With WSU IDs, an ID attribute is inserted into the root element of the
nodeset that is to be signed. The XML Signature then references this ID
to indicate to verifiers of the signature the nodes that were signed.
The use of WSU IDs is the default option because they are WS-I compliant.
Alternatively, a generic ID attribute (that is not bound to the WSU
namespace) can be used to dereference the data. The ID attribute is
inserted into the top-level element of the nodeset to be signed.
The generated XML Signature can then reference this ID to indicate what
nodes were signed.
You can also use AssertionID attributes when signing SAML
assertions. The following options provide more details and examples of the
different styles of IDs that are available.
Use WSU IDs:
Select this option to reference the signed data using a
wsu:Id attribute. In this case, a
wsu:Id attribute is inserted into the root node of
the nodeset that is signed. This ID is then referenced in the
generated XML Signature as an indication of what nodes were signed. The
following example shows the correlation:
<s:Envelope xmlns:s="...">
  <s:Header>
    <wsse:Security xmlns:wsse="...">
      <dsig:Signature xmlns:dsig="..." Id="Id-00000112e2c98df8-0000000000000004">
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <dsig:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <dsig:Reference URI="#Id-00000112e2c98df8-0000000000000003">
            <dsig:Transforms>
              <dsig:Transform
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>xChPoiWJJrrPZkbXN8FPB8S4U7w=</dsig:DigestValue>
          </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>KG4N .... /9dw==</dsig:SignatureValue>
        <dsig:KeyInfo Id="Id-00000112e2c98df8-0000000000000005">
          <dsig:X509Data>
            <dsig:X509Certificate>
              MIID ... ZiBQ==
            </dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </dsig:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:wsu="..." wsu:Id="Id-00000112e2c98df8-0000000000000003">
    <vs:getProductInfo xmlns:vs="http://ww.oracle.com">
      <vs:Name>Enterprise Gateway</vs:Name>
      <vs:Version>11.1.1.5.0</vs:Version>
    </vs:getProductInfo>
  </s:Body>
</s:Envelope>
In the above example, a wsu:Id attribute has been
inserted into the <s:Body> element. This
wsu:Id attribute is then referenced by the
URI attribute of the
<dsig:Reference> element in the actual
Signature.
When the Signature is being verified, the value of the
URI attribute can be used to locate the nodes that
have been signed.
Use IDs:
Select this option to use generic IDs (that are not bound to the
WSU namespace) to dereference the signed data. Under this schema, the
URI attribute of the
<Reference> points at an ID attribute, which
is inserted into the top-level node of the nodeset that is signed.
Take a look at the following example, noting how the ID specified in
the Signature matches the ID attribute that has been inserted into the
<Body> element, indicating that the Signature
applies to the entire contents of the SOAP Body.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
      Id="Id-0000011a101b167c-0000000000000013">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#Id-0000011a101b167c-0000000000000012">
          <dsig:Transforms>
            <dsig:Transform
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>JCy0JoyhVZYzmrLrl92nxfr1+zQ=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>......</dsig:SignatureValue>
      <dsig:KeyInfo Id="Id-0000011a101b167c-0000000000000014">
        <dsig:X509Data>
          <dsig:X509Certificate>......</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </dsig:Signature>
  </soap:Header>
  <soap:Body Id="Id-0000011a101b167c-0000000000000012">
    <product version="11.1.1.5.0">
      <name>Enterprise Gateway</name>
      <company>Oracle</company>
      <description>SOA Security and Management</description>
    </product>
  </soap:Body>
</soap:Envelope>
Use SAML IDs for SAML Elements:
This ID option is specifically intended for use where a SAML assertion
is to be signed. When this option is selected, an AssertionID
attribute is inserted into a SAML 1.1 assertion, or a more generic ID
attribute is used for a SAML 2.0 assertion.
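The three options above all come down to the same verifier step: take the URI of each dsig:Reference, strip the leading "#", and locate the one element carrying that value in a wsu:Id, generic Id, SAML 2.0 ID or SAML 1.1 AssertionID attribute. The following Python is an added example written for this page, not code from the Gateway or the original documentation. It resolves references in that way over constructed, cut-down envelopes for each ID style, and it refuses a reference whose ID is carried by more than one element, since an ambiguous reference cannot tell the verifier which nodes were signed. The wsu and SOAP namespace URIs are the standard ones and are assumed here; the digest and signature computations that follow dereferencing are outside this example.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Attributes accepted as reference targets, one per ID style described on the page.
ID_ATTRIBUTES = (
    "{%s}Id" % WSU_NS,  # Use WSU IDs
    "Id",               # Use IDs (generic, not bound to a namespace)
    "ID",               # SAML 2.0 assertion
    "AssertionID",      # SAML 1.1 assertion
)


def find_by_id(root, id_value):
    """Return the single element whose accepted ID attribute equals id_value.

    A reference that matches no element, or more than one, is rejected
    instead of being resolved to an arbitrary candidate.
    """
    matches = [el for el in root.iter()
               if any(el.get(attr) == id_value for attr in ID_ATTRIBUTES)]
    if not matches:
        raise ValueError("no element carries ID %r" % id_value)
    if len(matches) > 1:
        raise ValueError("ID %r is carried by %d elements" % (id_value, len(matches)))
    return matches[0]


def resolve_references(xml_text):
    """Map each dsig:Reference URI to the local name of the element it dereferences
    to, i.e. the node the signature claims to cover."""
    root = ET.fromstring(xml_text)
    resolved = {}
    for ref in root.iter("{%s}Reference" % DSIG_NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are handled: %r" % uri)
        resolved[uri] = find_by_id(root, uri[1:]).tag.split("}")[-1]
    return resolved


# Constructed sample envelopes (not captured traffic); the Signature is reduced
# to its Reference because only the dereferencing step is exercised here.
def _signature(target_id):
    return (f'<dsig:Signature xmlns:dsig="{DSIG_NS}"><dsig:SignedInfo>'
            f'<dsig:Reference URI="#{target_id}"/></dsig:SignedInfo></dsig:Signature>')

WSU_ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>{_signature("body-1")}</s:Header>'
    f'<s:Body xmlns:wsu="{WSU_NS}" wsu:Id="body-1"><getProductInfo/></s:Body>'
    '</s:Envelope>')

GENERIC_ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>{_signature("body-2")}</s:Header>'
    '<s:Body Id="body-2"><product/></s:Body></s:Envelope>')

SAML11_ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    f'AssertionID="assertion-1">{_signature("assertion-1")}</saml:Assertion>'
    '</s:Header><s:Body/></s:Envelope>')

# The same ID value appears on two elements, so the reference is ambiguous.
DUPLICATE_ID_ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>{_signature("body-1")}'
    '<Extra Id="body-1"/></s:Header>'
    f'<s:Body xmlns:wsu="{WSU_NS}" wsu:Id="body-1"><getProductInfo/></s:Body>'
    '</s:Envelope>')


if __name__ == "__main__":
    for style, doc in [("wsu:Id", WSU_ENVELOPE), ("Id", GENERIC_ENVELOPE),
                       ("AssertionID", SAML11_ENVELOPE)]:
        print(style, "->", resolve_references(doc))
    try:
        resolve_references(DUPLICATE_ID_ENVELOPE)
    except ValueError as exc:
        print("rejected:", exc)
```

A real verifier would go on to canonicalize the resolved element with the Transform listed in the Reference, compare the digest with DigestValue, and only then check SignatureValue over SignedInfo; resolving the ID to exactly one element is the precondition for all of that.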