ePrivacy and GPDR Cookie Consent by Cookie Consent

Signing with OpenSAML

When exchanging information with SAML it is highly recommended to sign and verify signatures on all messages. This to ensure the the sender really is how he says he is and that the information sent has not been manipulated during transport.

Every SAML object that implements the SignableXMLObject interface can be signed.

The signing of a SAML message is done in three steps. First, all the properties for the signature is put in a Signature object. Properties that can be set include singing credentials, algorithm and optionally a KeyInfo object. The KeyInfo object identifies what key should be used to verify the signature.

1signature.setSigningCredential(credential);
2signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
3signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

The Signature object is then added to the SAML object using the setSignature method. entityDescriptor.setSignature(signature); The second step is to marchal the object. This must be done before signing or else you will get a message like this.

1SEVERE: Unable to compute signature, Signature XMLObject does not have the XMLSignature created during marshalling.

1Element element = Configuration
2        .getMarshallerFactory()
3        .getMarshaller(entityDescriptor)
4        .marshall(entityDescriptor);
The third step is to perform the actual signing to produce a cryptographic signature, this is done with the Signer class.

1Signer.signObject(signature);

Here is how the signed object might look after signing and marshalling.

 1<md:entitiesdescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 2   <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 3      <ds:signedinfo>
 4         <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
 5            <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
 6               <ds:reference uri="">
 7                  <ds:transforms>
 8                     <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
 9                        <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
10                        </ds:transform>
11                     </ds:transform>
12                  </ds:transforms>
13                  <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
14                     <ds:digestvalue>a3HbFE7e2n/x2yqDTKyXrQNaDHs=</ds:digestvalue>
15                  </ds:digestmethod>
16               </ds:reference>
17            </ds:signaturemethod>
18         </ds:canonicalizationmethod>
19      </ds:signedinfo>
20 <ds:signaturevalue>b8cPqphGwZIvBy1DuEWoS/lhreiMp7WtcukC2TkXl2nRwuJ5i1TN+ifefxvsjs9ocQ4XAL6EVrXXaJvyRMkepuDYAFqYYGle4iPkl5XZpCDeMjTEt/T45f3etOdn5EGmNgA5MwUQxFTnERYkdNiN//r8BYuNfEKFNd+BqyVRjRWBbgywWRfSBBz8u1m4aysyeYcz9M72pI9YhC4QqRtXG7cght78Lt3JLUMDHKZMg9itvs1rPwItLFCzaJr57Q/V+nQ8uIb0bCUUrXZw9hGl5b3SYIuJLdHI0IDPt8YGpNa/yzVqnKOk5FvhASmMQur3/CbdCvRKr8yTpalW3zDgfw==</ds:signaturevalue>
21</ds:signature>
22</md:entitiesdescriptor>