[OpenSAML] Signing and Encrypting SOAP Messages


Frank Mundt

Mar 25, 2011, 9:08:15 AM
to mace-open...@internet2.edu
I need to sign and encrypt the SOAP Body along with the SAML Assertion (I have this working). I have looked through the OpenSAML, OpenWS and XMLTooling projects and I don't see that this capability exists. I'm looking at the http://www.w3.org/TR/SOAP-dsig/ spec as a guideline. Does anyone know if the w3 spec has been implemented within OpenSAML or another compatible library? Or should I consider implementing it?

Thanks
Frank

Chad La Joie

Mar 25, 2011, 9:28:25 AM
to mace-open...@internet2.edu
xmltooling has generic signature support. You can look at its unit
tests for examples of doing enveloped, enveloping, and detached
signatures. There is no specific support for the document (which is
not a spec) that you reference but I don't see anything in that document
that would be incompatible with the OpenSAML libraries.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Brent Putman

Mar 25, 2011, 1:30:38 PM
to mace-open...@internet2.edu

On 3/25/11 9:08 AM, Frank Mundt wrote:


In addition to what Chad said, I'd point out that, at least as far as I
know, this "spec" (which really isn't a spec, as Chad noted) has
probably been superseded by the WS-Security spec. This one appears to
have been published in Feb 2001. WS-S 1.0 came out in March 2004 and
the latest 1.1 was ratified in Feb 2006. AFAIK, WS-Security is the
de facto standard for signing and encrypting SOAP messages. I'd also
note (since you mention encryption) that this document predates the XML
Encryption spec and therefore doesn't support encryption
(confidentiality) of the SOAP message, which is supported by WS-S.
Unless you are working with some (ancient?) piece of software which
requires use of this "spec" for interop, you might want to consider
looking at using WS-Security instead.

OpenSAML does have full support for the schema defined in WS-S 1.1.


http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss


Frank Mundt

Mar 25, 2011, 2:00:46 PM
to mace-open...@internet2.edu
I guess I need to re-read the WS-Security specification then. I've been given the requirement to use WS-Security and SAML 2.0, signing and encrypting the SAML Assertion separately from the SOAP-Body. I have the WS-Security portion completed and I'm starting to look into the signing and encryption of the SOAP-Body. I'm open to any suggestions, best practices, etc.
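
Added example, not part of the original thread and not OpenSAML or xmltooling code: it uses the JDK's own `javax.xml.crypto.dsig` API to put a ds:Signature inside wsse:Security that references the SOAP Body by wsu:Id, which is the WS-Security layout the replies above point to. The sample message, the `body-1` Id, the `urn:example:ping` payload and the throwaway RSA key are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignSoapBody {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-";
    static final String WSSE = OASIS + "secext-1.0.xsd", WSU = OASIS + "utility-1.0.xsd";
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");
    // Validate the first ds:Signature in the document against the given public key.
    static boolean verify(Document doc, PublicKey key) throws Exception {
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(key, sig);
        return F.unmarshalXMLSignature(vc).validate(vc);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample message with an empty wsse:Security header.
        String xml = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "'>"
            + "<s:Header><wsse:Security/></s:Header>"
            + "<s:Body wsu:Id='body-1'><m:Ping xmlns:m='urn:example:ping'>hello</m:Ping></s:Body></s:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true); // lets the "#body-1" reference resolve
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway demo key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // One Reference to the Body by wsu:Id, exclusive C14N transform, SHA-256 digest.
        Reference ref = F.newReference("#body-1", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        // The ds:Signature is appended inside wsse:Security, not inside the Body it covers.
        F.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), security));
        System.out.println("valid after signing: " + verify(doc, kp.getPublic()));
        body.getFirstChild().setTextContent("tampered"); // change the signed content
        System.out.println("valid after change:  " + verify(doc, kp.getPublic()));
    }
}
```

A receiver should also confirm that the validated Reference resolves to the soap:Body element it actually processes, because `validate()` only establishes that whatever element was referenced is intact.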