Michael Sole

asked on

How to digitally sign XML

I am producing a simple XML response to a SAML assertion. I need to digitally sign the XML but I am not sure how. I think I know how to produce the signature but I'm not sure what to do from there. This is what I've got so far:

<?php
$output = "XML BLOB"; // placeholder for the XML response to be signed
// Passphrase-less key: keep the file readable only by the web server user.
$fp = fopen("/path/to/domain.com_without_passphrase.key", "r");
$priv_key = fread($fp, 8192);
fclose($fp);
$pkeyid = openssl_get_privatekey($priv_key);
if ($pkeyid === false) {
    die("Could not load private key: " . openssl_error_string());
}
// Signs the raw bytes of $output (SHA-256 made explicit; the default is SHA-1).
openssl_sign($output, $signature, $pkeyid, OPENSSL_ALGO_SHA256);
openssl_free_key($pkeyid); // no-op since PHP 8.0, harmless on older versions
echo base64_encode($signature);


gr8gonzo

Why are you producing a response to an assertion? With few exceptions, it seems like everyone is moving towards POST bindings with SAML, meaning that you don't have to respond to the assertion. As the service provider, you simply consume the assertion however you want to (usually just set the various variables on your side to log that person in).

If you're doing any other kind of binding (artifact or redirect), I can see why you might want to do this, but if you're not certain about what to do with the signature, you might need to study up on SAML concepts first to better understand the step of the process you're trying to accomplish. I'm not trying to be mean or insulting or anything, but with any security-related concept, you want to be absolutely certain about what you're doing and fully understand why. Any mistake in security infrastructure can be REALLY bad news.

That said, is there a reason you don't just use something like simplesamlphp?
http://simplesamlphp.org/

It's a free, open-source PHP framework for SAML. It works with all types of bindings, it can act as an identity provider or a service provider, and has lots of examples to make it easy to simply plug it into an existing application.

Sometimes rolling your own approach seems like a good idea, but it can lead to security risks that have already been patched and fully addressed in existing, vetted solutions.
Michael Sole

ASKER

You aren't being insulting. You are being accurate; I don't know much about SAML. However, implementing simplesaml (something I have used in the past) is not an option here. I need to respond to the assertion as I need to return a signed XML response with a session ID that gets passed to the client browser and used to validate login.

Hmm, that still sounds like something simplesaml would do, but anyway, it seems like you have the code already to generate the signature. You'll need to send the public cert along with the digital signature so that the recipient can use it to validate the signature. It sounds like you're building out a custom process, so it's up to you how you want to send the data back.

I know simplesaml would do it but I can't use it.

How to sign the XML is the question, do I just add a node with the signature?
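What "adding a node with the signature" actually involves, as an added example that is not code from this thread or from simplesamlphp: an enveloped XML-DSig in plain PHP (ext/dom and ext/openssl) that signs a canonicalised SignedInfo carrying the digest of the response, and ships the certificate in KeyInfo as gr8gonzo suggests. The response XML and the PEM key and certificate strings are assumed to be read in the way the question's code does; the function name is hypothetical.

```php
<?php
// Added example, not from the thread: enveloped XML-DSig (RSA-SHA256, exclusive
// C14N) with ext/dom + ext/openssl. Assumes PEM key and certificate strings.
const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

function signXml(string $xml, string $privKeyPem, string $certPem): string {
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    $doc->loadXML($xml);
    $root = $doc->documentElement;
    // The Reference points at the root through its ID attribute (SAML uses "ID").
    $id = $root->getAttribute('ID') ?: 'pfx' . bin2hex(random_bytes(16));
    $root->setAttribute('ID', $id);
    // 1. Digest the element *before* the Signature is appended; that is what the
    //    enveloped-signature transform yields on the verifier's side.
    $digest = base64_encode(hash('sha256', $root->C14N(true, false), true));
    // 2. SignedInfo is built in the ds namespace so C14N emits xmlns:ds itself.
    $sig = $doc->createElementNS(DS_NS, 'ds:Signature');
    $si  = $sig->appendChild($doc->createElementNS(DS_NS, 'ds:SignedInfo'));
    $si->appendChild($doc->createElementNS(DS_NS, 'ds:CanonicalizationMethod'))
       ->setAttribute('Algorithm', 'http://www.w3.org/2001/10/xml-exc-c14n#');
    $si->appendChild($doc->createElementNS(DS_NS, 'ds:SignatureMethod'))
       ->setAttribute('Algorithm', 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
    $ref = $si->appendChild($doc->createElementNS(DS_NS, 'ds:Reference'));
    $ref->setAttribute('URI', '#' . $id);
    $tr = $ref->appendChild($doc->createElementNS(DS_NS, 'ds:Transforms'));
    foreach (['http://www.w3.org/2000/09/xmldsig#enveloped-signature',
              'http://www.w3.org/2001/10/xml-exc-c14n#'] as $alg) {
        $tr->appendChild($doc->createElementNS(DS_NS, 'ds:Transform'))->setAttribute('Algorithm', $alg);
    }
    $ref->appendChild($doc->createElementNS(DS_NS, 'ds:DigestMethod'))
        ->setAttribute('Algorithm', 'http://www.w3.org/2001/04/xmlenc#sha256');
    $ref->appendChild($doc->createElementNS(DS_NS, 'ds:DigestValue', $digest));
    // 3. What gets signed is canonical SignedInfo, not the raw response bytes.
    $key = openssl_pkey_get_private($privKeyPem);
    if ($key === false || !openssl_sign($si->C14N(true, false), $bytes, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    $sig->appendChild($doc->createElementNS(DS_NS, 'ds:SignatureValue', base64_encode($bytes)));
    // 4. Ship the certificate (PEM armour stripped) so the recipient can verify
    //    against a key it has been configured to trust, not one it simply receives.
    $x509 = $sig->appendChild($doc->createElementNS(DS_NS, 'ds:KeyInfo'))
                ->appendChild($doc->createElementNS(DS_NS, 'ds:X509Data'));
    $x509->appendChild($doc->createElementNS(DS_NS, 'ds:X509Certificate',
                       preg_replace('/-----[^-]+-----|\s+/', '', $certPem)));
    // 5. Envelope it (SAML's schema places ds:Signature right after saml:Issuer).
    $root->appendChild($sig);
    return $doc->saveXML();
}
```

The recipient recomputes the digest over the response with the Signature element removed and checks SignatureValue over canonical SignedInfo, so any byte changed after signing makes the response fail validation.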
ASKER CERTIFIED SOLUTION
gr8gonzo

Thanks!!!