如何使用开放式SAML签名SAML响应？

Question

I have to implement a similar logic to this in Java.

I have an XML which is not signed and the message before sending to Service provider. I have both private and public key and unsigned XML.

Can some one help me providing a code snippet exactly which method to called in order to sign the message using public and private key.

Answer 1

You can also use onelogin saml-java utils from Onelogin Saml Java - that one seems to be much easier to use (they have method to load public, private key, document from string, etc. Then you can use it to sign either the whole SAML response or to sign assertion and then the response:

Document document = Util.loadXML(saml); //loads string to document

//load private key and certificate
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);

//sign the response
String signedResponse = Util.addSign(document, privateKey, cert, null);

to use this library, just add

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>

dependency to your project's pom.xml

Answer 2

You create a Signature object and set the signing properties on it

signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

Then you set the signature object on the Response

.setSignature(signature)

Next you marshall the response object

XMLObjectProviderRegistrySupport
   .getMarshallerFactory()
   .getMarshaller(response)
   .marshall(response);

Lastly you use the Signer class to perform the signing

Signer.signObject(signature);

I have more information in this post on my blog

Answer 3

对于opensaml3，请使用：

import org.opensaml.xmlsec.signature.support.Signer;