These instructions are a guide and the exact steps may vary by operating system. They give an overview of the process of signing an XML metadata file for use in a SAML configuration.
Your authentication system may be able to do this for you if it has built-in tools or settings that publish a signed metadata file automatically. Check your system's documentation to find out whether you can save yourself from having to do this manually.
Why do we need the metadata to be signed?
Technology from Sage recognises the importance of trust in the configuration of Single Sign On connections between the University's systems and ours. As part of that trust mechanism, our configuration holds a fingerprint of the certificate that is used to sign the metadata file. The signature itself sits inside the metadata as an XML enveloped signature (the <ds:Signature> element at the top of the signed document).
We do this so that we can verify that any changes to the metadata file have come from a trusted source.
These are the checks we run to decide whether we can trust what we see in the metadata file:
- We read the metadata file regularly in case the signing or encryption certificates change. These certificates may expire or be revoked under the University's certificate management practices, so we read the file approximately every 5 minutes.
- We check the enveloped signature contained in the metadata file: we recompute the digests over the content ourselves and verify the signature value using the public certificate we have 'trusted' (the one matching the fingerprint we hold).
- If the signatures don't match, we know that the file has been tampered with, or that the certificate used to sign it has changed.
- We are then alerted to this and will reach out to you to confirm that what we are seeing is expected.
- Login to Talis Aspire may be affected if the signing or encryption certificates expire unexpectedly.
Signing Steps
- Make the required changes to your entity metadata XML file.
- Remove everything between, and including, the <ds:Signature></ds:Signature> tags at the top of the file. A fresh signature is inserted when it is generated in the steps below; if the old one is left in place the file ends up with two Signature elements, and the stale one no longer matches the content.
- Install xmlsectool using whatever method you choose. There is a Homebrew formula if you are on a Mac.
- Get the public certificate and private key to sign with. They do not have to be the same as the SAML signing and encryption certificates inside the metadata, although some customers use the same ones. Whichever pair you use, the certificate must be the one whose fingerprint we hold; if you intend to sign with a different certificate, tell us before you publish.
- Use xmlsectool to generate the signature for your modified metadata file. It writes a new file with the signature inserted, for example:
  xmlsectool --sign --inFile ./my-entity-metadata.xml --certificate ./my-certificate.cert --key ./my-certificate-key.pem --outFile ./my-entity-metadata.signed.xml
  If the private key is encrypted, add --keyPassword. You can confirm that the result verifies against the same certificate with:
  xmlsectool --verifySignature --inFile ./my-entity-metadata.signed.xml --certificate ./my-certificate.cert
- Diff the current live file against the file you have just signed. The only differences should be the digest and signature values, and the changes you intended to make.
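The parts of this workflow that do not need xmlsectool can be scripted. The following is an added example, not Talis or Sage code: it strips the enveloped <ds:Signature> ahead of re-signing (step 2), computes the SHA-256 fingerprint of the certificate carried in a signed file's KeyInfo and compares it with a fingerprint agreed out of band (the check described under "Why do we need the metadata to be signed?"), and diffs two metadata files with the signature removed from both (the final step). The sample metadata, entityID, URLs and "certificate" bytes are constructed for the demo. The signing call itself stays with xmlsectool, and full XML-DSig validation (the SignedInfo digests and SignatureValue) needs an XML Signature library and is not attempted here.

```python
"""Helpers around the SAML metadata signing workflow. Standard library only.

Added example, not Talis/Sage code. Sample data below is constructed."""
import base64
import difflib
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("ds", DS)
ET.register_namespace("md", MD)

# Constructed stand-in for DER certificate bytes; real metadata carries an X.509 cert here.
FAKE_CERT_DER = b"constructed-sample-certificate-bytes-not-a-real-x509-cert"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample of a signed IdP metadata file (entityID and URLs are placeholders).
SIGNED_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <ds:Signature>
    <ds:SignedInfo>(digests over the content, omitted in this sample)</ds:SignedInfo>
    <ds:SignatureValue>c2FtcGxlLXNpZ25hdHVyZS12YWx1ZQ==</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_signature(xml_text: str) -> str:
    """Step 2: return the metadata with the top-level enveloped <ds:Signature> removed."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DS}}}Signature"):  # direct children only
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def embedded_certificate(xml_text: str) -> bytes:
    """DER bytes of the X509Certificate inside the enveloped signature's KeyInfo.
    The base64 is usually line-wrapped in metadata, so whitespace is dropped first."""
    root = ET.fromstring(xml_text)
    path = f"{{{DS}}}Signature/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"
    node = root.find(path)
    if node is None or not (node.text or "").strip():
        raise ValueError("metadata carries no enveloped signature certificate")
    return base64.b64decode("".join(node.text.split()))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form tools print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signer_matches_trusted(xml_text: str, trusted_fingerprint: str) -> bool:
    """Consumer-side check: was the file signed with the certificate whose fingerprint
    was agreed out of band? Colons and case in the fingerprint are ignored."""
    actual = cert_fingerprint(embedded_certificate(xml_text))
    normalise = lambda fp: fp.replace(":", "").lower()
    return normalise(actual) == normalise(trusted_fingerprint)


def compare_ignoring_signature(live_xml: str, new_xml: str) -> list[str]:
    """Final step: unified diff of two metadata files with the signature stripped
    from both and the XML re-indented, so only content changes show. Empty list
    means the two files carry identical content."""
    def content_lines(xml_text: str) -> list[str]:
        root = ET.fromstring(strip_signature(xml_text))
        ET.indent(root)
        return ET.tostring(root, encoding="unicode").splitlines()
    return list(difflib.unified_diff(content_lines(live_xml), content_lines(new_xml),
                                     "live", "signed", lineterm=""))


if __name__ == "__main__":
    fp = cert_fingerprint(embedded_certificate(SIGNED_METADATA))
    print("signer fingerprint:", fp)
    print("matches trusted:", signer_matches_trusted(SIGNED_METADATA, fp))
    edited = SIGNED_METADATA.replace("HTTP-Redirect", "HTTP-POST")
    print("\n".join(compare_ignoring_signature(SIGNED_METADATA, edited)))
```

The diff here works on re-serialised XML rather than the raw bytes, which hides whitespace-only differences; running plain diff on the two files, as the step above says, is still the right final check before the new file goes live.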