Add functionality to generate new certificates for each authn reqeust and response.

Author: Hans Hörberg

example/idp2/idp.py

@@ -297,10 +297,13 @@ def do(self, query, binding_in, relay_state=""):
             if REPOZE_ID_EQUIVALENT:
                 identity[REPOZE_ID_EQUIVALENT] = self.user
             try:
+                sign_assertion = IDP.config.getattr("sign_assertion", "idp")
+                if sign_assertion is None:
+                    sign_assertion = False
                 _resp = IDP.create_authn_response(
                     identity, userid=self.user,
-                    authn=AUTHN_BROKER[self.environ["idp.authn_ref"]],
-                    **resp_args)
+                    authn=AUTHN_BROKER[self.environ["idp.authn_ref"]], sign_assertion=sign_assertion,
+                    sign_response=False, **resp_args)
             except Exception, excp:
                 logging.error(exception_trace(excp))
                 resp = ServiceError("Exception: %s" % (excp,))
@@ -322,6 +325,7 @@ def _store_request(self, _dict):
 
     def redirect(self):
         """ This is the HTTP-redirect endpoint """
+
         logger.info("--- In SSO Redirect ---")
         _info = self.unpack_redirect()
 

example/sp/nocert_sp_conf/sp.xml

@@ -0,0 +1,2 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ns5="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://localhost:8087/LocalTestSPHans.xml"><ns0:Extensions><ns1:EntityAttributes><ns2:Attribute Name="http://macedir.org/entity-category"><ns2:AttributeValue xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/research-and-education</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/hei-service</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/sfs-1993-1153</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/nren-service</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/eu-adequate-protection</ns2:AttributeValue></ns2:Attribute></ns1:EntityAttributes></ns0:Extensions><ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:Extensions><ns4:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8087/disco" index="1" /></ns0:Extensions><ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8087/slo" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8087" index="1" /></ns0:SPSSODescriptor><ns0:Organization><ns0:OrganizationName xml:lang="en">Lokal test SP Hans</ns0:OrganizationName><ns0:OrganizationDisplayName xml:lang="se">Lokal test SP Hans</ns0:OrganizationDisplayName><ns0:OrganizationDisplayName xml:lang="en">Lokal test SP Hans</ns0:OrganizationDisplayName><ns0:OrganizationURL xml:lang="en">http://130.239.200.146:8087</ns0:OrganizationURL></ns0:Organization></ns0:EntityDescriptor>

example/sp/nocert_sp_conf/sp_conf.py

@@ -0,0 +1,97 @@
+from saml2 import BINDING_HTTP_REDIRECT
+from saml2.extension.idpdisc import BINDING_DISCO
+from saml2.saml import NAME_FORMAT_URI
+from saml2.sigver import get_xmlsec_binary, CertHandlerExtra
+from saml2.entity_category.edugain import COC
+from saml2.entity_category.swamid import RESEARCH_AND_EDUCATION
+from saml2.entity_category.swamid import HEI
+from saml2.entity_category.swamid import SFS_1993_1153
+from saml2.entity_category.swamid import NREN
+from saml2.entity_category.swamid import EU
+
+
+#BASE= "http://130.239.200.146:8087"
+BASE= "http://localhost:8087"
+#BASE= "http://lingon.catalogix.se:8087"
+
+
+class SpCertHandlerExtraClass(CertHandlerExtra):
+
+    def use_generate_cert_func(self):
+        return True
+
+    def generate_cert(self, generate_cert_info, ca_cert_string, ca_key_string):
+        print "Hello"
+        return (ca_cert_string, ca_key_string)
+
+    def use_validate_cert_func(self):
+        return False
+
+    def validate_cert(self, cert_str, ca_cert_string, ca_key_string):
+        pass
+
+CONFIG = {
+    "entityid": "%s/LocalTestSPHans.xml" % BASE,
+    "description": "Lokal test SP Hans",
+    "entity_category": [COC, RESEARCH_AND_EDUCATION, HEI, SFS_1993_1153, NREN, EU],
+    "only_use_keys_in_metadata": False,
+    "cert_handler_extra_class": None,#MyCertGeneration(),
+    "generate_cert_info": {
+        "cn": "localhost",
+        "country_code": "se",
+        "state": "ac",
+        "city": "Umea",
+        "organization": "ITS Umea University",
+        "organization_unit": "DIRG"
+    },
+    "tmp_key_file": "pki/tmp_mykey.pem",
+    "tmp_cert_file": "pki/tmp_mycert.pem",
+    "validate_certificate": True,
+    "service": {
+        "sp": {
+            "authn_requests_signed": "true", #Will sign the request!
+            "want_assertions_signed": "true", #Demands that the assertion is signed.
+            "name": "LocalTestSPHans",
+            "endpoints": {
+                "assertion_consumer_service": [BASE],
+                "single_logout_service": [(BASE + "/slo",
+                                            BINDING_HTTP_REDIRECT)],
+                "discovery_response": [
+                    ("%s/disco" % BASE, BINDING_DISCO)
+                ]
+            },
+            "required_attributes": ["surname", "givenname",
+                                    "edupersonaffiliation"],
+            "optional_attributes": ["title"],
+        }
+    },
+    "debug": 1,
+    "key_file": "pki/localhost.ca.key",
+    "cert_file": "pki/localhost.ca.crt",
+    "attribute_map_dir": "./attributemaps",
+    "metadata": {
+        "local": ["../idp2/idp_nocert.xml"]
+    #    #"remote": [{"url": "http://130.239.201.5/role/idp.xml", "cert": None}],
+    },
+    #"metadata": {"local": ["/Users/haho0032/Develop/svn/trunk/pyOpSamlProxy/idp_nocert.xml"]},
+
+    # -- below used by make_metadata --
+    "organization": {
+        "name": "Lokal test SP Hans",
+        "display_name": [("Lokal test SP Hans", "se"), ("Lokal test SP Hans", "en")],
+        "url": "http://130.239.200.146:8087",
+    },
+    "contact_person": [
+    ],
+    "xmlsec_binary": '/usr/local/bin/xmlsec1',
+    "name_form": NAME_FORMAT_URI,
+    "logger": {
+        "rotating": {
+            "filename": "sp.log",
+            "maxBytes": 100000,
+            "backupCount": 5,
+        },
+        "loglevel": "debug",
+    }
+}
+

example/sp/nocert_sp_conf/who.ini

@@ -0,0 +1,42 @@
+[plugin:auth_tkt]
+# identification
+use = repoze.who.plugins.auth_tkt:make_plugin
+secret = kasamark
+cookie_name = pysaml2
+secure = False
+include_ip = True
+timeout = 3600
+reissue_time = 3000
+
+# IDENTIFIER
+# @param :
+# - rememberer_name : name of the plugin for remembering (delegate)
+[plugin:saml2auth]
+use = s2repoze.plugins.sp:make_plugin
+saml_conf = sp_conf
+remember_name = auth_tkt
+sid_store = outstanding
+idp_query_param = IdPEntityId
+discovery = http://130.239.201.5/role/idp.ds
+
+[general]
+request_classifier = s2repoze.plugins.challenge_decider:my_request_classifier
+challenge_decider = repoze.who.classifiers:default_challenge_decider
+remote_user_key = REMOTE_USER
+
+[identifiers]
+# plugin_name;classifier_name:.. or just plugin_name (good for any)
+plugins =
+      saml2auth
+      auth_tkt
+      
+[authenticators]
+# plugin_name;classifier_name.. or just plugin_name (good for any)
+plugins = saml2auth
+
+[challengers]
+# plugin_name;classifier_name:.. or just plugin_name (good for any)
+plugins = saml2auth
+
+[mdproviders]
+plugins = saml2auth

example/sp/sp.xml

@@ -1,34 +1,2 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:8087/sp.xml"><ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:KeyDescriptor use="encryption"><ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
-BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
-EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
-MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
-YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
-DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
-bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
-FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
-mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
-BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
-o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
-BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
-AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
-BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
-zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
-+vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
-</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo></ns0:KeyDescriptor><ns0:KeyDescriptor use="signing"><ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
-BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
-EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
-MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
-YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
-DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
-bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
-FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
-mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
-BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
-o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
-BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
-AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
-BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
-zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
-+vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
-</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo></ns0:KeyDescriptor><ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8087/slo" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8087" index="1" /></ns0:SPSSODescriptor><ns0:Organization><ns0:OrganizationName xml:lang="en">Exempel AB</ns0:OrganizationName><ns0:OrganizationDisplayName xml:lang="se">Exempel AB</ns0:OrganizationDisplayName><ns0:OrganizationDisplayName xml:lang="en">Example Co.</ns0:OrganizationDisplayName><ns0:OrganizationURL xml:lang="en">http://www.example.com/roland</ns0:OrganizationURL></ns0:Organization><ns0:ContactPerson contactType="technical"><ns0:GivenName>John</ns0:GivenName><ns0:SurName>Smith</ns0:SurName><ns0:EmailAddress>[email protected]</ns0:EmailAddress></ns0:ContactPerson></ns0:EntityDescriptor>
+<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:ns5="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://localhost:8087/LocalTestSPHans.xml"><ns0:Extensions><ns1:EntityAttributes><ns2:Attribute Name="http://macedir.org/entity-category"><ns2:AttributeValue xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/research-and-education</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/hei-service</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/sfs-1993-1153</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/nren-service</ns2:AttributeValue><ns2:AttributeValue xsi:type="xs:string">http://www.swamid.se/category/eu-adequate-protection</ns2:AttributeValue></ns2:Attribute></ns1:EntityAttributes></ns0:Extensions><ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:Extensions><ns4:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8087/disco" index="1" /></ns0:Extensions><ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8087/slo" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8087" index="1" /></ns0:SPSSODescriptor><ns0:Organization><ns0:OrganizationName xml:lang="en">Lokal test SP Hans</ns0:OrganizationName><ns0:OrganizationDisplayName xml:lang="se">Lokal test SP Hans</ns0:OrganizationDisplayName><ns0:OrganizationDisplayName xml:lang="en">Lokal test SP Hans</ns0:OrganizationDisplayName><ns0:OrganizationURL xml:lang="en">http://130.239.200.146:8087</ns0:OrganizationURL></ns0:Organization></ns0:EntityDescriptor>

example/sp/sp_conf.py

@@ -1,44 +1,90 @@
 from saml2 import BINDING_HTTP_REDIRECT
+from saml2.extension.idpdisc import BINDING_DISCO
 from saml2.saml import NAME_FORMAT_URI
+from saml2.sigver import get_xmlsec_binary, CertHandlerExtra
+from saml2.entity_category.edugain import COC
+from saml2.entity_category.swamid import RESEARCH_AND_EDUCATION
+from saml2.entity_category.swamid import HEI
+from saml2.entity_category.swamid import SFS_1993_1153
+from saml2.entity_category.swamid import NREN
+from saml2.entity_category.swamid import EU
 
+
+#BASE= "http://130.239.200.146:8087"
 BASE= "http://localhost:8087"
 #BASE= "http://lingon.catalogix.se:8087"
 
+
+class SpCertHandlerExtraClass(CertHandlerExtra):
+
+    def use_generate_cert_func(self):
+        return True
+
+    def generate_cert(self, generate_cert_info, ca_cert_string, ca_key_string):
+        print "Hello"
+        return (ca_cert_string, ca_key_string)
+
+    def use_validate_cert_func(self):
+        return False
+
+    def validate_cert(self, cert_str, ca_cert_string, ca_key_string):
+        pass
+
 CONFIG = {
-    "entityid": "%s/sp.xml" % BASE,
-    "description": "My SP",
+    "entityid": "%s/LocalTestSPHans.xml" % BASE,
+    "description": "Lokal test SP Hans",
+    "entity_category": [COC, RESEARCH_AND_EDUCATION, HEI, SFS_1993_1153, NREN, EU],
+    "only_use_keys_in_metadata": False,
+    "cert_handler_extra_class": None,#MyCertGeneration(),
+    "generate_cert_info": {
+        "cn": "localhost",
+        "country_code": "se",
+        "state": "ac",
+        "city": "Umea",
+        "organization": "ITS Umea University",
+        "organization_unit": "DIRG"
+    },
+    "tmp_key_file": "pki/tmp_mykey.pem",
+    "tmp_cert_file": "pki/tmp_mycert.pem",
+    "validate_certificate": True,
     "service": {
         "sp": {
-            "name": "Rolands SP",
+            "authn_requests_signed": "true", #Will sign the request!
+            "want_assertions_signed": "true", #Demands that the assertion is signed.
+            "name": "LocalTestSPHans",
             "endpoints": {
                 "assertion_consumer_service": [BASE],
                 "single_logout_service": [(BASE + "/slo",
                                             BINDING_HTTP_REDIRECT)],
+                "discovery_response": [
+                    ("%s/disco" % BASE, BINDING_DISCO)
+                ]
             },
             "required_attributes": ["surname", "givenname",
                                     "edupersonaffiliation"],
             "optional_attributes": ["title"],
         }
     },
     "debug": 1,
-    "key_file": "pki/mykey.pem",
-    "cert_file": "pki/mycert.pem",
+    "key_file": "pki/localhost.ca.key",
+    "cert_file": "pki/localhost.ca.crt",
     "attribute_map_dir": "./attributemaps",
-    "metadata": {"local": ["../idp2/idp.xml"]},
+    "metadata": {
+        #"local": ["../idp2/idp_nocert.xml"]
+        "local": ["/Users/haho0032/Develop/svn/trunk/pyOpSamlProxy/idp_nocert.xml"]
+    #    #"remote": [{"url": "http://130.239.201.5/role/idp.xml", "cert": None}],
+    },
+    #"metadata": {"local": ["/Users/haho0032/Develop/svn/trunk/pyOpSamlProxy/idp_nocert.xml"]},
+
     # -- below used by make_metadata --
     "organization": {
-        "name": "Exempel AB",
-        "display_name": [("Exempel AB", "se"), ("Example Co.", "en")],
-        "url": "http://www.example.com/roland",
+        "name": "Lokal test SP Hans",
+        "display_name": [("Lokal test SP Hans", "se"), ("Lokal test SP Hans", "en")],
+        "url": "http://130.239.200.146:8087",
     },
-    "contact_person": [{
-        "given_name":"John",
-        "sur_name": "Smith",
-        "email_address": ["[email protected]"],
-        "contact_type": "technical",
-        },
+    "contact_person": [
     ],
-    #"xmlsec_binary":"/opt/local/bin/xmlsec1",
+    "xmlsec_binary": '/usr/local/bin/xmlsec1',
     "name_form": NAME_FORMAT_URI,
     "logger": {
         "rotating": {
@@ -49,3 +95,4 @@
         "loglevel": "debug",
     }
 }
+

example/sp/who.ini

@@ -17,6 +17,7 @@ saml_conf = sp_conf
 remember_name = auth_tkt
 sid_store = outstanding
 idp_query_param = IdPEntityId
+discovery = http://130.239.201.5/role/idp.ds
 
 [general]
 request_classifier = s2repoze.plugins.challenge_decider:my_request_classifier

src/s2repoze/plugins/sp.py

@@ -23,7 +23,9 @@
 import sys
 import platform
 import shelve
+import threading
 import traceback
+import saml2
 from urlparse import parse_qs, urlparse
 
 from StringIO import StringIO
@@ -133,7 +135,6 @@ def __init__(self, rememberer_name, config, saml_client, wayf, cache,
         self.discosrv = discovery
         self.idp_query_param = idp_query_param
         self.logout_endpoints = [urlparse(ep)[2] for ep in config.endpoint("single_logout_service")]
-
         try:
             self.metadata = self.conf.metadata
         except KeyError:
@@ -360,11 +361,18 @@ def challenge(self, environ, _status, _app_headers, _forget_headers):
                 logger.debug("srvs: %s" % srvs)
                 dest = srvs[0]["location"]
                 logger.debug("destination: %s" % dest)
-                req = _cli.create_authn_request(dest, vorg=vorg_name)
-                ht_args = _cli.apply_binding(_binding, "%s" % req,
-                                             destination=dest,
-                                             relay_state=came_from)
-                _sid = req.id
+
+                if _cli.authn_requests_signed:
+                    _sid = saml2.s_utils.sid(_cli.seed)
+                    msg_str = _cli.create_authn_request(dest, vorg=vorg_name, sign=_cli.authn_requests_signed,
+                                                        message_id=_sid)
+                else:
+                    req = _cli.create_authn_request(dest, vorg=vorg_name, sign=False)
+                    msg_str = "%s" % req
+                    _sid = req.id
+
+                ht_args = _cli.apply_binding(_binding, msg_str, destination=dest, relay_state=came_from)
+
                 logger.debug("ht_args: %s" % ht_args)
             except Exception, exc:
                 logger.exception(exc)