I was able to have my application act as an SP with the IDP SSOCIRCLE using the Spring Security SAML extension. My customer has the following requirements:
1. Have the assertion signed: The assertion sent from the IDP is signed, and it is working fine.
2. Have the request/response signed: When using SSO Circle to generate the metadata file, I set the option AuthnRequestsSigned to true. I uploaded my SP metadata to the SSO Circle IDP. The SP metadata had the following values set to true: AuthnRequestsSigned & WantAssertionsSigned. When running the application, neither my request nor the response I get is signed.
I am having trouble getting the second requirement done. I am new to SAML and to security in general. What am I missing here?
UPDATE
After taking Vladimir's comments into consideration, I changed my binding to HTTP-POST, so now I am sending the SAML request with the signature shown. I was able to send the request signed using my private key (not the one provided by the sample project) by doing the following:
- Create a keystore, CSR, and a public key certificate using the keygen tool.
- Update the Digital Signature section in my SP metadata file to have the new certificate.
- Remove the old SP metadata file from the IDP SSOCIRCLE and add the new SP metadata file.
- Change the Spring configuration so that the JKSKeyManager uses the new keystore I created, with the new alias and password.
What I need to do now is have the IDP (SSOCIRCLE) send a response where (a) the response is signed and (b) the assertion is signed.
How can that be achieved? What changes do I need to make to handle that, given that the signing of the response should be different from the signing of the assertion? Thanks.
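Because the question turns on whether a ds:Signature sits on the samlp:Response or on the saml:Assertion (two independent signatures), here is an added diagnostic that is not part of the post or of Spring Security SAML: it decodes the SAMLResponse POST parameter and reports which of the two elements is signed. The IdP URL and the sample XML are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form parameter of the HTTP-POST binding."""
    return base64.b64decode(form_value).decode("utf-8")


def signature_locations(saml_response_xml: str) -> dict:
    """Report which SAML 2.0 elements carry an enveloped XML Signature.

    A ds:Signature that is a direct child of samlp:Response covers the whole
    response; one that is a direct child of saml:Assertion covers only that
    assertion. Either, both, or neither may be present, which is why
    WantAssertionsSigned alone says nothing about response-level signing.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document: %s" % root.tag)
    sig_tag = "{%s}Signature" % NS["ds"]
    response_signed = any(child.tag == sig_tag for child in root)
    assertions = root.findall("saml:Assertion", NS)
    # Only count the assertion as signed when every assertion carries a signature.
    assertion_signed = bool(assertions) and all(
        any(child.tag == sig_tag for child in a) for a in assertions
    )
    return {"response": response_signed, "assertion": assertion_signed}


# Constructed sample: assertion signed, response not signed (the situation in the post).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>BASE64SIG</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(signature_locations(SAMPLE_RESPONSE))  # {'response': False, 'assertion': True}
```

Feed it the decoded SAMLResponse captured from the browser POST to see which of the two signatures the IdP actually produced; this only locates signatures, it does not verify them.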