SAML: Signing an Entity Metadata File

These instructions are a guide only; the exact steps vary by operating system. They give an overview of the process of signing an XML file for use in SAML configurations.

Your authentication system may be able to do this for you if it has built-in tools or settings that produce a signed metadata file automatically. Check your system's documentation to find out whether you can avoid doing this manually.

  1. Make the changes as required to your Entity Metadata XML file.

  2. Remove everything between, and including, the <ds:Signature> and </ds:Signature> tags at the top of the file. A signature left in place no longer matches the edited content; a fresh one is generated and re-inserted in the steps that follow.

  3. Install xmlsectool using whatever method you choose. There is a Homebrew formula if you are on a Mac.

  4. Get the certificate and private key you will sign with. The metadata signing certificate does not have to be the same as the SAML signing and encryption certificates published inside the metadata, although some customers do use the same one.

  5. Use xmlsectool to generate the signature for your modified entity metadata file. It writes a new file with the signature inserted, for example:
    xmlsectool --sign --inFile ./my-entity-metadata.xml --certificate ./my-certificate.cert --key ./my-certificate-key.pem --outFile ./my-entity-metadata.signed.xml

  6. Diff the current live file against the file you have just signed. The only differences should be the digest and signature values and the changes you intended to make.

The signed entity metadata is the file you upload. Do not edit it any further: any change to the signed content, whitespace included, invalidates the signature. If you need to make more changes, edit the file, strip the signature and re-sign it.
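The following script is an added example, not part of the original article or of xmlsectool itself. It wraps the steps above: it strips an existing Signature element (step 2), signs with xmlsectool (step 5), checks the result with xmlsectool's --verifySignature switch, and diffs the live and newly signed files with the signature removed from both so that only your intended edits show up (step 6). The file names live-metadata.xml, edited-metadata.xml, metadata-signing.crt and metadata-signing.key are assumptions for illustration, and the sample metadata it writes is constructed, with placeholder signature bytes.

```shell
#!/bin/sh
# Added example (not from the original article): wrapper around the signing
# steps. File names used in the comments below are assumptions.
set -eu

# strip_signature IN OUT
# Copy IN to OUT without its (optionally prefixed) Signature element.
# Assumes the opening and closing Signature tags each start a line, as in
# xmlsectool's own output. SignatureMethod/SignatureValue do not match the
# opening pattern; they fall inside the skipped range anyway.
strip_signature() {
  awk '
    /<([A-Za-z0-9_.-]+:)?Signature[ >]/ { skip = 1 }
    skip {
      if (/<\/([A-Za-z0-9_.-]+:)?Signature>/) skip = 0
      next
    }
    { print }
  ' "$1" > "$2"
}

# has_signature FILE: succeed if FILE contains a Signature element.
has_signature() {
  grep -Eq '<([A-Za-z0-9_.-]+:)?Signature[ >]' "$1"
}

# diff_ignoring_signature LIVE NEW
# Show what changed apart from the signature. Exit 0 if nothing else differs,
# 1 if there are other changes (review them before uploading).
diff_ignoring_signature() {
  a=$(mktemp) b=$(mktemp)
  strip_signature "$1" "$a"
  strip_signature "$2" "$b"
  if diff -u "$a" "$b"; then rc=0; else rc=1; fi
  rm -f "$a" "$b"
  return $rc
}

# sign_metadata IN OUT CERT KEY
# Strip any stale signature, sign, then verify with the same certificate so a
# broken or mismatched key pair is caught before upload. Requires xmlsectool.
sign_metadata() {
  unsigned=$(mktemp)
  strip_signature "$1" "$unsigned"
  xmlsectool --sign --inFile "$unsigned" --outFile "$2" \
             --certificate "$3" --key "$4"
  xmlsectool --verifySignature --inFile "$2" --certificate "$3"
  rm -f "$unsigned"
}

# write_sample FILE: constructed, already "signed" metadata for the offline
# demo below. The digest and signature values are placeholders, not real.
write_sample() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/saml">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI=""><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Offline demo: strip the placeholder signature and confirm nothing else
# changed. A real run with xmlsectool and your key material looks like:
#   sign_metadata edited-metadata.xml signed-metadata.xml metadata-signing.crt metadata-signing.key
#   diff_ignoring_signature live-metadata.xml signed-metadata.xml
demo_dir=$(mktemp -d)
write_sample "$demo_dir/live.xml"
strip_signature "$demo_dir/live.xml" "$demo_dir/unsigned.xml"
diff_ignoring_signature "$demo_dir/live.xml" "$demo_dir/unsigned.xml" && echo "only the signature differs"
rm -rf "$demo_dir"
```

The diff step strips the signature from both files rather than trying to ignore digest and signature lines by pattern, so an accidental edit anywhere else, including whitespace, is reported. If your private key is encrypted, xmlsectool also takes a --keyPassword option.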
