Summary of my changes:

SAML2SignatureGenerationHandler now handles creating signatures of outgoing SAML messages for both POST and REDIRECT bindings.
SAML2SignatureValidationHandler now handles validating signatures of incoming SAML messages for both POST and REDIRECT bindings.
All code related to signing and validating messages has been removed from other places. The only exception is error messages, which can be sent from the IDP without going through the handler chain. So in the method IDPWebRequestUtil.send, there is still a code snippet for signing:
if (supportSignature && isErrorResponse) {
    // Sign the document
    ...
}
I added a new property called "destinationQueryStringWithSignature" into SAML2HandlerResponse. This property is used only with the REDIRECT binding with signatures enabled. It is used by SAML2SignatureGenerationHandler to generate the signature for the REDIRECT message and create the whole queryString, which is then propagated to the valves.
Option "ignoreIncomingSignatures" of IDPWebBrowserSSOValve is now deprecated and not used. Signatures are now verified with SAML2SignatureValidationHandler, so there is no need for this option.
Option "signOutgoingMessages" is still used, mainly because of error messages sent from the IDP. In the error message workflow, we do not go through the handler chain, so we need this option to decide whether an outgoing SAMLResponse with error content should be signed.
Option "spConfiguration.isSupportsSignature()" is still used on the SP side, but only during startup (if enabled, we will try to obtain the KeyProvider from the configuration). Maybe we can remove it as well? I am leaving this decision to you :)
All unit tests are passing. I changed only "SAML2SignatureHandlerUnitTestCase", so now it tests the handlers for both the POST binding and the REDIRECT binding (before, it was only the POST binding, as the signature handlers were previously used only for dealing with the POST binding).
I tested with the PicketLink quickstart applications (employee, employee-sig, idp, idp-sig, sales-post, sales-post-sig). I changed the quickstart applications. On both the "IDP" and "SP" sides, the handlers SAML2SignatureGenerationHandler and SAML2SignatureValidationHandler now need to be added to the configuration.
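To make concrete what the REDIRECT-binding generation and validation handlers described above have to do, here is an added example (not PicketLink code) of the SAML HTTP-Redirect binding signature: the generator signs the URL-encoded SAMLRequest/SAMLResponse, RelayState and SigAlg parameters in that order and appends Signature to form the whole query string, and the validator rebuilds exactly that string from the raw query, pins the algorithm, and only then verifies. The key, the sample message and the RelayState value are constructed, and RelayState is always included here, whereas the real binding omits it when absent.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // SigAlg URI for RSA-SHA256
// deflateBase64 is the HTTP-Redirect binding payload encoding: raw DEFLATE, then base64.
func deflateBase64(xml string) string {
	var sb strings.Builder
	w, _ := flate.NewWriter(&sb, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString([]byte(sb.String()))
}

// signedRedirectQuery signs "<param>=..&RelayState=..&SigAlg=.." (URL-encoded, in that order) and appends Signature.
func signedRedirectQuery(key *rsa.PrivateKey, param, xml, relayState string) (string, error) {
	toSign := param + "=" + url.QueryEscape(deflateBase64(xml)) +
		"&RelayState=" + url.QueryEscape(relayState) + "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirectQuery rebuilds the signed string from the raw (still URL-encoded) query, pins SigAlg, then verifies.
func verifyRedirectQuery(pub *rsa.PublicKey, param, rawQuery string) error {
	enc := map[string]string{} // values stay encoded: that is exactly what the sender signed
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		enc[k] = v
	}
	if alg, _ := url.QueryUnescape(enc["SigAlg"]); alg != rsaSHA256 {
		return rsa.ErrVerification // never let the sender choose a weak or unknown algorithm
	}
	sigB64, _ := url.QueryUnescape(enc["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed or missing Signature simply fails below
	toVerify := param + "=" + enc[param] + "&RelayState=" + enc["RelayState"] + "&SigAlg=" + enc["SigAlg"]
	digest := sha256.Sum256([]byte(toVerify))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```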