I am working on a gateway product where we are authenticating users with SAML SSO. Currently we are signing the SAML AuthnRequest before posting it to the IdP with a self-signed certificate created locally in the virtual machine. Going forward we are supposed to sign the request with a certificate placed in a Thales Luna Network HSM.
Our core application framework is based on Java and we are using the OpenSAML library to do the signing. After doing some analysis I got to know that OpenSAML is internally using the Apache Santuario library for this. But I want to do this signing with OpenSSL instead of the built-in framework because we have already done the OpenSSL integration with the HSM. So I am looking for a solution where I can sign OpenSAML objects with OpenSSL.
I did some research on achieving this with OpenSSL, but in some articles it is mentioned that OpenSSL can't be used for signing XML objects. I am looking for the workarounds below to achieve this use case.
- How can I sign OpenSAML objects with OpenSSL when the certs are placed in the Thales Network HSM?
- Is there any other command-line utility or library to address the same use case, so that I can take it for reference?
Sample signing code showing what we are currently doing:
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.Signer;

// createSAMLObject() and getSelfSignedCertificateSignature() are our own helpers
AuthnRequest authnRequest = createSAMLObject(AuthnRequest.class);
// Setting other params
Issuer issuer = createSAMLObject(Issuer.class);
// Setting other params
authnRequest.setIssuer(issuer);
NameIDPolicy nameIDPolicy = createSAMLObject(NameIDPolicy.class);
// Setting other params
authnRequest.setNameIDPolicy(nameIDPolicy);
// Signature object carrying the local self-signed credential and the IdP's preferred algorithm
Signature signature = getSelfSignedCertificateSignature(cacheData.getIdpPreferredSigningAlgorithm());
authnRequest.setSignature(signature);
// Marshal to DOM first: the signature is computed over the DOM, not the object tree (throws MarshallingException)
XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(authnRequest).marshall(authnRequest);
// Compute the XML signature in place (throws SignatureException)
Signer.signObject(signature);
Any leads will be appreciated.
Thanks
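An added example, not the poster's code and not part of the OpenSAML or Thales projects, showing the route a practitioner usually takes here. The reason OpenSSL "can't sign XML" is that an XML-DSig SignatureValue is an ordinary RSA signature over the exclusive-C14N serialisation of the ds:SignedInfo element, which itself carries digests of the referenced elements; Santuario performs the canonicalisation and digesting and then hands the raw SHA256withRSA operation to the JCA. So the HSM is easiest to reach by giving the JCA a PKCS#11 key handle through SunPKCS11 (the Luna client ships a PKCS#11 library), which makes the existing OpenSAML code sign in the HSM without any OpenSSL call. The config path, library path, slot, key alias and the LUNA_PIN environment variable are assumptions for the example; the Provider.configure call is the Java 9+ form, and the Java 8 equivalent is noted in a comment. OpenSAML 3.x/4.x APIs are used, matching the XMLObjectProviderRegistrySupport and Signer calls in the question.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.UUID;

import javax.xml.namespace.QName;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.Signer;

public class HsmSignedAuthnRequest {

    // Assumed values; adjust to the Luna client installation and partition.
    // Assumed contents of luna-pkcs11.cfg:
    //   name = LunaHSM
    //   library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
    //   slot = 0
    private static final String PKCS11_CONFIG = "/etc/gateway/luna-pkcs11.cfg";
    private static final String KEY_ALIAS = "saml-signing";   // label of the key pair in the partition
    private static final char[] PARTITION_PIN = System.getenv("LUNA_PIN").toCharArray();

    /** Register SunPKCS11 for the Luna library and fetch the key handle plus certificate. */
    static BasicX509Credential loadHsmCredential() throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from a config file.
        // Java 8 equivalent: new sun.security.pkcs11.SunPKCS11(PKCS11_CONFIG)
        Provider p11 = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, PARTITION_PIN);   // logs in to the partition; no file is read

        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, PARTITION_PIN);
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);
        if (key == null || cert == null) {
            throw new IllegalStateException("alias not found in HSM partition: " + KEY_ALIAS);
        }
        // Sanity check: a PKCS#11 key is only a handle, so no key material must be exportable.
        if (key.getEncoded() != null) {
            throw new IllegalStateException("private key is extractable; expected an HSM handle");
        }
        return new BasicX509Credential(cert, key);
    }

    @SuppressWarnings("unchecked")
    static <T> T build(Class<T> clazz, QName name) {
        XMLObjectBuilderFactory bf = XMLObjectProviderRegistrySupport.getBuilderFactory();
        return (T) bf.getBuilder(name).buildObject(name);
    }

    /** Build a minimal AuthnRequest and sign it with the HSM-held key. */
    public static AuthnRequest buildAndSign(BasicX509Credential cred) throws Exception {
        AuthnRequest req = build(AuthnRequest.class, AuthnRequest.DEFAULT_ELEMENT_NAME);
        req.setID("_" + UUID.randomUUID());   // the signature Reference URI points at this ID
        Issuer issuer = build(Issuer.class, Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://gateway.example/saml/metadata");   // assumed SP entityID
        req.setIssuer(issuer);
        // IssueInstant, Destination, NameIDPolicy etc. are set here as in the existing code.

        Signature sig = build(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        req.setSignature(sig);

        // Marshal first: Santuario signs the DOM, and the marshaller adds the content reference.
        XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(req).marshall(req);
        // Santuario canonicalises SignedInfo and requests SHA256withRSA from the JCA; because the
        // key is a SunPKCS11 handle, the JCA selects that provider and the RSA operation runs in the HSM.
        Signer.signObject(sig);
        return req;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        AuthnRequest req = buildAndSign(loadHsmCredential());
        System.out.println("signed " + req.getDOM().getLocalName() + " with HSM key " + KEY_ALIAS);
    }
}
```

If the OpenSSL path is still wanted, the same decomposition applies: the only step OpenSSL can perform is the raw signature over the exclusive-C14N SignedInfo bytes (for example `openssl dgst -sha256 -sign` with the PKCS#11 engine), so the integration point is a custom JCA Signature provider that hands those bytes to OpenSSL, not a replacement for Santuario's canonicalisation and digesting.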