Brent Putman putmanb at
Fri Sep 2 05:07:48 BST 2011

In the standard HTTP POST binding (defined in the original SAML spec),
the signature will be an enveloped XML signature in the protocol
message.  That signature would be handled by the
ProtocolWithXMLSignature rule.

In the HTTP POST SimpleSign binding, the message is signed as a "blob"
(not an XML Signature) and stored as a form parameter in the request, as
you see below.  This binding is an extension binding, not in the
original SAML spec.  Its signature will be validated by the
SAML2HTTPPostSimpleSign rule.

So the rule that is effectively validating the signature depends on
which binding the SP used to send the protocol message to the IdP.  Your
log message below would indicate that the message was *not* sent via
HTTP POST SimpleSign, so there's nothing for it to do. 

Hope that helps,

On 9/1/11 11:29 PM, rangeli nepal wrote:
> Good Evening Everybody,
> I am trying to use SAML2HTTPPostSimpleSignRule. I see following log
>  [BaseSAMLSimpleSignatureSecurityPolicyRule] HTTP request was not
> signed via simple signature mechanism, skipping
> I look at the,
> I see following section of code. It seems this code is trying to get
> data from request. I am under the impression that in Post binding
> Signature is inside the message not outside as in redirect binding. If
> that is true, how following code will work. I must be missing
> something.
> Any elaboration will be highly appreciated.
> Thank you.
> rn
> protected byte[] getSignature(HttpServletRequest request) throws SecurityPolicyException {
>     String signature = request.getParameter("Signature");
>     if (DatatypeHelper.isEmpty(signature)) {
>         return null;
>     }
>     return Base64.decode(signature);
> }
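The distinction drawn in the reply above, as an added example that is not part of the original thread and is not OpenSAML code: a stand-alone check that treats a POST without a `Signature` form parameter as "not SimpleSign" (the skipped case in the log) and otherwise verifies the blob signature. The class name, the `Map` standing in for the servlet request, the throwaway key pair and the sample message are assumptions; it handles only `SAMLRequest` with RSA-SHA256, and the signed string layout follows the SimpleSign binding specification.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SimpleSignDemo {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    enum Result { NOT_SIMPLE_SIGNED, VALID, INVALID }

    // Bytes covered by a SimpleSign signature: the raw message XML (not its
    // base64 form), then RelayState if present, then SigAlg.
    static byte[] signedContent(Map<String, String> form) {
        String xml = new String(Base64.getDecoder().decode(form.get("SAMLRequest")), StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder("SAMLRequest=").append(xml);
        if (form.get("RelayState") != null) sb.append("&RelayState=").append(form.get("RelayState"));
        return sb.append("&SigAlg=").append(form.get("SigAlg")).toString().getBytes(StandardCharsets.UTF_8);
    }

    static Result check(Map<String, String> form, PublicKey spKey) throws GeneralSecurityException {
        String sig = form.get("Signature");
        if (sig == null || sig.isEmpty()) return Result.NOT_SIMPLE_SIGNED; // the "skipping" case
        if (!RSA_SHA256.equals(form.get("SigAlg"))) return Result.INVALID; // demo accepts one algorithm
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(spKey);
            verifier.update(signedContent(form));
            return verifier.verify(Base64.getDecoder().decode(sig)) ? Result.VALID : Result.INVALID;
        } catch (IllegalArgumentException | SignatureException e) {
            return Result.INVALID; // malformed base64 or malformed signature bytes
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sp = gen.generateKeyPair(); // throwaway key standing in for the SP
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_constructed\"/>";
        Map<String, String> form = new HashMap<>(); // constructed form parameters
        form.put("SAMLRequest", Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8)));
        form.put("RelayState", "constructed-state");
        System.out.println("plain HTTP POST : " + check(form, sp.getPublic()));

        form.put("SigAlg", RSA_SHA256);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(sp.getPrivate());
        signer.update(signedContent(form));
        form.put("Signature", Base64.getEncoder().encodeToString(signer.sign()));
        System.out.println("SimpleSign      : " + check(form, sp.getPublic()));

        form.put("RelayState", "changed-after-signing");
        System.out.println("RelayState edit : " + check(form, sp.getPublic()));
    }
}
```

A message that reaches the first branch still needs its enveloped XML signature checked by the other rule; the skip only means the form carried no blob signature.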