The test case org.picketlink.test.identity.federation.web.saml.handlers.SAML2SignatureHandlerUnitTestCase is used to test the handler responsible for signing SAML requests and responses. This handler uses the SAML2Signature to do that.
When running this test the signature is properly generated.
I think you should try that:
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.w3c.dom.Node;

SAML2Signature samlSignature = new SAML2Signature();
Node nextSibling = samlSignature.getNextSiblingOfIssuer(samlDocument); // samlDocument is the org.w3c.dom.Document being signed
samlSignature.setNextSibling(nextSibling); // ADD THIS TO YOUR CODE. It will make the signature go after the Issuer.
Your suggestion means the code calling signSAMLDocument is unnecessarily complicated. I would suggest that the method could be improved to figure out where the signature should be placed to avoid returning an invalid Document.
The test only works because it's been written to meet the unclear behaviour of the method.
The SAML2Signature provides other methods for signing without the need to set the sibling node. I think that you are looking for something like the SAML2Signature.sign(RequestAbstractType request, KeyPair keypair).
But with a DOM Document instance as an argument. Am I right?
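As an added example that is not part of this thread and not PicketLink's code, the following uses only the JDK's javax.xml.crypto.dsig API to do what the second commenter asks of signSAMLDocument: the signer itself locates saml:Issuer and inserts the enveloped ds:Signature directly after it, so the caller never computes the sibling. The class and method names and the sample Response are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignAfterIssuerExample {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample input (not from the thread): a minimal unsigned SAML 2.0 Response.
    static final String RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + SAML + "\""
        + " ID=\"_r1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\">"
        + "<saml:Issuer>https://idp.example</saml:Issuer>"
        + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
        + "</samlp:Response>";

    /** Node the Signature must be inserted before: whatever follows saml:Issuer (null means append). */
    static Node nextSiblingOfIssuer(Element root) {
        NodeList issuers = root.getElementsByTagNameNS(SAML, "Issuer");
        if (issuers.getLength() == 0) throw new IllegalStateException("no saml:Issuer to anchor the Signature");
        return issuers.item(0).getNextSibling();
    }
    /** Enveloped signature over the root element, positioned right after Issuer by the signer itself. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // lets the "#ID" reference resolve without a custom URI dereferencer
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + root.getAttribute("ID"), f.newDigestMethod(DigestMethod.SHA256, null),
            List.of(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), root);
        ctx.setNextSibling(nextSiblingOfIssuer(root)); // the placement step the thread is about, decided here
        f.newXMLSignature(si, null).sign(ctx);        // KeyInfo omitted; add one if relying parties need it
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(RESPONSE.getBytes(StandardCharsets.UTF_8)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); // throwaway test key
        sign(doc, kpg.generateKeyPair());
        Node after = doc.getDocumentElement().getElementsByTagNameNS(SAML, "Issuer").item(0).getNextSibling();
        System.out.println("ds:Signature directly after Issuer: "
            + ("Signature".equals(after.getLocalName()) && XMLSignature.XMLNS.equals(after.getNamespaceURI())));
    }
}
```

The final check in main is what a unit test for such a method should assert: the element following saml:Issuer is ds:Signature, regardless of what the caller passed in.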