moov-io / signedxml

pure go library for processing signed XML documents
MIT License

SAML Response with Signed Message & Assertion #22

Open peffis opened 2 years ago

peffis commented 2 years ago

It looks like this library, when signing, will find the first Signature and compute the Digest/Signature values for that. Is it possible to use this library also when you want to sign both the Message and the Assertions in a SAML response document? You would then have two Signature blocks in the XML document, to sign both the whole document and also the assertions.

An example of such a document with two Signature tags can be seen here: https://developers.onelogin.com/saml/examples/response#:~:text=A%20SAML%20Response%20is%20sent,NameID%20%2F%20attributes%20of%20the%20user.&text=A%20signed%20SAML%20Response%20with%20an%20encrypted%20Assertion,with%20an%20encrypted%20signed%20Assertion

ma314smith commented 2 years ago

I believe you are correct.

You could potentially still accomplish this by just passing in the Assertion segment, signing it, and inserting it back into the main doc. Then sign the whole message. I have not tested this, but if I'm understanding your use case correctly, it may work.

A code change would be required to do this in a single step. If you want to submit a PR for it, I'm certainly open to that.
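For readers following the thread, here is an added Go example (not signedxml's own code) that shows the counterpart of the problem on the verification side: it walks a constructed two-signature SAML Response, lists every ds:Signature in document order with the ID of the element it is nested in, and checks that each Signature's Reference points back at that element. It assumes only the standard library, matches elements and attributes by local name, and takes the first ds:Reference after each Signature as that signature's reference; the sample document is constructed here and carries structure only.

```go
package main

import (
	"encoding/xml"
	"io"
	"strings"
)

// Constructed sample, structure only: one Signature over the whole Response and a second inside the Assertion.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
<ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
<saml:Assertion ID="_asrt1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt1"/></ds:SignedInfo></ds:Signature></saml:Assertion></samlp:Response>`
// SignatureInfo pairs a ds:Signature's enclosing element ID with the URI its ds:Reference claims to cover.
type SignatureInfo struct{ ParentID, ReferenceURI string }
// CoversParent is the check a validator must apply to every Signature, not only the first one found.
func (s SignatureInfo) CoversParent() bool { return s.ParentID != "" && s.ReferenceURI == "#"+s.ParentID }

// attr returns the value of the attribute with the given local name, or "".
func attr(attrs []xml.Attr, name string) string {
	for _, a := range attrs {
		if a.Name.Local == name {
			return a.Value
		}
	}
	return ""
}

// FindSignatures lists every Signature in document order with the ID of the element it is nested in.
func FindSignatures(doc string) ([]SignatureInfo, error) {
	var ids []string // ID attribute ("" if none) of each currently open element
	var sigs []SignatureInfo
	dec := xml.NewDecoder(strings.NewReader(doc))
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if t.Name.Local == "Signature" && len(ids) > 0 {
				sigs = append(sigs, SignatureInfo{ParentID: ids[len(ids)-1]})
			} else if n := len(sigs); t.Name.Local == "Reference" && n > 0 && sigs[n-1].ReferenceURI == "" {
				sigs[n-1].ReferenceURI = attr(t.Attr, "URI") // first ds:Reference of the latest Signature
			}
			ids = append(ids, attr(t.Attr, "ID"))
		case xml.EndElement:
			ids = ids[:len(ids)-1]
		}
	}
	return sigs, nil
}
```

On the sample, FindSignatures returns two entries, `_resp1` and `_asrt1`, each covering its parent; a validator that only processes the first Signature never looks at the second, which is the gap the issue describes from the signing side.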