0 Replies Latest reply on Dec 12, 2012 3:41 PM by Alex Jacinto

    SAML Signature

    Alex Jacinto Newbie

      In the latest version, there's some changes in the IDPWebBrowserSSOValve such as using SAML2SignatureGenerationHandler instead of the property signOutgoingMessages.  Is there a corresponding signature handler for 1.1?  When I used the previous version (2.0.x) what I did is subclass the IDP and create/use my own Signature class.


      The implementation below is what I use for release 2.1.6.  I can probably use this and create my own SAML 1.1 SignatureGenerationHandler but want to check if there's another way of doing this or if I'm doing it right.


      Thanks in advance.  I don't have an option on going to SAML 2.0, we are acting an IdP to systems with version 1.1 only.



      import java.security.KeyPair;
      import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
      import org.picketlink.identity.federation.core.exceptions.ProcessingException;
      import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLConstants;
      import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
      import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
      import org.w3c.dom.Document;
      import org.w3c.dom.Element;
      import org.w3c.dom.Node;
      import org.w3c.dom.NodeList;
       * SAML v1.1 class to sign SAMLResponse
      public final class SAML11Signature extends SAML2Signature {
                private final static String RESPONSEID_ATTRIBUTE_NAME = "ResponseID";
          private static final String ASSERTIONID_ATTRIBUTE_NAME = "AssertionID";
                 * Sign a SAML Document
                 * @param samlDocument
                 * @param keypair
                 * @throws ProcessingException
                public void signSAMLDocument(Document samlDocument, KeyPair keypair) throws ProcessingException {
                          // Get the ID from the root
                          String id = samlDocument.getDocumentElement().getAttribute(RESPONSEID_ATTRIBUTE_NAME);
                           * Explicitly state the Id attribute as some JSR105 implementation does not recognize "ResponseID"
                          ((Element) samlDocument.getFirstChild()).setIdAttribute(RESPONSEID_ATTRIBUTE_NAME, true);
                          try {
                        NodeList nodes = samlDocument.getElementsByTagNameNS(JBossSAMLURIConstants.SAML_11_NS.get(),
                        for (int i = 0; i < nodes.getLength(); i++) {
                            Node n = nodes.item(i);
                            if (n instanceof Element) {
                                ((Element) n).setIdAttribute(ASSERTIONID_ATTRIBUTE_NAME, true);
                        String referenceURI = "#" + id;
                        XMLSignatureUtil.sign(samlDocument, keypair, getDigestMethod(), getSignatureMethod(), referenceURI);
                          } catch (Exception e) {
                                    throw new ProcessingException(e);