Michael Sole
asked on
How to digitally sign XML
I am producing a simple xml response to a saml assertion. I need to digitally sign the xml but I am not sure. I think I know how to produce the signature but not sure what to do from there. This is what I got so far:
// Placeholder for the XML to be signed (the original fragment assigned to an undefined $output with .=).
$output = "XML BLOB";
// Read the unencrypted PEM private key and turn it into a key resource.
$fp = fopen("/path/to/domain.com_without_passphrase.key", "r");
$priv_key = fread($fp, 8192);
fclose($fp);
$pkeyid = openssl_get_privatekey($priv_key);
// Sign the raw bytes of $output; the default digest is SHA-1, pass OPENSSL_ALGO_SHA256 as a fourth argument for SHA-256.
openssl_sign($output, $signature, $pkeyid);
// No-op since PHP 8.0 (key resources are objects there), harmless on older versions.
openssl_free_key($pkeyid);
// Base64 is what ends up in a SignatureValue element; this alone is not yet an XML signature.
echo base64_encode($signature);
ASKER
You aren't being insulting. You are being accurate, I don't know much about SAML; however, implementing simplesaml (something I have used in the past) is not an option here. I need to respond to the assertion as I need to return a signed XML response with a session ID that gets passed to the client browser and used to validate login.
Hmm, that still sounds like something simplesaml would do, but anyway, it seems like you have the code already to generate the signature. You'll need to send the public cert along with the digital signature so that the recipient can use it to validate the signature. It sounds like you're building out a custom process, so it's up to you how you want to send the data back.
ASKER
I know simplesaml would do it but I can't use it.
How to sign the XML is the question, do I just add a node with the signature?
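The node the asker is after is a ds:Signature element, an enveloped XML Digital Signature. This is an added example, not code from the thread or from simplesaml, and it assumes the robrichards/xmlseclibs library (the same library simplesamlphp builds on) is installed via Composer, that the key and certificate paths are placeholders, and that the sample Response is constructed; it also goes one step beyond the question by showing the checks the recipient runs on the signed document.

```php
<?php
// Added example, not the asker's code: an enveloped XML-DSig over a SAML Response
// using the robrichards/xmlseclibs library (assumed installed via Composer).
require 'vendor/autoload.php';
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

function signResponse(string $xml, string $keyFile, string $certFile): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // Digest the whole Response (found via its ID attribute); the enveloped
    // transform keeps the ds:Signature element itself out of the digest.
    $dsig->addReference(
        $doc->documentElement, XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]
    );
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($keyFile, true);
    $dsig->sign($key);
    $dsig->add509Cert(file_get_contents($certFile)); // ds:KeyInfo for the recipient
    // SAML places ds:Signature directly after Issuer, i.e. before Status.
    $status = $doc->getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:protocol', 'Status')->item(0);
    $dsig->insertSignature($doc->documentElement, $status);
    return $doc->saveXML();
}

// Recipient side: verify with the cert it already trusts for this IdP,
// not with whatever cert the message carries in ds:KeyInfo.
function verifyResponse(string $signedXml, string $trustedCertFile): bool
{
    $doc = new DOMDocument();
    $doc->loadXML($signedXml);
    $dsig = new XMLSecurityDSig();
    if ($dsig->locateSignature($doc) === null) return false;
    $dsig->canonicalizeSignedInfo();
    $dsig->idKeys = ['ID'];
    if (!$dsig->validateReference()) return false; // digests must match first
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
    $key->loadKey($trustedCertFile, true, true);
    return $dsig->verify($key) === 1;
}

// Constructed sample response; the key and cert paths are placeholders.
$xml = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://idp.example.com</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>';
$signed = signResponse($xml, '/path/to/domain.com_without_passphrase.key', '/path/to/domain.com.crt');
var_dump(verifyResponse($signed, '/path/to/domain.com.crt'));
```

The digest covers the Response minus the Signature element, so the session ID and status inside it cannot be altered without the reference check failing before the signature value is even examined.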
ASKER CERTIFIED SOLUTION
ASKER
Thanks!!!
If you're doing any other kind of binding (artifact or redirect), I can see why you might want to do this, but if you're not certain about what to do with the signature, you might need to study up on SAML concepts first to better understand the step of the process you're trying to accomplish. I'm not trying to be mean or insulting or anything, but with any security-related concept, you want to be absolutely certain about what you're doing and fully understand why. Any mistake in security infrastructure can be REALLY bad news.
That said, is there a reason you don't just use something like simplesamlphp?
http://simplesamlphp.org/
It's a free, open-source PHP framework for SAML. It works with all types of bindings, it can act as an identity provider or a service provider, and has lots of examples to make it easy to simply plug it into an existing application.
Sometimes rolling your own approach seems like a good idea, but it can lead to security risks that have already been patched and fully addressed in existing, vetted solutions.