Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Niels Heinis (NielsHeinis)
Ordina
Pega CLSA
Ordina
NL
NielsHeinis Member since 2015 3 posts
Ordina
Posted: Apr 7, 2021
Last activity: Apr 7, 2021
Posted: 7 Apr 2021 11:38 EDT
Last activity: 7 Apr 2021 11:49 EDT
Closed

How to sign SAML 2.0 SP metadata?

Our SAML 2.0 IDP is updating their requirements which forces us to supply SP metadata that goes beyond the metadata we can configure in the authentication service form. For most of the additional attributes and element values we can quite simply extend the mapping in the pyMapSPSAMLMetadata data transform.

Now, the part I'm struggling with is that the metadata has to be signed. There must be a Signature element with signing based on this protocol: https://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd#enveloped-signature

So, we need a block like this:

Show More

Our SAML 2.0 IDP is updating their requirements which forces us to supply SP metadata that goes beyond the metadata we can configure in the authentication service form. For most of the additional attributes and element values we can quite simply extend the mapping in the pyMapSPSAMLMetadata data transform.

Now, the part I'm struggling with is that the metadata has to be signed. There must be a Signature element with signing based on this protocol: https://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd#enveloped-signature

So, we need a block like this:

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#_d611bce3fb2b4ee587bd508acfb89f2f1154815b">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha256" />
                <dsig:DigestValue>...</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>...</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>...</dsig:X509Certificate>
            </dsig:X509Data>
        </dsig:KeyInfo>
</dsig:Signature>

How could we sign the metadata and achieve the above? Has anyone done this before or does anyone have any useful resources to accomplish this?

Show Less
To see attachments, please log in.
Pega Platform 8.4.4
Security
Lead System Architect

  • Gerardo Di Santo

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice