
mace-opensaml-users - Re: [OpenSAML] Signing and Encrypting SOAP Messages

Subject: OpenSAML user discussion

  • From: Frank Mundt <>
  • To:
  • Subject: Re: [OpenSAML] Signing and Encrypting SOAP Messages
  • Date: Fri, 25 Mar 2011 18:00:46 +0000

I guess I need to re-read the WS-Security specification then.  I've been given the requirement to use WS-Security and SAML 2.0, signing and encrypting the SAML Assertion separately from the SOAP-Body. I have the WS-Security portion completed and I'm starting to look into the signing and encryption of the SOAP-Body. I'm open to any suggestions, best practices, etc. 



On Fri, Mar 25, 2011 at 5:30 PM, Brent Putman <> wrote:


On 3/25/11 9:08 AM, Frank Mundt wrote:
> I need to sign and encrypt the SOAP Body along with the SAML Assertion
> (I have this working). I have looked through the OpenSAML, OpenWS and
> XMLTooling projects and I don't see that this capability exists. I'm
> looking at the http://www.w3.org/TR/SOAP-dsig/ spec as a guideline.
> Does anyone know if the w3 spec has been implemented within OpenSAML
> or another compatible library? Or should I consider implementing it?


In addition to what Chad said, I'd point out that, at least as far as I
know, this "spec" (which really isn't a spec, as Chad noted) has
probably been superseded by the WS-Security spec.  This one appears to
have been published in Feb 2001.  WS-S 1.0 came out in March 2004 and
the latest 1.1 was ratified in Feb 2006.   AFAIK, WS-Security is the
de facto standard for signing and encrypting SOAP messages.  I'd also
note (since you mention encryption) that this document predates the XML
Encryption spec and therefore doesn't support encryption
(confidentiality) of the SOAP message, which is supported by WS-S.
Unless you are working with some (ancient?) piece of software which
requires use of this "spec" for interop, you might want to consider
looking at using WS-Security instead.

OpenSAML does have full support for the schema defined in WS-S 1.1.


http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss





