
samlsign - sign and verify XML documents

Author

       This manpage was written by Ferenc Wágner and Russ Allbery for Debian GNU/Linux.

Description

       samlsign signs or verifies signed XML documents.  To sign a document, use -s.  To verify a document, omit
       -s.  One of the -c, -R, or -T options is required when verifying.  Either -k or -R is required when
       signing.

       By default, samlsign signs or verifies standard input.  Pass -u or -f to retrieve the document from a URL
       or file path.  Signed documents are always printed to standard output.

Examples

       To sign SAML 2.0 metadata, use:

           samlsign -s -k /path/to/key -c /path/to/cert -f /path/to/metadata

Exit Status

       0      Success.

       -1     An error in how samlsign was called (incorrect arguments, for example).

       -2     An error occurred when initializing the configuration.

       -10    An exception was caught.
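
       The following wrapper is an added example, not part of the original manpage. It signs to a temporary file, verifies the result with -c, and publishes only if both steps succeed. The names sign_and_publish, samlsign_reason and the SAMLSIGN override variable are assumptions made for illustration, and any nonzero status is treated as failure.

```shell
#!/bin/sh
# Added example (not from the manpage). SAMLSIGN is a hypothetical override
# so the wrapper can be pointed at a specific binary or a test stub.
SAMLSIGN=${SAMLSIGN:-samlsign}

# Translate the status the shell sees into the manpage's meaning.
# A shell only receives the low 8 bits of an exit status, so the
# documented -1, -2 and -10 arrive in $? as 255, 254 and 246.
samlsign_reason() {
    case "$1" in
        0)   echo "success" ;;
        255) echo "usage error (-1)" ;;
        254) echo "configuration initialization error (-2)" ;;
        246) echo "exception caught (-10)" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# sign_and_publish KEY CERT SRC DST
# Fail closed: DST is only created when signing AND verification succeed.
sign_and_publish() {
    key=$1; cert=$2; src=$3; dst=$4
    tmp=$(mktemp "${dst}.XXXXXX") || return 1

    # Signed documents are printed to standard output; capture them.
    "$SAMLSIGN" -s -k "$key" -c "$cert" -f "$src" > "$tmp"
    rc=$?

    if [ "$rc" -eq 0 ]; then
        # Verify the file just written against the expected certificate.
        "$SAMLSIGN" -c "$cert" -f "$tmp" > /dev/null
        rc=$?
    fi

    if [ "$rc" -ne 0 ]; then
        echo "samlsign failed: $(samlsign_reason "$rc")" >&2
        rm -f "$tmp"
        return "$rc"
    fi
    mv "$tmp" "$dst"
}
```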

Name

       samlsign - sign and verify XML documents

Options

       -u URL The URL of the document to sign or verify.

       -f PATH
              The full path of the document to sign or verify.

       -id ID Rather than acting on the entire document, only act on the object with the specified ID.  Only
              that object (with its new signature) will be printed to standard output.

       -s     Sign, rather than the default action of verify.

       -k KEY Specifies the full path to the key to use for signing.

       -c CERT
              Specifies the full path to the certificate to use for verification.

       -R RESOLVER
              Specifies a credential resolver to use for either signing or verification.

       -T TRUST
              Specifies the trust engine for TrustEngine-based verification.

       -M METADATA
              Specifies the metadata for TrustEngine-based verification.

       -i ISSUER
              Specifies the issuer for verification.

       -p PROT
              Specifies the protocol for TrustEngine-based verification.  This option allows specification of an
              arbitrary protocol by name, but more commonly one would use one of the options listed below for
              standard protocol names.

       -r RNAME
              Specifies the resource name for TrustEngine-based verification.  This option allows specification
              of an arbitrary resource name by name, but more commonly one would use one of the options listed
              below for standard resource names.

       -ns RNS
              Specifies the namespace for TrustEngine-based verification.  If not given, the default is
              SAML20MD_NS.

       -saml10
              Use the SAML1.0 protocol for TrustEngine-based verification.

       -saml11
              Use the SAML1.1 protocol for TrustEngine-based verification.

       -saml2 Use the SAML2.0 P NS protocol for TrustEngine-based verification.

       -idp   Set the resource name to IDPSSODescriptor for TrustEngine-based verification.

       -aa    Set the resource name to AttributeAuthorityDescriptor for TrustEngine-based verification.

       -pdp   Set the resource name to PDPDescriptor for TrustEngine-based verification.

       -sp    Set the resource name to SPSSODescriptor for TrustEngine-based verification.

       -V     Validate the document while signing or verifying it.  The path to the schemas used for  validation
              can be overridden by setting the OPENSAML_SCHEMAS environment variable.

       -alg algorithm
              Specifies the signature algorithm to use, overriding the default.  Only used when signing.

       -dig algorithm
              Specifies the digest algorithm to use, overriding the default.  Only used when signing.

Synopsis

samlsign <options>

See Also