我需要签名SAML AuthnRequest,它在身份验证过程中从SP发送到IdP。以下是原始请求示例:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24"
Version="2.0"
ProviderName="SP test"
IssueInstant="2014-07-16T23:52:45Z"
Destination="http://idp.example.com/SSOService.php"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
<saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
这些请求应使用私钥和X.509证书值进行签名。
基于OpenSAML的Java的解决方案看起来像这样,但是我已经预定义了格式良好的XML内容,要为AuthnRequest签名为SSO,所以我不能使用在项目中。
private void signRequest(SignableXMLObject obj) {
Credential credential = this.getCredential(SP_PRIVATEKEY, SP_CERTIFICATE);
Signature signature = (Signature) Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME)
.buildObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(credential);
signature.setCanonicalizationAlgorithm(getIdpSignature().getCanonicalizationAlgorithm());
signature.setSignatureAlgorithm(getIdpSignature().getSignatureAlgorithm());
SecurityConfiguration secConfig = Configuration.getGlobalSecurityConfiguration();
try {
SecurityHelper.prepareSignatureParams(signature, credential, secConfig, null);
obj.setSignature(signature);
Configuration.getMarshallerFactory().getMarshaller(obj).marshall(obj);
Signer.signObject(signature);
} catch (Exception e) {
}
}