Question

Niels Heinis (NielsHeinis), Pega CLSA, Ordina, NL
Member since 2015, 2 posts
Posted: 1 week 2 days ago
Last activity: 1 week 2 days ago

How to sign SAML 2.0 SP metadata?

Our SAML 2.0 IDP is updating their requirements, which forces us to supply SP metadata that goes beyond the metadata we can configure in the authentication service form. For most of the additional attributes and element values we can quite simply extend the mapping in the pyMapSPSAMLMetadata data transform.

Now, the part I'm struggling with is that the metadata has to be signed. There must be a Signature element with signing based on this protocol: https://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd#enveloped-signature

So, we need a block like this:

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <!-- URI must equal "#" + the ID attribute of the md:EntityDescriptor that encloses this Signature -->
        <dsig:Reference URI="#_d611bce3fb2b4ee587bd508acfb89f2f1154815b">
            <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </dsig:Transforms>
            <!-- the standard SHA-256 digest identifier lives in the xmlenc namespace (RFC 6931);
                 xmldsig-more defines no #sha256 -->
            <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <dsig:DigestValue>...</dsig:DigestValue>
        </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>...</dsig:SignatureValue>
    <dsig:KeyInfo>
        <dsig:X509Data>
            <dsig:X509Certificate>...</dsig:X509Certificate>
        </dsig:X509Data>
    </dsig:KeyInfo>
</dsig:Signature>

How could we sign the metadata and achieve the above? Has anyone done this before or does anyone have any useful resources to accomplish this?

Pega Platform 8.4.4 Security Lead System Architect
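One way to produce exactly that block, as an added example that is not from the original post and not Pega's own code: the JDK's built-in javax.xml.crypto.dsig API (Java 11 or later, callable from a Java step or utility class) signs the md:EntityDescriptor with an enveloped RSA-SHA256 signature, exclusive C14N and a SHA-256 digest, and inserts the Signature as the first child element, which the SAML metadata spec requires. The file names, keystore alias and password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SignSpMetadata {
    // Assumed inputs (not from the post): sp-metadata.xml and a PKCS#12 file sp-signing.p12 with alias "sp-signing".
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                         // placeholder password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream is = Files.newInputStream(Paths.get("sp-signing.p12"))) { ks.load(is, pw); }
        PrivateKey key = (PrivateKey) ks.getKey("sp-signing", pw);
        X509Certificate cert = (X509Certificate) ks.getCertificate("sp-signing");
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                   // needed for md:/dsig: prefixes
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc = dbf.newDocumentBuilder().parse(Paths.get("sp-metadata.xml").toFile());
        Element root = doc.getDocumentElement();                       // md:EntityDescriptor
        if (!root.hasAttribute("ID")) root.setAttribute("ID", "_" + UUID.randomUUID()); // must be an NCName
        root.setIdAttribute("ID", true);                               // lets Reference URI="#..." resolve
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<Transform> transforms = Arrays.asList(                    // same order as the required block
            fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(cert))));
        // SAML metadata requires ds:Signature to be the first child of EntityDescriptor: insert, do not append.
        DOMSignContext ctx = new DOMSignContext(key, root, root.getFirstChild());
        ctx.setDefaultNamespacePrefix("dsig");
        fac.newXMLSignature(si, ki).sign(ctx);
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(Paths.get("sp-metadata-signed.xml").toFile()));
    }
}
```

Sign the final, fully mapped metadata only: any change to the document after signing (including re-indenting it) invalidates the digest, so run this as the last step after pyMapSPSAMLMetadata has produced the complete EntityDescriptor.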