How to sign the IdP metadata?

WULMS Alex Alex.WULMS at
Thu Nov 29 04:14:32 EST 2012


Thanks for the pointers. I have managed to sign it with the XmlSecTool.

They claim that the service provider implementation that they use mandates a signed metadata file and gives a security error when it is provided with an unsigned one. I assume it is some configuration issue on their side but don't want to go into a lengthy fight on which party (us or them) has to "fix" the issue. It will take me less time to simply provide them with a signed metadata file.

Thanks and kind regards,

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Peter Schober
Sent: Wednesday, November 28, 2012 4:18 PM
To: users at
Subject: Re: How to sign the IdP metadata?

* Ian Young <ian at> [2012-11-28 16:11]:
> On 28 Nov 2012, at 15:07, WULMS Alex <Alex.WULMS at> wrote:
> > Do you know of some existing tool or script that I can use to sign 
> > it with our private key?
> You could try this:

Or samlsign from

> Having said which, I'm not clear why the SP in question thinks they 
> want metadata you're giving them out of band signed.  Or are they 
> proposing to pick it up dynamically?

Either that or maybe they're even thinking PKIX path verification on the signing cert. Never hurts to ask why (even though I doubt they'd answer "security theatre" even if that'd be the case :)
-peter