (I have this working). I have looked through the OpenSAML, OpenWS and
> XMLTooling projects and I don't see that this capability exists. I'm
> looking at the http://www.w3.org/TR/SOAP-dsig/ spec as a guideline.
> Does anyone know if the w3 spec has been implemented within OpenSAML
> or another compatible library? Or should I consider implementing it?

In addition to what Chad said, I'd point out that, at least as far as I
know, this "spec" (which really isn't a spec, as Chad noted) has
probably been superseded by the WS-Security spec. This one appears to
have been published in Feb 2001. WS-S 1.0 came out in March 2004 and
the latest 1.1 was ratified in Feb 2006. AFAIK, WS-Security is the
de facto standard for signing and encrypting SOAP messages. I'd also
note (since you mention encryption) that this document predates the XML
Encryption spec and therefore doesn't support encryption
(confidentiality) of the SOAP message, which is supported by WS-S.
Unless you are working with some (ancient?) piece of software which
requires use of this "spec" for interop, you might want to consider
looking at using WS-Security instead.
OpenSAML does have full support for the schema defined in WS-S 1.1.
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss