Difference Between SOAP Signing using X509 and SAML Assertion

Hi All,

Can someone please share the link/material regarding the difference between

SOAP signing using X509 and a SAML Assertion?

Thanks and Regards,

Gaurav Bhandari


Former Community Member

In my opinion the difference is:

You can sign any XML document using X.509 certificates with this standard: https://www.w3.org/TR/xmldsig-core/

The SAML standard also leverages the same XML digital signature standard to sign the assertion, but must also include other items like identity, authorization or attribute assertions. I think SAML assertions can also be encrypted.

SAML is included in the WS-Security header. XML digital signature doesn't apply only to SOAP.

There is not much difference -

At a high level,

> Signatures ensure authenticity and integrity of the messages.

> Both follow the same spec, XMLSig.

> The signature can be verified using X509 [this is just one mechanism; there are other methods documented in the spec. It can also be just a digest, in which case you get only integrity but not authenticity].

SAML Assertion [look here for a sample] is just another XML message that is signed, with the signature included within the message; the signature can be verified with the X509 certificate present in the message.

Signed SOAP Message [look here for a sample] is, again, just another XML message that is signed, with the signature included within the message; the signature can be verified with the X509 certificate present in the message.

And obviously, there are differences in the message format, where to insert the signature, etc., that are dictated by the respective specifications [SAML & WS-Security].
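The structural difference the reply above describes, as an added example that is not part of the original thread or of any vendor's code: a constructed SAML 2.0 assertion carrying an enveloped ds:Signature, and a constructed SOAP envelope carrying its ds:Signature inside the wsse:Security header with a Reference to the Body. DigestValue, SignatureValue and certificate contents are placeholders, and the BinarySecurityToken is abbreviated (ValueType/EncodingType attributes omitted), so this code does not verify the signature cryptographically (that needs an XML-DSig library with canonicalization). What it does show is the part both formats share (one ds:Signature, one same-document Reference, key material found through KeyInfo) and the part that differs (where the Signature sits and which element it covers), together with the check a consumer should make before trusting either message: that the Reference URI resolves to exactly one element, and that the element is the one the application will actually read. Element and function names (describe_signature, placement_ok) are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 assertions and WS-Security SOAP messages.
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample: SAML assertion with an enveloped signature (Signature is a child of
# the element it signs; Reference URI points at the assertion's own ID). Values are placeholders.
SAML_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed sample: WS-Security signed SOAP message (Signature lives in the wsse:Security
# header, covers the Body by wsu:Id, and names its certificate through a SecurityTokenReference).
SOAP_MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="X509Token">PLACEHOLDER</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#Body">
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body"><GetBalance xmlns="urn:example:bank"><Account>1234</Account></GetBalance></soap:Body>
</soap:Envelope>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Body' -> 'Body')."""
    return tag.rsplit("}", 1)[-1]


def _element_by_id(root, elem_id):
    """Return the single element carrying elem_id as ID, Id or wsu:Id. Refusing duplicates
    rejects the simplest signature-wrapping trick: a second element reusing the referenced ID."""
    wsu_id = "{%s}Id" % NS["wsu"]
    hits = [e for e in root.iter() if elem_id in (e.get("ID"), e.get("Id"), e.get(wsu_id))]
    if len(hits) != 1:
        raise ValueError("expected exactly one element with id %r, found %d" % (elem_id, len(hits)))
    return hits[0]


def describe_signature(xml_text):
    """Locate the one ds:Signature, the element it covers, and where its key material comes from."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature, found %d" % len(sigs))
    sig = sigs[0]
    uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    if len(uris) != 1 or not uris[0].startswith("#"):
        raise ValueError("expected one same-document Reference, got %r" % uris)
    signed = _element_by_id(root, uris[0][1:])
    # Walk up from the Signature: if the signed element is an ancestor the signature is
    # enveloped (SAML); otherwise it covers a sibling subtree (WS-Security signing the Body).
    ancestors, node = [], sig
    while node in parent:
        node = parent[node]
        ancestors.append(node)
    if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
        key_source = "X509Certificate in KeyInfo"
    else:
        str_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if str_ref is None:
            raise ValueError("no usable KeyInfo")
        token = _element_by_id(root, str_ref.get("URI", "")[1:])
        key_source = _local(token.tag) + " via SecurityTokenReference"
    return {"container": _local(parent[sig].tag), "signed": _local(signed.tag),
            "enveloped": signed in ancestors, "key_source": key_source}


def placement_ok(xml_text, expected_container, expected_signed):
    """True when the Signature sits where the profile puts it and covers the expected element."""
    try:
        info = describe_signature(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return info["container"] == expected_container and info["signed"] == expected_signed


if __name__ == "__main__":
    print("SAML:", describe_signature(SAML_ASSERTION))
    print("SOAP:", describe_signature(SOAP_MESSAGE))
```

For the SAML input describe_signature reports the Signature inside the Assertion, covering the Assertion, enveloped, with the certificate embedded in KeyInfo; for the SOAP input it reports the Signature inside wsse:Security, covering the Body, not enveloped, with the certificate reached through a BinarySecurityToken. In a real consumer the cryptographic verification (canonicalize, check each DigestValue, verify SignatureValue against a trusted certificate) must still follow, and the "exactly one element with this ID" rule is only the first of the checks an XML-DSig verifier needs against wrapping attacks.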