Monday, November 12, 2012

Signing with OpenSAML

When exchanging information with SAML it is highly recommended to sign all messages and to verify the signatures on the messages you receive. This ensures that the sender really is who they claim to be and that the information has not been manipulated in transit.

Every SAML object that implements the SignableXMLObject interface can be signed.

Signing a SAML message is done in three steps. First, all the properties for the signature are put in a Signature object. Properties that can be set include the signing credential, the signature and canonicalization algorithms, and optionally a KeyInfo object that can be used during verification.
// Build an empty Signature object first; the builder factory is populated by DefaultBootstrap.bootstrap()
Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(credential); // Credential holding the private key (and optionally the certificate)
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); // SHA-1 is deprecated for signatures today; prefer ALGO_ID_SIGNATURE_RSA_SHA256
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); // exclusive C14N without comments
The Signature object is then added to the SAML object using the setSignature method:
entityDescriptor.setSignature(signature);
The second step is to marshal the object. This must be done before signing, or else you will get an error like this:

SEVERE: Unable to compute signature, Signature XMLObject does not have the XMLSignature created during marshalling.


// Marshalling builds the DOM, including the underlying XMLSignature that the Signer operates on
Element element = Configuration.getMarshallerFactory().getMarshaller(entityDescriptor).marshall(entityDescriptor);
The third step is to perform the actual signing, which produces the cryptographic signature. This is done with the Signer class:
Signer.signObject(signature); // computes DigestValue and SignatureValue and writes them into the marshalled DOM
After signing and marshalling, the marshalled element carries an enveloped ds:Signature child that holds, among other things, the DigestValue of the signed content and the SignatureValue itself.
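As an added, complete example (not code from the original post), the three steps above are wrapped in a sign() method and paired with the check a relying party must run on what it receives: it unmarshals the signed DOM, enforces the SAML signature profile, validates the signature against the trusted key, and then shows that a single attribute change makes validation fail. It assumes OpenSAML 2.x on the classpath, uses a throwaway RSA key generated at run time, RSA-SHA256 instead of the post's RSA-SHA1, and runs the receiver step on the in-memory DOM rather than on bytes parsed from the wire; the class name and the entityID value are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.credential.*;
import org.opensaml.xml.signature.*;
import org.w3c.dom.Element;

public class SignAndVerifyExample {
    static XMLObject build(javax.xml.namespace.QName n) { return Configuration.getBuilderFactory().getBuilder(n).buildObject(n); }
    // Steps 1-3 from the post: configure the Signature, attach it, marshal, then sign. Returns the signed DOM.
    static Element sign(SignableXMLObject obj, Credential cred) throws Exception {
        Signature sig = (Signature) build(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); // SHA-256 rather than the post's SHA-1
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        obj.setSignature(sig);
        Element dom = Configuration.getMarshallerFactory().getMarshaller(obj).marshall(obj); // must happen before signing
        Signer.signObject(sig);
        return dom;
    }

    // Receiver side: reject anything unsigned, outside the SAML signature profile, or not signed by the trusted key.
    static boolean verify(Element received, Credential trusted) throws Exception {
        XMLObject xml = Configuration.getUnmarshallerFactory().getUnmarshaller(received).unmarshall(received);
        if (!(xml instanceof SignableXMLObject) || !((SignableXMLObject) xml).isSigned()) return false;
        Signature sig = ((SignableXMLObject) xml).getSignature();
        try {
            new SAMLSignatureProfileValidator().validate(sig); // enveloped, single Reference, permitted transforms only
            new SignatureValidator(trusted).validate(sig);     // digest and SignatureValue checked against the trusted key
            return true;
        } catch (org.opensaml.xml.validation.ValidationException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        org.opensaml.DefaultBootstrap.bootstrap(); // registers builders, marshallers and unmarshallers; once per JVM
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key generated at run time for the demo
        BasicCredential cred = new BasicCredential();
        cred.setPrivateKey(kp.getPrivate()); cred.setPublicKey(kp.getPublic());
        EntityDescriptor ed = (EntityDescriptor) build(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        ed.setEntityID("https://idp.example.org/metadata"); // constructed sample value
        Element signed = sign(ed, cred);
        System.out.println("untouched document verifies: " + verify(signed, cred));
        signed.setAttribute("entityID", "https://other.example.org"); // simulate modification in transit
        System.out.println("modified document verifies: " + verify(signed, cred));
    }
}
```

The second verify() call fails because the digest over the canonicalized EntityDescriptor no longer matches the DigestValue in SignedInfo, which is exactly the integrity guarantee the post describes.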