
Sign message

Message signing is automatic in litesaml/saml. When a Certificate with a PrivateKey is configured as the signing property on your Sp or Idp descriptor, all outgoing messages are signed without any extra code.

Configuring signing for an SP

use Litesaml\Models\Descriptors\Certificate;
use Litesaml\Models\Descriptors\Endpoint;
use Litesaml\Models\Descriptors\PrivateKey;
use Litesaml\Models\Descriptors\PublicKey;
use Litesaml\Models\Descriptors\Sp;
use Litesaml\Enums\BindingType;

$sp = new Sp(
    entityId: 'https://my-app.example.com',
    acs: new Endpoint('https://my-app.example.com/saml/acs', BindingType::POST),
    slo: new Endpoint('https://my-app.example.com/saml/slo', BindingType::REDIRECT),
    signing: new Certificate(
        publicKey: new PublicKey(file_get_contents('/path/to/sp-cert.pem')),
        privateKey: new PrivateKey(file_get_contents('/path/to/sp-key.pem')),
    ),
);

Every message sent by ServiceProviderWrapper (sendAuthnRequest, sendLogoutRequest, sendLogoutResponse) will be signed using this certificate and private key.

Configuring signing for an IdP

use Litesaml\Models\Descriptors\Certificate;
use Litesaml\Models\Descriptors\Endpoint;
use Litesaml\Models\Descriptors\Idp;
use Litesaml\Models\Descriptors\PrivateKey;
use Litesaml\Models\Descriptors\PublicKey;
use Litesaml\Enums\BindingType;

$idp = new Idp(
    entityId: 'https://my-idp.example.com',
    sso: new Endpoint('https://my-idp.example.com/saml/sso', BindingType::REDIRECT),
    slo: new Endpoint('https://my-idp.example.com/saml/slo', BindingType::REDIRECT),
    signing: new Certificate(
        publicKey: new PublicKey(file_get_contents('/path/to/idp-cert.pem')),
        privateKey: new PrivateKey(file_get_contents('/path/to/idp-key.pem')),
    ),
);

Every message sent by IdentityProviderWrapper (sendAuthnResponse, sendLogoutRequest, sendLogoutResponse) will be signed.

How it works

Internally, MessageHandler::send() checks whether the issuer's signing property includes a PrivateKey. If it does, it attaches a SignatureWriter to the message before serialization, using the RSA-SHA256 algorithm. The certificate's public key is embedded in the XML signature's KeyInfo block so the recipient can verify the signature.
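The following is an added example, not litesaml's own code, covering both the configuration sections above and the signing step just described. It uses PHP's openssl extension directly: it checks that a private key really belongs to the certificate you are about to place in the signing property (the check worth running before building an Sp or Idp descriptor, since a mismatched pair produces signatures partners cannot verify), then performs the RSA-SHA256 sign and verify that the SignatureWriter and the recipient carry out. The function names, the self-signed key pair generated in-process and the sample message string are all constructed for this example; a real deployment loads the PEM files named on this page and signs canonicalised SAML XML.

```php
<?php
// Added example (not part of litesaml/saml): RSA-SHA256 signing and
// verification with PHP's openssl extension. Key material is generated
// in-process so the script runs offline; the PEM files shown on this page
// would be loaded with file_get_contents() in a real deployment.

declare(strict_types=1);

/** Build a throwaway self-signed certificate and its private key (constructed sample). */
function makeSelfSignedPair(): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    $dn   = ['CN' => 'my-app.example.com'];                       // placeholder subject
    $csr  = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);

    openssl_x509_export($x509, $certPem);
    openssl_pkey_export($key, $keyPem);
    return [$certPem, $keyPem];
}

/**
 * Pre-flight check for the signing property: the private key must belong to the
 * certificate that will be published in metadata, or every outgoing message is
 * signed with a key that partners cannot verify.
 */
function keyMatchesCertificate(string $certPem, string $keyPem): bool
{
    return openssl_x509_check_private_key($certPem, $keyPem);
}

/** Sign a payload with RSA-SHA256 (the algorithm the SignatureWriter step uses). */
function signPayload(string $payload, string $keyPem): string
{
    $key = openssl_pkey_get_private($keyPem);
    if ($key === false) {
        throw new RuntimeException('unreadable private key');
    }
    if (!openssl_sign($payload, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

/** Recipient side: verify the signature with the signer's certificate. */
function verifyPayload(string $payload, string $signatureB64, string $certPem): bool
{
    $pub = openssl_pkey_get_public($certPem);   // accepts an X.509 PEM and extracts the public key
    if ($pub === false) {
        return false;
    }
    $sig = base64_decode($signatureB64, true);
    if ($sig === false) {
        return false;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); only 1 passes.
    return openssl_verify($payload, $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
}

// Usage with a constructed sample message (real SAML messages are canonicalised XML).
[$certPem, $keyPem] = makeSelfSignedPair();
[$otherCert]        = makeSelfSignedPair();   // an unrelated certificate

if (!keyMatchesCertificate($certPem, $keyPem)) {
    throw new RuntimeException('private key does not match the signing certificate');
}

$message   = '<samlp:AuthnRequest ID="_example" IssueInstant="2024-01-01T00:00:00Z"/>';
$signature = signPayload($message, $keyPem);

if (!verifyPayload($message, $signature, $certPem)) {
    throw new RuntimeException('a valid signature was rejected');
}
if (verifyPayload($message . ' ', $signature, $certPem)) {
    throw new RuntimeException('a modified message was accepted');
}
if (verifyPayload($message, $signature, $otherCert)) {
    throw new RuntimeException('a signature was accepted under the wrong certificate');
}
echo "signing checks passed\n";
```

On the verifying side, the certificate embedded in KeyInfo is convenient for locating the right key, but trust should come from the certificate your application already holds for that partner (from their metadata), not from whatever certificate arrives inside the message; verifyPayload() above is therefore called with a certificate the caller supplies rather than one extracted from the payload.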

Publishing your certificate

Include your signing certificate in your metadata so partners can verify your signatures. generateMetadata() does this automatically — see Generate metadata.