• Home
  • XACML
    • XACML Policy Editors
    • XACML Samples
    • XACML Performance
    • XACML Discussions
    • Balana
  • SAML2
  • OAuth2
  • OpenID-Connect
  • SCIM
  • WS-Security
  • User Management
  • KeyStore Management
  • Patterns
  • WSO2
    • WSO2IS
    • WSO2APIM
    • WSO2ESB
    • WSO2 Extension
    • Load Balance
    • Clustering
    • Multitenancy
  • Shibboleth
  • Contact Us

How to Generate Signature for SAML Metadata

In my previous blog post,  Lets talk about generating  SAML2 metadata manually.  But there would be cases that you want to sign the manually created metadata. You can do it using some handy tool called XmlSec Tool. You can download latest version of it from here.    Let go through step by step to sign the SAML2 metadata content that can be found here.  Please note, you want to install Java before trying out this tool.

Step1. Download XmlSec tool and Extract in to your file system.

Step2.  Go through xmlsectool.sh and xmlsectool.bat file  and if there are any issues. Please fix them.  Currently there is no .bat file by default and xmlsectool.sh file is not working properly. You can download fixed versions of script files from here

Step3. Copy SAML2 Metatdata content to some file.  Let name it as  saml2metadata.xml

Step4. Run following command ,  Here you want to specify the input file path (which is saml2metadata.xml ), output file path and keystore file details  (path to keystore file, keystore password,  private key alias and private key password) that is used to sign

sh xmlsectool.sh --sign --inFile saml2metadata.xml --outFile signedsaml2metadata.xml --keystore wso2carbon.jks --keystorePassword wso2carbon  --key wso2carbon  --keyPassword wso2carbon

Step5. You can find the signed metadata content from out put file which is signedsaml2metadata.xml

Please find the attached Siged content.

<EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z"><ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>XZYDbLxToXvr8wkAb2+Zg/B6JEg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Yp2RTuqq+/ypqQ18sEGoI3a2WIVDwl+JgQP3C9BdGLDAmreZHbCCq1+UgMoP9GWuUd9vkZNH3Xvu
ZO9IBkf5DInpxIZrsOfu7wnkNW8/VyowBw093ee4hifbpPDAzhwQjlklkG7LVzBBhr8i0sb4oo3d
3kpj4oukxk4N0okJ+rc=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
lKf6Fdb1nPP05EEogL06LrDMzjOGrAdopba9kCqM54uWlRbvNfDKTi2SK/CzJ081pZSb72gOUQAH
aWxAm/uPBY2wXtIbHlHTeR6cL5x/w1vGXHBr5OdyOjq6u4Swr9WR7bjgqJIIc/wE64cj6vkJLTH1
50UuB6yhiU88WgnFOzk=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <KeyDescriptor use="signing">
 <ds:KeyInfo>
 <ds:X509Data>
 <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
 CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
 Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
 CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
 AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
 sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
 HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
 AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
 QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
 O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
 </ds:X509Certificate>
 </ds:X509Data>
 </ds:KeyInfo>
 </KeyDescriptor>
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
 </IDPSSODescriptor>
</EntityDescriptor>

 

 

Share this:

  • Facebook
  • LinkedIn
  • Twitter
  • Tumblr
  • Pinterest

Related posts:

  1. How to Generate SAML Metadata for SAML2 SSO IDP
  2. IDP Initiated SAML2 SSO with WSO2 Identity Server
  3. SAML2 Signature validation tool for SAML2 Response and Assertion
  4. SAML2 Bearer Assertion Profile for OAuth 2.0
Discuss this article on Stack Overflow
Tags: Metadata, SAML2, Signature
◀ Access Control for Data Access Layer with XACML
How to Cluster WSO2 Identity Server for HA and Fail-Over ▶

Related Posts (YARPP)

  1. SSL profiles in WSO2 ESB
  2. How Install PostgreSQL database in Ubuntu
  3. How to Deploy Axis2 services in WSO2 BPS
  4. Configure WSO2 Identity Server as SAML2 SSO IDP

Recent Posts

  • Exchanging An OAuth2 Access token for An OpenAM Cookie (Cookie base OAuth2 grant)
  • How to renew self signed certificate keeping old private key
  • JIT provisioning & user association with WSO2IS
  • Mutual SSL (X.509 Certificate) grant type for OAuth2
  • Service provider grouping with WSO2 Identity Server
  • Custom authenticator for WSO2 Identity Server (WSO2IS) SSO login
  • How to configure session time out in WSO2 Identity Server (WSO2IS)
  • Deployment pattern of WSO2 Identity Server in production
  • Resolving ERR_SSL_WEAK_EPHEMERAL_DH_KEY error in WSO2 Products (Server has a weak ephemeral Dillie-Heffman public key).
  • Custom notification module for account management in WSO2 Identity Server (WSO2IS)
  • Configure Multiple Federated Identity Providers with WSO2 Identity Server (WSO2IS).
  • Configure KeyStore (JKS) files in WSO2 products in Production
  • Secure WSO2 ESB proxy service with HTTP Basic Authentication.
  • How to enable Hash Passwords in OpenLDAP
  • How to Install OpenLDAP server
  • User Password Hashing with WSO2 Identity Server (WSO2IS)
  • Securing APIs using Mutual SSL with WSO2 API Manager.
  • Federated authenticators in WSO2 API Manager - WSO2APIM
  • [Federated Authentication] Integration OpenAM with WSO2IS using Openid-Connect
  • Openid-connect support with OpenAM
  • Granting different access tokens for each APIs in WSO2 APIM using OAuth2 Scopes
  • Federated Authentication for granting OAuth2 Access token with WSO2 API Manager (APIM)
  • SAML2 Signature validation tool for SAML2 Response and Assertion
  • Validate and Process JWT tokens with Java
  • Customizing SAML2 Response and SAML2 Assertion in WSO2

Like SOA Security

Like SOA Security

Tags

Admin Services Balana Cluster Clustering Custom Customizing Entitlement Federated Authentication Federation Pattern grant_type Hash Password Identity Server JKS KeyStore LDAP Load balance Load Balancer Login MDF Mutual SSL OAuth2 OpenAM Openid-Connent Open source PAP PDP PEP PIP Policy Editor Proxy Server SAML SAML2 SSL SSO User Management Username Token WS-Security WSO2 WSO2 Extension WSO2APIM WSO2ESB WSO2IS XACML XACML 3.0 XACML Sample

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 53 other subscribers

Asteroid Theme