philduba.com

It is important to note that XML Digital Signature is different from the XML Encryption specification. The XML Signature is in plain text as part of an overall XML document. There are three ways that a signature can be constructed:

• Enveloping - The signature contains the information it signed
• Enveloped - The signature is contained within the document it is signing
• Detached - The signature is outside of the document it is signing and contained within a different document

I believe, and I could be wrong on this, but the requirements of SAML indicate the need to utilize an enveloped digital signature within a SAML artifact. Well, this is all well and good, but what exactly comprises an XML Digital Signature and what's it mean for a SAML assertion? Well, I could go into a lot of detail here, but instead, I will redirect you to some of the resources I used in my latest SAML project:

• W3C Xml Digital Signature specification
• Sitepoint article on Getting Started with XML Security
• Xml.com article Introduction to XML Digital Signatures

As you will see, the XML Digital Signature is comprised of essentially the following:

The Signature element can be comprised of 3 main areas: SignedInfo, SignatureValue, KeyInfo. At a minimum, the Singature node must contain the SignedInfo and SignatureValue nodes. It is possible to generate and send a signature without the KeyInfo node if both the generating and validating parties have exchanged certificates or keys already. The text value in the SignatureValue node is the encrypted form of the SignedInfo area of the Signature node. The Reference node can be a self-contained or external reference to some piece of data. This data does not have to be XML, HTML or any type of text as it can, through a URI reference, be an image or a file as well. This markup will have gone through transformation or processing directives identified in the Transforms node (there can be more than one Transform child node) and is encrypted using the Algorithm attribute of the DigestMethod to produce the text in the DigestValue node. Two nodes I haven't talked about are the SignatureMethod and CanonicalizationMethod nodes. The SignatureMethod describes how the Signature itself was created, ensuring that the document can be validated and that no substitution or alterations to the signature has occurred. The CanonicalizationMethod node identifies the method of XML canonicalization that has been used on the signature itself to ensure that the XML is processed correctly by varying XML parsers. Most likely one would also find canonicalization as a transformation of a reference as well. Finally, the KeyInfo node can contain various items all related to the key needed for decryption from the KeyName to an X509 Serial Number and even the entire X509 certificate itself. In most of the real-world examples I have seen, the KeyInfo is either omitted entirely or contains a simple KeyName or X509/X509SerialNumber node for certificate references. Below is a good example of an Assertion and Digital Signature together.

In the next part of this series, I will go into how we can create a SAML Assertion and sign it using ColdFusion and Java, what libraries to use, where to put them, and what steps are needed to ensure compilation and execution are done correctly.